EAP-TTLS/PAP -> LDAP for WPA2

Stefan Winter stefan.winter at restena.lu
Thu Jul 6 18:00:53 CEST 2006


> Quite new to radius and struggling to get my head around things so
> forgive me if my assumptions are wrong. I appear to have the setup
> working but I'm concerned it's not doing what I think it is. I don't
> think the authentication requests are actually going over an encrypted
> channel.

You need to differentiate two parts of the link: a) the data that is passed 
between the client device and the RADIUS server and b) the backend 
communication between RADIUS server and LDAP.

a) is encrypted when using EAP-TTLS
b) may or may not be encrypted, depending on your settings in the RADIUS 
server.

> I'm using freeradius-1.1.2 on a freebsd server and I've compiled it
> against openldap-2.3.24 which all went well. I'm attempting to set up
> secure wireless with WPA2 using our ldap directory for authentication.
> We have a replica of our directory running on the freeradius server.
> Originally I had hoped to use some sort of
> web-redirect-to-an-authentication-page system like you sometimes see in
> hotels but I can't find anything about that (any information welcome).

Try googling for "captive portal".

> After reading around, the best form of authentication I can see would be
> eap-ttls with pap as the inner protocol. I believe (from comments in the
> radiusd.conf file) that I wouldn't be able to use md5 with ldap. Now,

There is a chance that you could, but using MD5 kind of sucks. And it might be 
non-trivial to set up.

> I've set it up in a way that appears to be mostly right and I *can*
> authenticate with my username/password in ldap but doing a tcpdump on
> the radius server worries me.

You should see lots of RADIUS packets going between your server and the client 
(switch/access point) with encrypted payload in the attribute "EAP-Message". 

> I can see my username passed in the clear in the packets so I'm concerned
> it's not using tls at all. I told the wireless client to use ttls so I can't
> understand what's going on.

You might see the clear text password on packets going from your RADIUS server 
to LDAP (depending on how you set up the LDAP communication). That's what's 
going on.

> The following is a summary of the main changes I made from the
> radiusd.conf and eap.conf files. If I don't mention an attribute it's
> because I didn't change it from the default setting:
>
> radiusd.conf:
>
> modules {
> 	ldap {
> 		server = "localhost"
> 		filter = "(uid=%u)"
> 		base_filter = "(objectclass=radiusprofile)"
> 		start_tls = no

And this is where the non-encrypted backend communication comes from: no TLS 
configured for the LDAP backend.

> 		dictionary_mapping = ${raddbdir}/ldap.attrmap
> 	}
> }
>
> authorize {
> 	eap
> 	ldap
> }
>
> authenticate {
> 	Auth-Type PAP {
> 		pap
> 	}
> 	eap
> 	Auth-Type LDAP {
> 		ldap
> 	}
> }
>
> eap.conf:
> eap {
> 	default_eap_type = ttls
> 	tls {
> 		private_key_file = ${raddbdir}/certs/radius_key.pem
> 		certificate_file = ${raddbdir}/certs/radius_cert.pem
> 		CA_file = ${raddbdir}/certs/cacert.pem
> 		random_file = ${raddbdir}/certs/random
> 	}
>
> 	ttls {
> 		default_eap_type = md5
> 	}
> }
>
> Now I know that default_eap_type setting looks wrong but I don't know
> what I *should* have there.

The one in ttls {} looks a bit awkward. But if things work, it's okay I guess.

> On the server in /var/log/radiusd.log I see the following:
>
> Wed Jul  5 16:10:32 2006 : Error:     TLS_accept:error in SSLv3 read
> client certificate A
> Wed Jul  5 16:10:32 2006 : Error: rlm_eap: SSL error
> error:00000000:lib(0):func(0):reason(0)
> Wed Jul  5 16:10:32 2006 : Error: rlm_eap: SSL error
> error:00000000:lib(0):func(0):reason(0)

Which is completely normal. It means that the *client* is not sending a 
certificate. TTLS makes him send username and password instead of a 
certificate, so nothing to see here. Please move along.

> I based my certificate generation on the instructions at:
>
> http://homepage.mac.com/andreaswolf/public/wpaeap.html
>
> including using the xpextensions mentioned there. I generated my random
> file using dd and /dev/urandom.

Good boy. And it seems like everything worked out beautifully. Now secure your 
backend communication with TLS as well if you are really concerned about 
that, and you're done.

> I am a little lost and don't know what is best practice. Any advice
> would be appreciated. I've tried googling but haven't found a good guide
> that matches our setup. I can, of course, give more information if needed.

Really? WPA2 is quite a wide-spread scenario. And using LDAP as backend is 
quite common as well.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
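To make the "secure your backend communication with TLS" advice concrete, here is the poster's rlm_ldap stanza with the weak setting next to a hardened version for FreeRADIUS 1.1.x. This is an added example, not part of the original message; the basedn value, the CA file path and the LDAP server name are assumed placeholders, and the tls_* options are the ones rlm_ldap 1.1.x documents in the default radiusd.conf.

```conf
# --- Weak (as posted): rlm_ldap searches and then binds as the user over
#     plain LDAP on port 389. With EAP-TTLS/PAP the inner password arrives
#     at the RADIUS server in clear, so the bind carries it unencrypted and
#     a tcpdump on the RADIUS host shows it, even though the client-to-RADIUS
#     leg is protected inside the TTLS tunnel.
modules {
	ldap {
		server = "localhost"
		basedn = "dc=example,dc=org"               # assumed placeholder
		filter = "(uid=%u)"
		base_filter = "(objectclass=radiusprofile)"
		start_tls = no
		dictionary_mapping = ${raddbdir}/ldap.attrmap
	}
}

# --- Hardened: same stanza, but the connection is upgraded with the LDAP
#     StartTLS extended operation before any search or bind, and the LDAP
#     server's certificate must chain to the named CA. The hostname in
#     "server" must match the name in the LDAP server certificate, so a
#     local replica needs a certificate issued for the name used here.
modules {
	ldap {
		server = "ldap.example.org"                # assumed placeholder
		basedn = "dc=example,dc=org"               # assumed placeholder
		filter = "(uid=%u)"
		base_filter = "(objectclass=radiusprofile)"
		start_tls = yes
		tls_cacertfile = ${raddbdir}/certs/ldap-ca.pem   # assumed path
		tls_require_cert = "demand"                # fail the bind on an untrusted cert
		dictionary_mapping = ${raddbdir}/ldap.attrmap
	}
}
```

With the hardened stanza, a capture of port 389 on the RADIUS host should show only the StartTLS extended request and response in clear, followed by TLS records; if cleartext bind requests are still visible, the module did not pick up the change (check radiusd -X output for the ldap module's StartTLS step).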
