Thanks everyone. Alan, it all came down to the Freeradius-Proxied-To check in the users file. Once I added that, everything worked fine. I am now able to authenticate against OpenLDAP from the built-in OS X client and the SecureW2 client for Windows.
******************************users
# Freeradius-Proxied-To == 127.0.0.1 is the check item that made this work:
# FreeRADIUS adds that attribute to the request it builds for the tunneled
# (inner) session, so this DEFAULT entry matches only the inner request and the
# outer EAP conversation is left to the eap module.
# Only Wireless_Staff is selected here; no entry shown in this post selects the
# Wireless_Students instance.
DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := Wireless_Staff, Freeradius-Proxied-To == 127.0.0.1
******************************radiusd.conf
modules {
    pap {
        # "clear": the pap module compares against a cleartext reference password.
        encryption_scheme = clear
    }
    $INCLUDE ${confdir}/eap.conf
    # LDAP instance used for both authorization (Autz-Type) and authentication
    # (Auth-Type) of staff; only entries carrying eduPersonEntitlement=wireless match.
    ldap Wireless_Staff {
        server = "ldapchild2.MySchool.edu"
        basedn = "ou=people,dc=MySchool,dc=edu"
        filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wireless))"
        # NOTE(review): with start_tls = no and tls_mode = no the connection to the
        # LDAP server is unencrypted. Because this instance is also the Auth-Type,
        # the module authenticates by binding as the user, so the password taken
        # out of the TTLS tunnel crosses the RADIUS-to-LDAP link in cleartext.
        # Enable StartTLS or LDAPS, or confirm that link is a trusted segment.
        # No identity/password is set in this excerpt, so the search presumably
        # runs as an anonymous bind - confirm that is intended.
        start_tls = no
        tls_mode = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 15
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    # Same server and base DN as Wireless_Staff; differs only in the entitlement
    # value in the filter. The unencrypted-LDAP note above applies here as well.
    ldap Wireless_Students {
        server = "ldapchild2.MySchool.edu"
        basedn = "ou=people,dc=MySchool,dc=edu"
        filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wirelessStudent))"
        start_tls = no
        tls_mode = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 15
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
# (the closing brace of modules { } is not shown in the post)
instantiate {
    exec
    expr
}
authorize {
    preprocess
    eap
    files
    # Each autztype section runs only when the users file set the matching Autz-Type.
    autztype Wireless_Staff {
        Wireless_Staff
    }
    autztype Wireless_Students {
        Wireless_Students
    }
}
authenticate {
    Auth-Type PAP {
        pap
    }
    # Selected by Auth-Type := Wireless_Staff / Wireless_Students; the ldap
    # instance then verifies the password against the directory.
    authtype Wireless_Staff {
        Wireless_Staff
    }
    authtype Wireless_Students {
        Wireless_Students
    }
    eap
}
preacct {
    preprocess
    acct_unique
    files
}
***************************************eap.conf
eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    # NOTE(review): EAP-MD5 is enabled with no options. It offers no server
    # authentication and no tunnel; confirm it is needed outside the TTLS tunnel.
    md5 {
    }
    tls {
        # NOTE(review): this key password and the cert-srv.pem / demoCA paths look
        # like the sample values shipped with FreeRADIUS. If the bundled demo
        # certificates are still in place, replace them with a key and certificate
        # issued for this server before production use; supplicants can only
        # verify the RADIUS server if its private key is not publicly available.
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        # CRL checking is on for client certificates; a current CRL for the CA
        # presumably has to be available to the server - confirm.
        check_crl = yes
    }
    ttls {
        # Inner method offered when the client tunnels EAP. The users entry forces
        # Auth-Type := Wireless_Staff (LDAP bind), which needs a cleartext password
        # from the tunnel; presumably both clients send inner PAP - confirm.
        default_eap_type = md5
        # Copies attributes of the outer request into the tunneled request;
        # presumably what lets the Huntgroup-Name check match the inner request.
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
    }
}
On Tue, 21 Dec 2004 10:14:40 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote: > Joe Raviele <[EMAIL PROTECTED]> wrote: > > Now I set users to > > : > > DEFAULT
Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := EAP
> >
> > and it fails with a different message: malformed EAP
>
>   Changing things at random is a guaranteed way to never solve the
> problem.
>
>   Again, write down a clear description of what you want to happen,
> and when.  Write down a description of what attributes are in the
> packets in the different scenarios you define above.  Write down how
> to configure the server to match those attributes, and therefore match
> those scenarios, and therefore do what you want.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html