How to configure non-privileged LDAP bind in FreeRADIUS 3.0.11

Alan DeKok aland at
Tue Jul 23 21:28:42 CEST 2019

On Jul 23, 2019, at 3:13 PM, Kev Xlr <kevxlre at> wrote:
> I know this is an old thread, but I am attempting to configure the same scenario in Freeradius. 
> The backend database is Azure AD DS with LDAPS enabled, and the goal is to have EAP-TTLS/PAP for wifi access points. Obviously passwords are not in cleartext so users should be authenticated by a simple LDAP bind by the rlm_ldap module.

  As Matthew said, the client is doing PEAP.  Fix that.

> I added Alan’s if statement to default and inner-tunnel to force Auth-Type LDAP


  Nothing in the debug output shows it setting "Auth-Type LDAP".  As an example, in packet 7 it sets Proxy-To-Realm := LOCAL:

(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop

  See?  If there was:

	update control {
		Auth-Type := LDAP
	}

  then it would show up in the debug output.  Since it's not there, it's not configured to do Auth-Type LDAP.

  This is why we ALWAYS say (a) run it in debug mode, and (b) READ the debug output.

  Which files did you edit?  Again from the debug output, it's reading:


  Did you edit that file?  Or another one?

  Alan DeKok.
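
The check described in the message above, reading the debug output for what each `update control` block actually set, can be scripted. This is an added example, not part of the original message or of FreeRADIUS; the function names and the packet 8 sample lines are constructed, and the line format is assumed to match the packet 7 excerpt quoted above.

```python
import re

# Constructed sample: packet 7 is the excerpt quoted in the message above;
# packet 8 is a constructed block with the setting present (assumed format).
SAMPLE_DEBUG = """\
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(8)       update control {
(8)         Auth-Type := LDAP
(8)       } # update control = noop
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")              # "(7)   <text>"
OPEN = re.compile(r"^update(?:\s+(\S+))?\s*\{$")      # "update control {"
ASSIGN = re.compile(r"^&?(?:(\w+):)?([\w-]+)\s*(:=|\+=|=)\s*(.+)$")


def control_updates(debug_text):
    """Return {packet: {attribute: value}} for each 'update control' block."""
    found, inside = {}, set()   # inside: packets currently in such a block
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pkt, body = int(m.group(1)), m.group(2).strip()
        opened = OPEN.match(body)
        if opened:
            if opened.group(1) == "control":
                inside.add(pkt)
        elif pkt in inside:
            if body.startswith("}"):
                inside.discard(pkt)
            else:
                a = ASSIGN.match(body)
                if a:
                    found.setdefault(pkt, {})[a.group(2)] = a.group(4).strip()
    return found


def packets_setting_auth_type(debug_text, wanted="LDAP"):
    """List the packet numbers whose control list got Auth-Type := wanted."""
    return sorted(p for p, attrs in control_updates(debug_text).items()
                  if attrs.get("Auth-Type") == wanted)


if __name__ == "__main__":
    print(packets_setting_auth_type(SAMPLE_DEBUG))
```

An empty result for a saved debug log means no `update control` block set Auth-Type to LDAP, which is the situation the message describes.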
