David Sotnick <[EMAIL PROTECTED]> wrote:
> I'm trying to get EAP-TTLS working on an Avaya WPA WLAN network, using
> LDAP as the user/password database. I'm running FreeRadius version 1.0.0.

That shouldn't be a problem.

> In an older version of the doc/rlm_eap documentation, it seems to imply
> that you can use both EAP and LDAP, but newer documentation states that
> because the LDAP module requires the "User-Password" attribute, that when
> LDAP is on that EAP won't work.

To be a little pickier: LDAP doesn't understand EAP, but FreeRADIUS does. So if you use LDAP as a user/password store, and tie that password to EAP via FreeRADIUS, it will work. If you try to pass the EAP session to an LDAP database, it won't work.

> Is it possible to accomplish what I'm trying to do? I want to use TTLS as
> the tunnel transport for the EAP stuff, but have FreeRadius send the
> client username/password to the back-end LDAP server for authorization and
> authentication.

Delete the last two words: "... and authentication". Let FreeRADIUS do the authentication work, and let LDAP do the database work.

If you configure the LDAP module in "radiusd.conf", and un-comment its entry in the "authorize" section, then any user who has a clear-text password in LDAP will be able to do PAP, CHAP, MS-CHAP, etc. Once you configure tls && ttls, then those users will be able to do EAP-TTLS, too.

The goal of the server is to make all of these authentication/database methods as independent as possible, which makes it easier to configure and deploy.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
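A radiusd.conf fragment for the arrangement described in the reply (LDAP as the password store, FreeRADIUS doing the EAP-TTLS authentication), added here as an illustration; it is not taken from the message above or from the FreeRADIUS distribution. The LDAP server name, bind DN and password, base DN and certificate paths are placeholders, and in a 1.0.x install the eap section may live in the included eap.conf rather than directly in radiusd.conf.

```conf
# Placeholder values (assumed): server name, bind DN/password, cert paths.
modules {
    ldap {
        server = "ldap.example.org"
        identity = "cn=radius,dc=example,dc=org"
        password = "bind-password-here"
        basedn = "ou=people,dc=example,dc=org"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # CHAP/MS-CHAP inside the tunnel need the clear-text password from here
        password_attribute = userPassword
    }
    eap {
        default_eap_type = ttls
        tls {
            private_key_password = "key-password-here"
            private_key_file = ${raddbdir}/certs/cert-srv.pem
            certificate_file = ${raddbdir}/certs/cert-srv.pem
            CA_file = ${raddbdir}/certs/cacert.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
        }
        ttls {
            # the inner request goes through the same authorize/authenticate sections
            default_eap_type = md5
            copy_request_to_tunnel = no
            use_tunneled_reply = no
        }
    }
}
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files
    ldap        # un-commented: LDAP supplies the password, it does not authenticate
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

Note that "ldap" is listed only in authorize, not as an Auth-Type, which is the split between database work and authentication work the reply recommends.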

