EAP-TTLS/PAP -> LDAP for WPA2

John Allman allmanj at cp.dias.ie
Thu Jul 6 18:51:48 CEST 2006 

Stefan Winter wrote:
> You need to differentiate two parts of the link: a) the data that is passed 
> between the client device and the RADIUS server and b) the backend 
> communication between RADIUS server and LDAP.
> 
> a) is encrypted when using EAP-TTLS
> b) may or may not be encrypted, depending on your settings in the RADIUS 
> server.
> 

Hi Stefan,

Thanks for the quick reply. a) is my concern, b) is not an issue. As i
said in the original mail (or at least i meant to!) there is a replica
of our ldap server running on the same machine as our freeradius server.
It binds to the loopback device only and as such there's no real point
in encrypting traffic.

>> Originally i had hoped to use some sort of
>> web-redirect-to-an-authentication-page system like you sometimes see in
>> hotels but i can't find anything about that (any information welcome).
> 
> Try googling for "captive portal".
> 

Thanks - just didn't know the name of it!

>> After reading around, the best form of authentication i can see would be
>> eap-ttls with pap as the inner protocol. I believe (from comments in the
>> radiusd.conf file) that i wouldn't be able to use md5 with ldap. Now,
> 
> There is a chance that you could, but using MD5 kindof sucks. And it might be 
> non-trivial to set up.
> 

As i understand it, if ttls is working correctly, it should adequately
protect my username/password no matter what inner protocol i use. So,
PAP should be fine, right?

>> i've set it up in a way that appears to be mostly right and i *can*
>> authenticate with my username/password in ldap but doing a tcpdump on
>> the radius server worries me.
> 
> You should see lots of RADIUS packets going between your server and the client 
> (switch/access point) with encrypted payload in the attribute "EAP-Message". 
> 

Ah.It would seem my original tcpdump trunkated the packets so i was
missing some of the attributes. By setting -s 0, i now get the full
RADIUS packets.

The EAP-Message doesn't appear to be encrypted on the initial packet
from the ap to the server. Inside i see Type and Identity (containing my
username. The username is also in the User-Name attribute)

After that, all the EAP-Message packets have Type EAP-TTLS [Funk], which
i suppose is pretty funky from ethereal's point of view. But it's good
news to me. I can look at the SSL fields and it appears that everything
is good.

So i'm feeling much happier. But i'm *not* happy with the fact that my
username is going in the clear. Is there anything i can do about this?
This potentially gives an attacker information he can use to try and
brute force or even just passively get a list of users...

>> On the server in /var/log/radiusd.log i see the following:
>>
>> Wed Jul  5 16:10:32 2006 : Error:     TLS_accept:error in SSLv3 read
>> client certificate A
>> Wed Jul  5 16:10:32 2006 : Error: rlm_eap: SSL error
>> error:00000000:lib(0):func(0):reason(0)
>> Wed Jul  5 16:10:32 2006 : Error: rlm_eap: SSL error
>> error:00000000:lib(0):func(0):reason(0)
> 
> Which is completely normal. It means that the *client* is not sending a 
> certificate. TTLS makes him send username and password instead of a 
> certificate, so nothing to see here. Please move along.
> 

Excellent - good news.


> Good boy. And it seems like everything worked out beautifully. Now secure your 
> backend communication with TLS as well if you are really concerned about 
> that, and you're done.
> 

As i say, not an issue. No encrypted packets on the network between the
radius server and the ldap server as they're on the same host,
communicating over the loopback interface

>> I am a little lost and don't know what is best practice. Any advice
>> would be appreciated. I've tried googling but haven't found a good guide
>> that matches our setup.I can, of course, give more information if needed.
> 
> Really? WPA2 is quite a wide-spread scenario. And using LDAP as backend is 
> quite common as well.
> 

But (imho) all the write-ups dont really explain what's going on.
Myself, i don't understand what the authorize section and authenticate
sections are supposed to do. Could somebody talk to the radius server
directly without encryption using my settings? Can i specify what kinds
of authentication i'll accept from users compared to the types of
backend authentication i can do? I just find it hard to get my head
around it...

Thanks!

John

More information about the Freeradius-Users mailing list