Manage client in LDAP...

Alan DeKok aland at
Mon Oct 11 15:05:39 CEST 2021

On Oct 10, 2021, at 12:15 PM, Marco Gaiarin <gaio at> wrote:
> I'm not an expert on freeradius, but at work i manage successfully a setup
> with freeradius binded to an AD domain, successfully autheticate wireless
> clients with MSCHAPv2.

  That's good.

> At home i need to extend my wireless coverage (for now, i use an hostapd and
> a wireless interface in my server), and so i've thinked about using LDAP as
> a source for auth data, using as AP some OpenWRT/LEDE routers.
> Yes, i can use WPA/WPA2 personal, but i want to experiment and continue to
> assign different credential for different MAC addess. ;)


> I've found the basic setup info on:
> and some other info on how add clients to the LDAP on:

  I think you mean adding user accounts to LDAP.  But OK...

> Also i've found some forum/blog pages around, but all seems to be about
> freeradius 2, and does not provide clues on why (at least to me).

  People write docs, and then don't update them for 10 years.  :(

> For example, i suppose i have to use WPA2-Enterprise with EAP-TTLS, but i've
> not found a place that clarify if the password in LDAP have to be 'in
> clear', or hashed, and how hashed.

  It depends...

> Someone have some info, or a good link? Thanks.

  What's safest is to put salted / encrypted passwords into the database, and then use TTLS+PAP.  But not everything supports this.

  Alan DeKok.

More information about the Freeradius-Users mailing list