Thanks everyone.
Alan, it all came down to adding the Freeradius-Proxied-To check to the DEFAULT entry in the users file, so that the LDAP Autz-Type/Auth-Type is applied only to the tunnelled inner request and not to the outer EAP exchange. Once I did that everything worked fine. I am now able to authenticate against OpenLDAP from the built-in OS X client and the SecureW2 client for Windows.
******************************users
# Sends the tunnelled (inner) 802.1X request to the Wireless_Staff LDAP
# instance for both authorization and authentication.  Both the outer EAP
# request and the inner request carry Huntgroup-Name == 1X, but (as this
# thread established) FreeRADIUS adds Freeradius-Proxied-To = 127.0.0.1 only
# to the inner request it builds from the TTLS tunnel, so the outer request
# does not match here and keeps the Auth-Type EAP set by the eap module,
# while the inner request gets Autz-Type/Auth-Type := Wireless_Staff and is
# bound against LDAP with the tunnelled password.
# NOTE(review): every matching request goes to Wireless_Staff; nothing in
# this file selects the Wireless_Students instance from radiusd.conf, so a
# student account is only found if it also carries the "wireless"
# entitlement that the staff filter requires.
# This entry is one logical line; the break before ":= Wireless_Staff" is
# mail wrapping and must not appear in the real file.
DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type
:= Wireless_Staff, Freeradius-Proxied-To == 127.0.0.1
******************************radiusd.conf
# radiusd.conf excerpt: module instances plus the authorize / authenticate /
# preacct sections used for 802.1X (EAP tunnel with an LDAP-bound inner
# identity).  Indentation was lost in the mail; blocks are shown flat.
modules {
# Plain-text password comparison.  Only reached for Auth-Type PAP, which the
# users file does not select for 1X requests (those go to the ldap instances).
pap {
encryption_scheme = clear
}
$INCLUDE ${confdir}/eap.conf
# Staff LDAP instance: finds the user by uid and additionally requires
# eduPersonEntitlement=wireless, so accounts without that entitlement are not
# found and are rejected.  Authentication (authtype Wireless_Staff, below) is
# a bind as that user with the tunnelled password.
ldap Wireless_Staff {
server = "ldapchild2.MySchool.edu"
basedn = "ou=people,dc=MySchool,dc=edu"
# Uses Stripped-User-Name when a realm was stripped, else the raw User-Name.
# The quoted value belongs on this same line; the break is mail wrapping.
# NOTE(review): the user-supplied name is expanded into the LDAP filter --
# confirm that this rlm_ldap version escapes filter metacharacters in the
# expansion, otherwise a crafted User-Name can alter the search.
filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wireless))"
# NOTE(review): no TLS on the LDAP connection, so the user's password is sent
# in clear text between this server and ldapchild2 on every bind.  Enable
# start_tls (with a CA certificate so the LDAP server is verified) unless the
# link is protected some other way.
start_tls = no
tls_mode = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 15
# Per the rlm_ldap docs: LDAP operation timeout, server-side search time
# limit, and network connect timeout, all in seconds.
timeout = 4
timelimit = 3
net_timeout = 1
}
# Student LDAP instance: identical to Wireless_Staff except for the
# entitlement required by the filter.  NOTE(review): nothing in the users
# entry shown in this thread selects this instance, so as posted it is
# defined but never used.
ldap Wireless_Students {
server = "ldapchild2.MySchool.edu"
basedn = "ou=people,dc=MySchool,dc=edu"
# Same escaping caveat as the staff filter; value continues on the next line
# only because of mail wrapping.
filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wirelessStudent))"
# NOTE(review): cleartext LDAP bind, see the staff instance.
start_tls = no
tls_mode = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 15
timeout = 4
timelimit = 3
net_timeout = 1
}
instantiate {
exec
expr
}
# preprocess assigns Huntgroup-Name (from the huntgroups file), eap sets
# Auth-Type EAP for EAP requests, files applies the users entry -- which for
# the inner request overrides Auth-Type with := and sets Autz-Type so the
# matching autztype block runs the LDAP lookup.
authorize {
preprocess
eap
files
autztype Wireless_Staff {
Wireless_Staff
}
autztype Wireless_Students {
Wireless_Students
}
}
# Inner requests are authenticated by an LDAP bind (authtype Wireless_Staff);
# outer EAP requests are handled by the eap module.  Auth-Type PAP is only
# reached if something else sets it.
authenticate {
Auth-Type PAP {
pap
}
authtype Wireless_Staff {
Wireless_Staff
}
authtype Wireless_Students {
Wireless_Students
}
eap
}
# Accounting pre-processing: acct_unique adds a unique session key, files
# applies the acct_users file (presumably the default one; not shown here).
preacct {
preprocess
acct_unique
files
}
***************************************eap.conf
# eap.conf excerpt.  default_eap_type = tls is only what the server proposes
# first; the client may NAK it and select TTLS, which is what the users file
# relies on (it matches the tunnelled inner request).
eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
# Server certificate used for the TLS tunnel (both EAP-TLS and EAP-TTLS).
tls {
# NOTE(review): "whatever" appears to be the passphrase used by the sample
# certificate scripts, and cert-srv.pem / demoCA/cacert.pem look like the
# demo certificates shipped with the server.  Replace them with a
# site-issued server certificate before clients are configured to validate
# the server, and keep this file readable only by the radiusd user since it
# holds the key passphrase in clear text.
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = /dev/urandom
fragment_size = 1024
include_length = yes
# NOTE(review): CRL checking only applies when clients present certificates
# (EAP-TLS).  Only CA_file is set here -- confirm OpenSSL can actually locate
# a CRL with this layout, otherwise client-certificate verification may fail
# or the setting may have no effect.
check_crl = yes
}
# Inner (tunnelled) authentication.  default_eap_type = md5 only applies when
# the inner method is EAP; the OS X and SecureW2 clients in this thread are
# presumably using TTLS with PAP inside, which is what gives the LDAP bind a
# cleartext password -- confirm against the client configuration.
# copy_request_to_tunnel = yes copies outer attributes into the inner request;
# per the rlm_eap_ttls docs use_tunneled_reply = no discards inner reply
# attributes, so anything the LDAP attrmap returns (e.g. VLAN assignments)
# does not reach the NAS.
ttls {
default_eap_type = md5
copy_request_to_tunnel = yes
use_tunneled_reply = no
}
}
On Tue, 21 Dec 2004 10:14:40 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Joe Raviele <[EMAIL PROTECTED]> wrote:
> > Now I set users to
> > :
> > DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := EAP
> >
> > and it fails with a different message: malformed EAP
>
> Changing things at random is a guaranteed way to never solve the
> problem.
>
> Again, write down a clear description of what you want to happen,
> and when. Write down a description of what attributes are in the
> packets in the different scenarios you define above. Write down how
> to configure the server to match those attributes, and therefore match
> those scenarios, and therefore do what you want.
>
> Alan DeKok.
>
>