Working With EAP-TTLS, and LDAP

Nate . nate2077developer at
Thu Mar 21 15:57:44 CET 2019

I have been dealing a few things, so this got delayed, apologies. I am
still unclear on why I am unable to connect via the EAPTTLS-PAP. I have
reviewed the log many times and I don't really understand it. I noticed a
part of the authentication where it tries the LDAP, binds, and then theres
a part where it says "if ((ok || updated) && User-Password)  -> FALSE"
where it is true on the radtest. I'm felt certain it's the User-Password
missing or something, but I don't understand why it would be missing. I
noticed the "(0)   User-Password = " does not appear at the top of the
connection log like the radtest either. Though, on the "Flat file user
credentials" from my previous email, you can see it is also not listed at
the top, so maybe it's not that.

Thank you for your time,

On Fri, Mar 8, 2019 at 3:59 PM Nate . <nate2077developer at> wrote:

> I realized my stupidity here. Using PAP, but for some reason only my phone
> will use PAP, our desktops are not giving me any choice. I found this:
> I had originally followed that in my very first round of trying all of
> this, but it never got it working.
> I've also tested connecting using the flat user credentials, it worked! I
> attached that result too, just in case.
> On Fri, Mar 8, 2019 at 1:02 PM Nate . <nate2077developer at> wrote:
>> Sorry for the delay. I've updated the files, LDAP is working now, I'm
>> sorry I didn't catch that part in the configuration, I feel slightly
>> overwhelmed. Good news though, LDAP is working using "radtest -t pap" and
>> without the "-t pap".
>> I've gone ahead and tested via the Wireless controller now, and I am
>> seeing..
>> (9) mschap: WARNING: No Cleartext-Password configured.  Cannot create
>> NT-Password
>> (9) mschap: WARNING: No Cleartext-Password configured.  Cannot create
>> LM-Password
>> and
>> (9) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform
>> authentication
>> (9) mschap: ERROR: MS-CHAP2-Response is incorrect
>> Now, I know there's a way to map attributes using the LDAP modules
>> 'update' section, but I have no idea how this works and I also do not know
>> what googles structure is. So if this is the route I have to take, I'll
>> have to do a bit of research on that then. I feel like that's what the
>> problem is here, but at the same time, Authentication via radtest was
>> successful, so I am having doubts.
>> I've attached a full log of me connecting via WIFI for convenience.
>> On Fri, Mar 8, 2019 at 12:05 PM Alan DeKok <aland at>
>> wrote:
>>> On Mar 8, 2019, at 12:01 PM, Nate . <nate2077developer at> wrote:
>>> >
>>> > Ok, duly noted. I've restored the defaults. Migrated settings for
>>> > certificates, and the LDAP. Now my LDAP isn't working anymore. Where
>>> am I
>>> > looking to edit first so that I can begin testing and not accidentally
>>> jump
>>> > ahead of myself?
>>> > I added the flat file user, as many recommend, that's working. "radtest
>>> > flatuser testpass 0 testing123"
>>> > When I run the test using my LDAP credentials I get "ERROR: No
>>> Auth-Type
>>> > found: rejecting the user via Post-Auth-Type = Reject"
>>>   See mods-available/ldap.  It has documentation on how to fix this.
>>> Look for "Auth-Type".
>>>   You will also need to uncomment the "Auth-Type LDAP" block
>>> sites-enabled/default, in the "authenticate" section.
>>>   Alan DeKok.
>>> -
>>> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list