Working With EAP-TTLS, and LDAP

Alan DeKok aland at
Fri Mar 22 20:58:13 CET 2019

On Mar 22, 2019, at 3:33 PM, Nate . <nate2077developer at> wrote:
> Matthew, I've added a section to sites-enabled/inner-tunnel. Here's the new
> log. Should I be adding the update control?
> server inner-tunnel {
> authenticate {
> Auth-Type LDAP {
>    if ((ok || updated) && User-Password) {
>        update {
>            control:Auth-Type := ldap

  i.e. "in the Auth-Type ldap block, tell the server to use the Auth-Type ldap block"

  That doesn't make sense.

  You're making random changes without really understanding what's going on.  Don't do that.

  Run "radtest" on the *inner-tunnel* virtual server.  The instructions for this are at the top of the "inner-tunnel" virtual server.  Don't do anything with EAP until radtest works.

  Go back to the default configuration for the "inner-tunnel" virtual server.  It works.

  Then, you want to *check passwords against LDAP*.  This means reading the "inner-tunnel" virtual server, and looking for "ldap".  Then, reading the comments there.

  In short, what you want to do is:

1) uncomment the "Auth-Type ldap" section in the "authenticate" section.

  This allows the server to check passwords against LDAP.

2) tell the server to use the above block for checking User-Password. 

  This means editing the "authorize" section.  The last entry in the "authorize" section is "pap".  Add some text before it:

authorize {
	if (User-Password) {
		update control {
			Auth-Type := LDAP

  Test it with "radtest" on the *inner tunnel only*.  If that works, then TTLS + PAP should work.

  Alan DeKok.
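The two steps above, written out as one inner-tunnel fragment. This is an added example, not Alan's text or the FreeRADIUS project's own file; it assumes the stock 3.0 inner-tunnel layout (listener on 127.0.0.1:18120, shared secret testing123), and "alice" / "correct horse" are constructed test credentials.

```unlang
# /etc/raddb/sites-enabled/inner-tunnel (trimmed to the relevant parts)
server inner-tunnel {
	# Stock listener; radtest is pointed here, never at the EAP port.
	listen {
		type = auth
		ipaddr = 127.0.0.1
		port = 18120
	}

	authorize {
		# Default modules stay as they are; only the ldap parts change.
		filter_username
		suffix
		-ldap                     # looks the user up; does NOT check the password

		# Step 2: if the inner request carries a cleartext password,
		# route it to the "Auth-Type LDAP" block below.  This is only
		# true for TTLS+PAP; MSCHAP carries no cleartext password, so
		# it keeps the default mschap handling.
		if (User-Password) {
			update control {
				Auth-Type := LDAP
			}
		}

		expiration
		logintime
		pap                       # stays last; only used when no Auth-Type was set
	}

	authenticate {
		# Step 1: uncommented from the stock file.  The ldap module binds
		# to the directory as the user, so LDAP validates the password.
		Auth-Type LDAP {
			ldap
		}

		Auth-Type PAP {
			pap
		}
		mschap
		eap
	}
}

# Test the inner tunnel by itself first, as the header of the stock
# file says; "alice" / "correct horse" are constructed credentials.
#   radtest -t pap alice 'correct horse' 127.0.0.1:18120 0 testing123
# Expect "Received Access-Accept" before touching TTLS.
```

Run radiusd -X while testing: the debug output shows whether the request entered the Auth-Type LDAP block or fell through to pap.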
