EAP-TTLS/PAP -> LDAP for WPA2

A.L.M.Buxey at lboro.ac.uk
Thu Jul 6 18:08:55 CEST 2006


Hi,

> I'm using freeradius-1.1.2 on a freebsd server and i've compiled it
> against openldap-2.3.24 which all went well. I'm attempting to set up
> secure wireless with WPA2 using our ldap directory for authentication.
> We have a replica of our directory running on the freeradius server.
> Originally i had hoped to use some sort of
> web-redirect-to-an-authentication-page system like you sometimes see in
> hotels but i can't find anything about that (any information welcome).

"captive portal" - there are several software tools that will do this...
eg http://en.wikipedia.org/wiki/Captive_portal

most people seem to be moving away from this method as it is riddled with
possible security compromises.

> After reading around, the best form of authentication i can see would be
> eap-ttls with pap as the inner protocol. I believe (from comments in the
> radiusd.conf file) that i wouldn't be able to use md5 with ldap. Now,
> i've set it up in a way that appears to be mostly right and i *can*
> authenticate with my username/password in ldap but doing a tcpdump on
> the radius server worries me. I can see my username passed in the clear
> in the packets so i'm concerned it's not using tls at all. I told the
> wireless client to use ttls so i can't understand what's going on.

PAP uses clear text (unencrypted) password authentication. Whilst
the EAP-TTLS traffic is encrypted (and the PAP lurks inside that encrypted
session), when you CAN see the PAP in the clear is when it's being sent
over to LDAP - so you need to make sure that that communication is
encrypted...either by making sure it's configured to use SSL for its
communication channel...or simply 'stunnel'ing the traffic.

> modules {
> 	ldap {
>                 server = "localhost"
> 		filter = "(uid=%u)"
>                  base_filter = "(objectclass=radiusprofile)"
> 		start_tls = no
                 ^^^^^^^^^^^^^^

this!

> 		dictionary_mapping = ${raddbdir}/ldap.attrmap
> 	}
> }
> 
> authorize {
> 		eap
> 		ldap
> }
>

alan 
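As an added example (not from the thread or the FreeRADIUS project), a small Python check that pulls the `ldap { }` stanza out of a FreeRADIUS 1.x `radiusd.conf` and reports the clear-text setting Alan points at, with the corrected stanza beside the weak one. The option names `start_tls`, `tls_cacertfile` and `tls_require_cert` are assumed to match the 1.x radiusd.conf template, the certificate path is a placeholder, and the sample configuration is constructed from the stanza quoted above.

```python
import re

# Constructed sample, modelled on the stanza quoted in the thread.
WEAK_CONF = """
modules {
    ldap {
        server = "localhost"
        filter = "(uid=%u)"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }
}
"""

# Corrected form of the same stanza: StartTLS on, and the replica's
# certificate verified against a CA file (path is a placeholder).
FIXED_CONF = WEAK_CONF.replace(
    "start_tls = no",
    'start_tls = yes\n        tls_cacertfile = /etc/raddb/certs/ldap-ca.pem\n'
    '        tls_require_cert = "demand"',
)

def ldap_settings(conf: str) -> dict:
    """Return key -> value for the first ldap { ... } block in conf."""
    m = re.search(r"^\s*ldap\s*\{(.*?)^\s*\}", conf, re.S | re.M)
    if not m:
        return {}
    settings = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()        # drop trailing comments
        kv = re.match(r"([\w\-]+)\s*=\s*(.+)", line)
        if kv:
            settings[kv.group(1)] = kv.group(2).strip().strip('"')
    return settings

def check_ldap_transport(conf: str) -> list:
    """Findings about how the inner PAP password travels from RADIUS to LDAP."""
    s = ldap_settings(conf)
    if not s:
        return ["no ldap {} stanza found"]
    findings = []
    if s.get("start_tls", "no").lower() != "yes":
        findings.append("start_tls is not 'yes': user password is sent to LDAP in clear text")
    elif s.get("tls_require_cert", "").lower() != "demand":
        findings.append("tls_require_cert is not 'demand': LDAP server certificate is not enforced")
    return findings
```

Run `check_ldap_transport` over the live radiusd.conf; an empty list means the LDAP leg is protected, and a tcpdump on port 389 should then show only the StartTLS handshake rather than the bind.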



More information about the Freeradius-Users mailing list