802.1x, EAP and LDAP

Mike Richardson doctor at mcc.ac.uk
Mon Mar 3 19:46:59 CET 2008


On Mon, Mar 03, 2008 at 05:23:44PM +0100, Alan DeKok wrote:
> Mike Richardson wrote:
> > I'd read that radtest didn't do EAP so I installed Xsupplicant and was using
> > that for tests. That seems to be a more realistic approach. If you think that
> > I can fix the problem by not attempting EAP and using radtest then that is
> > exactly what I shall do. 
> 
>   Yes.  The problem has nothing to do with EAP.
> 
> >>> rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
> >>   You were told to go fix this.  Do it.  Now
> > 
> > I DID. I didn't think that posting the new radius config would be of use but
> > the section in authenticate is DEFINITELY there and uncommented. Why this
> > message is appearing in the output is a mystery to me.
> 
>   How much of the default configuration file did you edit?  Start with
> the *default* configuration, and make small changes from there.

I've been making changes for 8 hours a day for over a week so it might
differ from the original. However I have been back to the defaults twice. As of
tomorrow I'll reinstall and try it again. From what you're saying I believe
I need to put in the LDAP config for our eDirectory and uncomment any LDAP
authorisation/authentication entries. Anything else? 

Then I can use radtest to test the authentication? 

How does the config know to use PAP rather than CHAP/MSCHAP? 

>   The default configuration *works*.
> 
>   If you've been trying to get this working for a long time, then either
> there's a major bug in the version you're using, *or*, you're not
> editing && testing the configuration in a systematic way.

Freeradius 1.1.7 on debian etch. 

I've been through every config guide I can find on the net, several times.
Admittedly at the start I'd only used Radiator so the Freeradius config was
quite different. 

It's only today though that I found a site which explained the limitations
of the PAP/CHAP/MSCHAP with respect to password encryptions. Most guides
assume MSCHAP, for use with PEAP, and most use flat file user
authentication. Not many touch on LDAP and only Novell have eDirectory based
documentation.

> > I'm reading everything and following all the instructions to the letter.
> > Please don't take that sort of attitude. I've explained that I'm not so I'd
> > appreciate it if you'd do the same.
> 
>   My amazement is that it appears to be so hard to get this working.
> Honestly, the default configuration works in the widest possible set of
> circumstances.  I can't tell you how many people just installed the
> server, un-commented the ldap config, pointed it to their local ldap
> server, tested with "radtest", and saw that it worked.

That's what I keep reading and trying but so far nothing. I have set up an
OpenLDAP server but so far I've got the same error messages as with
eDirectory. 

>   It really *is* that easy.  Try it.  If it doesn't work for you, then
> there's something major going wrong.
> 
>   *That's* why configurations are tested in pieces.  If plain PAP
> doesn't work when going to LDAP, then it's a complete and total waste of
> your time to install and configure an 802.1x supplicant.

eDirectory was the only piece I have no control over (managed elsewhere) so I
started with Supplicant->RADIUS->files and got that working then attempted
to add LDAP. It seemed to make sense at the time given the plethora of
documentation to help with this and little for RADIUS->LDAP. In hindsight it
was the wrong order but wisdom is not always learned linearly.

I hope that it all works and I won't need to come back other than to thank
you.

Mike

-- 
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*
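The point Mike says he only found today, that the password scheme stored in the directory limits which RADIUS authentication methods can be checked against it, is the crux of the thread. An Access-Request carrying User-Password is PAP: the server receives the cleartext, so it can re-hash it with whatever scheme the directory uses ({SSHA}, {MD5}, crypt, ...) and compare. CHAP (and MS-CHAP) instead send a challenge/response, which the server can only recompute if it has the cleartext (or, for MS-CHAP, the NT hash) on its side; a hash-only LDAP entry cannot satisfy that. The following is an added example, not code from the original post or from FreeRADIUS, that makes this concrete with a constructed in-memory directory standing in for eDirectory/OpenLDAP. The `{clear}` scheme tag and the user entries are assumptions of the example; the {SSHA} layout and the CHAP response formula follow OpenLDAP and RFC 1994 respectively.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for an LDAP directory: user -> userPassword value,
# using OpenLDAP-style scheme prefixes. "{SSHA}" is salted SHA-1;
# "{clear}" marks a cleartext value (tag assumed for this example).
DIRECTORY = {}


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


# Fixed salt so the entry is reproducible; a real directory picks a random one.
DIRECTORY["alice"] = make_ssha(b"alicepass", salt=b"\x01\x02\x03\x04")
DIRECTORY["bob"] = "{clear}bobpass"


def verify_ssha(stored: str, candidate: bytes) -> bool:
    """Server-side check of a cleartext candidate against an {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def cleartext_of(stored: str) -> Optional[bytes]:
    """Return the cleartext password if the directory stores one, else None."""
    if stored.startswith("{clear}"):
        return stored[len("{clear}"):].encode()
    return None


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(id || secret || challenge). The secret is the cleartext password."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def authenticate_pap(user: str, password: bytes) -> str:
    """PAP: the request carries the cleartext, so any stored scheme can be verified."""
    stored = DIRECTORY.get(user)
    if stored is None:
        return "Access-Reject"
    if stored.startswith("{SSHA}"):
        ok = verify_ssha(stored, password)
    else:
        clear = cleartext_of(stored)
        ok = clear is not None and hmac.compare_digest(clear, password)
    return "Access-Accept" if ok else "Access-Reject"


def authenticate_chap(user: str, chap_id: int, challenge: bytes, response: bytes) -> str:
    """CHAP: the server must recompute the response, which needs the cleartext password."""
    stored = DIRECTORY.get(user)
    if stored is None:
        return "Access-Reject"
    clear = cleartext_of(stored)
    if clear is None:
        # Hash-only entry: MD5(id || password || challenge) cannot be recomputed from a hash.
        return "Access-Reject (no cleartext password available for CHAP)"
    expected = chap_response(chap_id, clear, challenge)
    return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"


def usable_methods(user: str) -> set:
    """Which of PAP/CHAP the server could verify for this entry, given how the password is stored."""
    stored = DIRECTORY.get(user)
    if stored is None:
        return set()
    methods = {"PAP"}  # PAP ships the cleartext, so any hash scheme can be checked server-side
    if cleartext_of(stored) is not None:
        methods.add("CHAP")  # challenge/response schemes need the cleartext on the server
    return methods


if __name__ == "__main__":
    challenge = b"\xaa" * 16  # constructed CHAP challenge
    print("alice PAP :", authenticate_pap("alice", b"alicepass"))
    print("alice CHAP:", authenticate_chap("alice", 1, challenge, chap_response(1, b"alicepass", challenge)))
    print("bob  CHAP :", authenticate_chap("bob", 1, challenge, chap_response(1, b"bobpass", challenge)))
    print("methods   :", usable_methods("alice"), usable_methods("bob"))
```

This is why the advice in the thread is to prove PAP against LDAP with radtest first: if the directory only holds hashes, PAP is the one method that can ever succeed against it, and a CHAP or MS-CHAP failure (and by extension a PEAP/MS-CHAPv2 failure via the supplicant) tells you nothing about whether the LDAP lookup itself works. MS-CHAP is not modelled here; it needs the NT hash (MD4 over the UTF-16LE password) or the cleartext on the server, so the same limitation applies.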
