Difficulties trying bind as user to openLDAP
Alan DeKok
aland at deployingradius.com
Fri Mar 7 13:44:55 UTC 2025
On Mar 7, 2025, at 8:14 AM, t5elrues elrues <t5elrues at gmail.com> wrote:
> Did try multiple configurations to make it work without success.
> OpenLDAP has userPassword encrypted in SSHA1 format, which makes it
> difficult to be compatible with all available authentication methods.
PAP is the best choice.
> I was successful on setting it with EAP-TTLS-GTC and was able to
> retrieve userPassword and validate MacOS, iOS and Android devices, but
> couldn't validate Windows devices without a 3rd party software that
> the high school doesn't want to use. EAP-TTLS-PAP was not allowing iOS
> devices to validate as they always tried to use mschapv2 with that
> configuration.
Then the iOS device has to be updated to allow EAP-TTLS-PAP.
> So now I've been trying to do bind as user against LDAP using
> EAP-TTLS-PAP but can't manage to force (Android, iOS and MacOS)
> devices to use this configuration to validate and always try to
> default to mschapv2. Windows doesn't even try to bind to LDAP.
You have to update the supplicant to allow EAP-TTLS-PAP.
> I can see on the debug log it uses auth-type = eap and calls submodule
> eap_ttls which I guess should be correct, but then I see a EAP NAK
> that forces to use eap_mschapv2 even though I think I've commented it
> to not be used in the configuration.
Yes, the supplicant is saying "no" to the server request, and then is saying "I want to use EAP-MSCHAPv2".
Nothing you do to the server will fix this. The only solution is to allow EAP-TTLS-PAP on the supplicant.
Alan DeKok.
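Why PAP (or GTC) is the only inner method that works against SSHA-hashed userPassword values, and why MSCHAPv2 cannot, as an added Python example that is not part of this thread or of FreeRADIUS; the {SSHA} layout follows OpenLDAP's convention, and the sample password, salt and scheme table are constructed here for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Inner methods and what they hand the RADIUS server: PAP and GTC carry the cleartext
# password inside the TTLS tunnel; MSCHAPv2 only carries a challenge/response that the
# server can check if it already holds the cleartext password or the NT hash.
CLEARTEXT_INNER = {"PAP", "GTC"}
CHALLENGE_INNER = {"MSCHAPV2"}
# userPassword schemes from which an MSCHAPv2 response can be verified (constructed table).
NT_COMPATIBLE_SCHEMES = {"", "{CLEARTEXT}", "{NT}"}

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against a {SSHA} value; only possible when cleartext arrived."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} userPassword value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the salt is whatever follows
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)

def scheme_of(stored: str) -> str:
    """Return the {SCHEME} prefix of a userPassword value, or '' for cleartext."""
    if stored.startswith("{") and "}" in stored:
        return stored[: stored.index("}") + 1].upper()
    return ""

def inner_method_can_verify(stored: str, inner: str) -> bool:
    """Can the server check this stored userPassword with the given TTLS inner method?"""
    inner = inner.upper()
    if inner in CLEARTEXT_INNER:
        # Cleartext arrives, so any hash (SSHA included) can be recomputed, and bind-as-user works too.
        return True
    if inner in CHALLENGE_INNER:
        return scheme_of(stored) in NT_COMPATIBLE_SCHEMES
    return False

# Constructed sample with a fixed salt so the value is reproducible; not a real directory entry.
SAMPLE_SSHA = make_ssha("correct horse battery", salt=b"\x01\x02\x03\x04")
```

With the sample value, inner_method_can_verify(SAMPLE_SSHA, "PAP") is True while inner_method_can_verify(SAMPLE_SSHA, "MSCHAPv2") is False, which is the server-side reason the supplicant, not the server, has to be told to use EAP-TTLS-PAP.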