EAP-TTLS-PAP-LDAP

Phil Mayers p.mayers at imperial.ac.uk
Sat Jul 15 13:09:22 CEST 2006


Rohaizam Abu Bakar wrote:
> 
> Thanks Phil..  what a stupid move to paste all that passwd.. I've 
> changed it as soon as i get ur mail... thanks again...
> 
> cannot find any article related to repeating LDAP query for EAP...  pls 
> help..

You don't need to worry about the EAP. The EAP is working fine. It's the 
PAP request that lives inside the EAP that's failing.

> 
> I think the problem coz by RADIUS cannot figure out to set Auth-Type and 
> then it require plain passwd.. When I change password to plain. with the 
> same setting.. it's working...

It's definitely not that. Auth-Type is being set to Local, probably by 
the default entries in the "users" file, and the server is therefore 
trying to compare the passwords in the PAP requests with the ones from 
LDAP, which is correct. But as I said, your LDAP directory contains 
passwords of the form "{crypt}sombytes". This is breaking it. You have 
three choices:

  1. Upgrade the server to a version which can correctly deal with the 
"{type}" prefixes.

  2. Re-format the passwords, either in the LDAP directory or with an 
external script, so that the {type} is stripped and the value set in the 
Crypt-Password attribute. For example, in radiusd.conf:

modules {
   ldap {
     server = ...
     basedn = ...
     # do NOT copy the password attribute here, do it
     # in ldap.attrmap instead - see below for why
     # password_attribute

     # other config items
   }

   exec strip_password_header {
     wait = yes
     program = "/usr/local/bin/strip_password_header.sh"
     input_pairs = config
     output_pairs = config
   }
}

authorize {
   preprocess
   eap
   files
   Autz-Type ttls-inner-bit {
     ldap
     strip_password_header
   }
}

authenticate {
   eap
}

...and in users:

# Match the PAP "inside" bit of EAP-TTLS and set the Autz-Type so
# that we only run the ldap query and crypt password rewrite then
# Also set Auth-Type to Local so the radius server will check the
# passwords
DEFAULT	Client-IP-Address == 127.0.0.1, Autz-Type := ttls-inner-bit, Auth-Type := Local

...and in ldap.attrmap:

checkItem	Crypt-Password	userPassword

...and in /usr/local/bin/strip_password_header.sh:

#!/bin/sh
# Run by the exec module after the ldap query; the module exports the
# Crypt-Password config item as $CRYPT_PASSWORD, still carrying the
# "{crypt}" tag the directory stores it with.
stripped_pw=$(printf '%s\n' "$CRYPT_PASSWORD" | sed -e 's/^{crypt}//')
# Hand the bare hash back so the server can compare it with the PAP password
echo "Crypt-Password := \"$stripped_pw\""


Basically, what this does is:
    * do EAP
    * when the inner PAP request happens
      * fetch the "{crypt}foobar" from LDAP
      * rewrite it to "foobar" with a script
      * let the radius server compare the passwords

  3. Stop copying the password over at all, and authenticate the PAP bit 
with an LDAP simple bind to the directory. See the archives for many 
posts about "LDAP simple bind PAP"
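A more defensive variant of the strip script, added here as an example and not part of Phil's post: it handles the scheme tag case-insensitively, passes untagged (cleartext) values through as User-Password, escapes the value for the exec module's "Attr := \"value\"" format, and rejects schemes Crypt-Password cannot compare. Assumed: the exec module treats a non-zero exit as a failed request, and User-Password is the cleartext check attribute on this server version.

```sh
#!/bin/sh
# Example code (not from the original post): map an RFC 2307-style
# userPassword value ("{scheme}data") to the RADIUS check attribute the
# server can actually compare a PAP password against.

# Print the "Attr := \"value\"" pair for one userPassword value.
# Returns 0 on success, 1 for a scheme the server cannot compare.
ldap_password_to_pair() {
    value=$1
    # Lower-case the scheme tag only; the hash data itself is case-sensitive.
    scheme=$(printf '%s\n' "$value" | sed -n 's/^{\([^}]*\)}.*/\1/p' \
             | tr '[:upper:]' '[:lower:]')
    data=$(printf '%s\n' "$value" | sed 's/^{[^}]*}//')
    # Escape backslashes and double quotes so the pair parses correctly.
    esc=$(printf '%s\n' "$data" | sed 's/[\\"]/\\&/g')
    case "$scheme" in
        crypt)
            # Unix crypt(3) hash: strip the tag so Crypt-Password holds the bare hash.
            printf 'Crypt-Password := "%s"\n' "$esc" ;;
        ''|clear)
            # No tag (or {clear}): plain text. Assumption: the server compares
            # the PAP password against User-Password when no Crypt-Password is set.
            printf 'User-Password := "%s"\n' "$esc" ;;
        *)
            # {SSHA}, {MD5} etc. cannot be compared via Crypt-Password; exit
            # non-zero so the exec module fails the request instead of
            # emitting a value that would silently never match.
            printf 'unsupported userPassword scheme "%s"\n' "$scheme" >&2
            return 1 ;;
    esac
}

# When run from the exec module (wait = yes, input_pairs = config), the ldap
# module has already placed the raw directory value in $CRYPT_PASSWORD.
if [ -n "${CRYPT_PASSWORD:-}" ]; then
    ldap_password_to_pair "$CRYPT_PASSWORD"
fi
```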
