Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> While usually true, this assumption is a little confusing sometimes.
> Indeed, when EAP-TTLS uses PAP (not an EAP protocol I know) as its
> inside authentication protocol, a cleartext password is provided to
> Freeradius which is then able to use a simple ldap bind exchange to
> authenticate the user.

But you still can't force "Auth-Type := LDAP", because then the outer
TTLS session will fail.

I'm inclined to remove the LDAP "bind as user" entirely, or move it to
a completely separate "ldap_bind" module. It's a major cause of
problems, and it's rarely necessary.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
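
The failure discussed in this message, as an added configuration sketch that is not part of the original post or the project's shipped files. It assumes a later FreeRADIUS release with unlang and a separate `inner-tunnel` virtual server (neither appears in the thread); the file names are assumptions based on the stock layout of such releases.

```text
# ---------------------------------------------------------------------
# Breaks EAP-TTLS: "users" file entry forcing LDAP for every request
# ---------------------------------------------------------------------
# Outer EAP-TTLS packets carry EAP-Message and no User-Password, so an
# LDAP bind has no password to bind with. Forcing the Auth-Type here
# also takes the request away from EAP handling, and the outer TTLS
# session fails.
DEFAULT  Auth-Type := LDAP

# ---------------------------------------------------------------------
# Works: sites-available/inner-tunnel (assumed file name)
# ---------------------------------------------------------------------
# Only the request unwrapped from the TLS tunnel is considered, and
# LDAP bind is selected only when the inner method was PAP and so
# supplied a cleartext User-Password.
authorize {
    ldap
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    # "Bind as user": succeeds only if the directory accepts the
    # user's DN together with the tunnelled cleartext password.
    Auth-Type LDAP {
        ldap
    }
}

# The outer virtual server keeps no forced Auth-Type, so the eap
# module's handling of the TTLS handshake is left untouched.
```

Inner methods that never expose a cleartext password (for example MS-CHAPv2 inside the tunnel) do not match the `User-Password` condition, so they are not routed to an LDAP bind.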

