Working With EAP-TTLS, and LDAP
Alan DeKok
aland at deployingradius.com
Fri Mar 22 20:58:13 CET 2019
On Mar 22, 2019, at 3:33 PM, Nate . <nate2077developer at gmail.com> wrote:
> Matthew, I've added a section to sites-enabled/inner-tunnel. Here's the new
> log. Should I be adding the update control?
>
> server inner-tunnel {
>     authenticate {
>         Auth-Type LDAP {
>             if ((ok || updated) && User-Password) {
>                 update {
>                     control:Auth-Type := ldap
i.e. "in the Auth-Type ldap block, tell the server to use the Auth-Type ldap block"
That doesn't make sense.
You're making random changes without really understanding what's going on. Don't do that.
Run "radtest" on the *inner-tunnel* virtual server. The instructions for this are at the top of the "inner-tunnel" virtual server. Don't do anything with EAP until radtest works.
Go back to the default configuration for the "inner-tunnel" virtual server. It works.
Then, you want to *check passwords against LDAP*. This means reading the "inner-tunnel" virtual server, and looking for "ldap". Then, reading the comments there.
In short, what you want to do is:
1) uncomment the "Auth-Type ldap" section in the "authenticate" section.
This allows the server to check passwords against LDAP.
2) tell the server to use the above block for checking User-Password.
This means editing the "authorize" section. The last entry in the "authorize" section is "pap". Add some text before it:
authorize {
    ...
    if (User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
    pap
}
Test it with "radtest" on the *inner tunnel only*. If that works, then TTLS + PAP should work.
Alan DeKok.
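The two edits described above, shown together in the context of the stock "inner-tunnel" virtual server. This is an added example, not part of Alan's reply or of the FreeRADIUS distribution; the surrounding section layout and the "listen" block are assumed to match the default 3.x file, and unrelated lines are elided with "...".

```unlang
# Added example (not from the original post): steps 1 and 2 applied to
# the default "inner-tunnel" virtual server of FreeRADIUS 3.x.
server inner-tunnel {

    # The stock file already listens here, which is what lets radtest
    # exercise the inner tunnel directly, with no EAP involved.
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }

    authorize {
        ...
        # Step 2: force LDAP authentication only when the inner request
        # actually carries a cleartext User-Password (inner PAP).
        # Inner CHAP/MS-CHAP requests have no User-Password, so they fall
        # through untouched and keep the Auth-Type their own modules set.
        if (User-Password) {
            update control {
                Auth-Type := LDAP
            }
        }
        pap
    }

    authenticate {
        ...
        # Step 1: the block that ships commented out, now enabled.
        # "ldap" here binds to the directory as the user with the
        # supplied password, so RADIUS never needs read access to
        # stored password hashes. Requires the ldap module to be
        # enabled under mods-enabled/.
        Auth-Type LDAP {
            ldap
        }
        ...
    }
}
```

Test it exactly as the post says, against the inner tunnel only, with the command given in the comments at the top of that file (port and shared secret are the stock values; adjust them if you changed the listen block or clients.conf): `radtest USER PASSWORD 127.0.0.1:18120 0 testing123`. Run the server in debug mode (`radiusd -X`) while doing so; the output shows whether the request reached `Auth-Type LDAP` and whether the bind succeeded. Only once that returns Access-Accept is there any point in testing TTLS + PAP from a client.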