FreeRADIUS is often deployed with an LDAP directory used as the identity store.
This means that the password is retrieved from the directory as an attribute and then verified by FreeRADIUS. It is important that you know which obfuscation mechanism is being used in your LDAP directory as not all EAP authentication protocols are compatible with all obfuscation types. DeployingRADIUS, Alan DeKok's site, has a handy compatibility matrix that lists authentication systems and their authentication protocol compatibility.
To use LDAP directories with passthrough authentication (such as SASL) with FreeRADIUS, please see the FreeRADIUS + OpenLDAP with SASL topic. This may be your only option if the compatibility matrix shows that the obfuscation type is incompatible with the EAP-TTLS inner authentication type.
To use Active Directory as an LDAP directory, please see the Using Active Directory topic.
Install the freeradius-ldap module, if you haven't already.
Configure the ldap module (in /etc/raddb/mods-available on RedHat/CentOS or /etc/freeradius/mods-available on Debian/Ubuntu) as per the standard configuration, with the server name(s), port(s), and whether TLS is required.
We recommend you use TLS.
Set the identity and password options to a user that has browse and attribute retrieval rights on the LDAP directory.
We recommend using a user that is as unprivileged as possible and not used for anything else.
Below the base_dn, from which all searches start, you will find the update section, which returns attributes from LDAP. By default it includes the userPassword LDAP attribute, which FreeRADIUS will use to authenticate. If the password attribute in your LDAP directory has a different name, change that here.
Scroll to the user section. You may wish to modify the scope settings there to match what your LDAP directory requires to return a single user object. FreeRADIUS will set an Ldap-UserDN attribute that will be used for binding as a user if the search is successful.
You may wish to test your LDAP search with tools such as
It is rare that network access servers still use PAP. Instead, they use a variety of EAP types, which can wrap PAP to provide better security for user credentials. The default is EAP-MD5.
Depending on the compatibility matrix, you may need to adjust the default_eap_type for the ttls EAP type to something different.
The default settings in the eap module in FreeRADIUS set PAP as the password mechanism for EAP-GTC, so no changes are required there. What is required, though, is setting the default type for EAP conversations:
To set the default EAP type in tunneled EAP conversations, such as EAP-TTLS, scroll to the ttls section, then set its default_eap_type to either
PEAP support also includes a
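As an added example (not configuration taken from the original page), the steps above look like this together in FreeRADIUS 3.x syntax: the ldap module over LDAPS with a least-privilege bind account, the userPassword mapping, a user search scoped to return one object, and TTLS with an inner type of GTC, which the page notes runs PAP and so lets FreeRADIUS check a stored hash that MSCHAPv2 could not. The host name, DNs, service account, CA file path and the choice of gtc are assumptions for illustration.

```conf
# mods-available/ldap  (added example; host, DNs and paths are assumed)
ldap {
    # ldaps:// means the connection is TLS from the first byte.
    server = 'ldaps://ldap.example.org'
    port = 636

    # Dedicated read-only service account used for nothing else (assumed DN).
    identity = 'cn=radius-bind,ou=services,dc=example,dc=org'
    password = 'REPLACE_WITH_BIND_PASSWORD'

    # Every search starts below this DN.
    base_dn = 'dc=example,dc=org'

    update {
        # Pull the stored (usually hashed) password into the request so the
        # pap module can compare against it. Rename 'userPassword' if your
        # directory keeps the password under a different attribute.
        control:Password-With-Header += 'userPassword'
    }

    user {
        base_dn = "${..base_dn}"
        # The filter plus scope must yield exactly one entry; on success
        # FreeRADIUS sets Ldap-UserDN and can bind as that user.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = 'sub'
    }

    tls {
        # Already TLS via ldaps://, so no StartTLS upgrade is needed.
        start_tls = no
        # CA that issued the directory server's certificate (assumed path).
        ca_file = /etc/raddb/certs/ldap-ca.pem
        require_cert = 'demand'
    }
}

# mods-available/eap  (only the settings that change from the defaults)
eap {
    # Outer EAP type offered to supplicants instead of the md5 default.
    default_eap_type = ttls
    ttls {
        # Inner type: GTC carries the password inside the TLS tunnel and
        # hands it to PAP, which can verify a hashed userPassword value.
        default_eap_type = gtc
    }
    gtc {
        auth_type = PAP
    }
}
```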