Freeradius with LDAP backend and 802.1x



  • Have tried to setup this a long time ago, now trying again but still can’t get it to work.

    Latest Freeradius 3 package 0.15.5_2, with LDAP (to AD) enabled and working. Radtest can authenticate both an internal (freeradius) user and an LDAP user.
    However, an access point with WPA2 Enterprise enabled, pointing to the pfsense machine, can ONLY authenticate the internal users. LDAP fails with:

    Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username/<via Auth-Type = eap>] (from client WAP2 port 17 cli 908d6c802afb via TLS tunnel)
    

    Have tried with dd-wrt, tomato and openwrt in the access point to no avail, all the same message. Can’t configure much there other than radius IP, port and shared secret.

    Have set Active Directory Compatibility in the Freeradius LDAP settings and played around with the EAP settings. For now the default is PEAP, in the EAP-PEAP section the default is MSCHAPv2 and Copy Request to Tunnel is set to Yes. According to some info I have found this should be OK, but in my case it isn’t. Still think it must be something there, but can’t figure it out yet.

    There are quite a few how-to’s about pfsense and freeradius, but none of them also cover LDAP as authentication backend with 802.1x authentication involved.
    Is there anyone using a similar setup who actually got it working? To me this doesn’t seem to be a very exotic setup...
    Any other suggestions or options to try?
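    A small parser for the FreeRADIUS auth-log format quoted above, added here as an example and not code from pfSense or FreeRADIUS. The first sample line is the one from the post; the other two are constructed. It separates the "No NT/LM-Password" reject (the mschap module has no NT hash or cleartext password to check the inner MS-CHAPv2 response against) from an ordinary wrong-password mschap reject, which is the distinction that matters when LDAP-backed PAP works but PEAP does not.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the log line quoted in the post above,
# lines 2 and 3 are made up here (an accept and an ordinary mschap reject).
SAMPLE_LOG = """\
Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username/<via Auth-Type = eap>] (from client WAP2 port 17 cli 908d6c802afb via TLS tunnel)
Login OK: [localuser/<via Auth-Type = eap>] (from client WAP2 port 17 cli 908d6c802afb via TLS tunnel)
Login incorrect (mschap: MS-CHAP2-Response is incorrect): [username/<via Auth-Type = eap>] (from client WAP2 port 17 cli 908d6c802afb via TLS tunnel)
"""

# FreeRADIUS 3 auth log: "Login OK|incorrect (reason): [user/auth] (from client X port N cli MAC ...)"
LOG_RE = re.compile(
    r"^Login (?P<status>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?"
    r": \[(?P<user>[^\]/]+)(?:/(?P<auth>[^\]]*))?\]"
    r" \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?(?P<tunnel> via TLS tunnel)?\)$"
)

def parse_line(line):
    """Return the fields of one auth-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    entry["tunnel"] = entry["tunnel"] is not None  # inner (tunnelled) EAP request?
    return entry

def classify(entry):
    """Label a parsed entry with a short diagnosis of the accept/reject."""
    if entry["status"] == "OK":
        return "accept"
    reason = entry["reason"] or ""
    if "No NT/LM-Password" in reason:
        # mschap needs the user's NT hash (NT-Password) or a cleartext password it
        # can hash; a plain LDAP bind to AD gives neither, so PAP works but PEAP fails.
        return "mschap-no-nt-hash"
    if reason.startswith("mschap:"):
        return "mschap-bad-response"  # credentials were available, password was wrong
    return "reject-other"

def summarize(log_text):
    """Count (user, diagnosis) pairs across a block of auth-log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        if entry := parse_line(line):
            counts[(entry["user"], classify(entry))] += 1
    return counts
```

Run `summarize(open("/var/log/radius.log").read())` (path assumed) to see whether every LDAP user fails with "mschap-no-nt-hash" while local users get "accept".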



  • @wickeren said in Freeradius with LDAP backend and 802.1x:

    Have set Active Directory Compatibility in the Freeradius LDAP settings and played around with the EAP settings. For now the default is PEAP, in the EAP-PEAP section the default is MSCHAPv2 and Copy Request to Tunnel is set to Yes. According to some info I have found this should be OK, but in my case it isn’t. Still think it must be something there, but can’t figure it out yet.

    Hi, I tried to configure free-radius on pfSense (authentication via LDAP or Kerberos), I have AD 2008.
    Can you share your configuration please?