Hello!

I am trying to set up a simple WLAN authentication using EAP-TTLS to avoid client certificates and PAM to use the server system authentication scheme. PAM doesn't know about users, and the users are situated in an LDAP database, which I think makes it logical to use rlm_ldap for authorization. I.e. I just want to check that users exist in LDAP and then move on to checking the password against PAM.

The problem is that PAM is never used. This seems to be an artifact of the fact that rlm_ldap is supposed to fetch a "known good" password, but I don't have passwords in the LDAP database. rlm_ldap is indeed successful in authorizing, but there is no Auth-Type set to handle the authentication.

If I for example force Auth-Type to PAM in the users file (not good, I know), TTLS negotiation is never run.

If I add
Auth-Type LDAP {
   pam
}
to the authenticate section and let rlm_ldap set Auth-Type, it works with radtest, but fails using TTLS: pam_pass: function pam_acct_mgmt FAILED for <USERNAME>. Reason: Authentication service cannot retrieve authentication info


My configuration is:

FreeRADIUS 2.0.5

sites-enabled/default:
authorize {
   preprocess
   auth_log
   eap {
       ok = return
   }
   files
   ldap
   pap
}
authenticate {
   Auth-Type PAP {
      pap
   }
   pam
   eap
}
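As an added illustration (not the poster's configuration, and not a confirmed fix), here is how the EAP-TTLS flow in FreeRADIUS 2.x splits across two virtual servers, which is why forcing Auth-Type in the outer server bypasses EAP. The outer server only sees EAP-Message attributes, so the user's real password is never available there; the decrypted inner request (TTLS/PAP) is handed to the virtual server named in eap.conf under ttls { virtual_server = "inner-tunnel" }, and that is where a cleartext password exists for rlm_pam to check. The module names and layout below mirror the stock 2.x sites-available files; the "Auth-Type := PAM" assignment and the ldap-then-pam ordering are assumptions for illustration.

```conf
# eap.conf (excerpt): inner TTLS requests are routed to a separate virtual server.
eap {
    default_eap_type = ttls
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        # The decrypted inner request is processed by this virtual server.
        virtual_server = "inner-tunnel"
    }
}

# sites-enabled/default (outer server): only EAP runs here.
# The outer request carries no cleartext password, so no PAM here.
authorize {
    preprocess
    auth_log
    eap {
        ok = return
    }
}
authenticate {
    eap
}

# sites-enabled/inner-tunnel: the decrypted TTLS/PAP request arrives here.
# The user's password is present as User-Password, so PAM can verify it.
server inner-tunnel {
    authorize {
        # Confirm the user exists in LDAP (authorization only; no password there).
        ldap
        # Assumption: select rlm_pam as the authentication method after LDAP succeeds.
        # rlm_pam needs the cleartext password, so the inner method must be PAP.
        if (ok || updated) {
            update control {
                Auth-Type := PAM
            }
        }
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        # Listing rlm_pam here registers Auth-Type PAM.
        pam
    }
}
```

Operationally, this keeps the password inside the TLS tunnel: the supplicant must be configured for TTLS with PAP as the inner method (an MSCHAPv2 inner method does not give rlm_pam a cleartext password), and the supplicant should validate the server certificate so the tunnel cannot be terminated by a rogue access point.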


Regards,
Erik Karlsson.