Freeradius, OpenLDAP, DD-WRT

I had the reason to set up the wireless network in my office recently. Since this is an office network, I decided to put it on the right path, even if I was the only one using the wireless at the moment.

I started with setting up a public WEP network. This was for the use of guests to the office and is considered as part of the RED zone in my firewall settings. Then, I wanted to set up a GREEN wireless zone and felt that WPA-EAP was the best way to go for an enterprise class installation.

Since all my back-end infrastructure is Debian based, I decided to go with whatever was in the box – Freeradius and OpenLDAP. OpenLDAP was easy to setup as I have configured many LDAP servers in the past. It was fairly straight-forward. Then, came the Freeradius settings.

The default installation of Freeradius has actually got almost everything done. All I had to do was to configure the LDAP module and voila. It works! (with some minor caveats). With the default PEAP-MSCHAPv2 setup, all LDAP passwords must be stored in clear-text, which kind of sucked. So, I decided to go with TTLS-PAP instead, which allowed the passwords to be stored in any form, including the Salted-SHA1 encoding I had chosen for my LDAP.

ldap {
server = "localhost"
identity = ""
password =
basedn = ""
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
password_attribute = userPassword
set_auth_type = no

For the DD-WRT settings, I had to configure Freeradius to accept connections from a new client with a shared secret. Then, I configured DD-WRT with the shared secret to connect to the radius server. Done.

#replace with DD-WRT IP
client 10.X.X.X {
secret =
shortname =

I have been using it for several days and I have to say that it has been pretty decent so far. I have no complaints.


Published by

Shawn Tan

Chip Doctor, Chartered/Professional Engineer, Entrepreneur, Law Graduate.

5 thoughts on “Freeradius, OpenLDAP, DD-WRT”

  1. Hey. would you mind sharing all the configuration files necessary to achieve this? That would be awsome. Did you change anything else in freeradius configuration? How does it work with TTLS-PAP? I have OpenLDAP and FreeRadius on ubuntu and dd-wrt

    1. Yes, you need to configure FreeRadius to talk to OpenLDAP. I’ve already shared the relevant sections for FreeRadius. You need to have a working LDAP configuration before hand.

      TTLS-PAP merely runs PAP over a TLS connection. So, you can possibly use 2-factor authentication though I’ve only used one. I may add certificate authentication after this.

      1. I have the LDAP connection work however I would be interested in a more in depth tutorial however thank you for what you have posted so far.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s