Wi-Fi and LDAP password auth

Matthias Saou thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net
Wed Oct 29 17:55:28 CET 2008


tnt at kalik.net wrote :

> >My requirements :
> > * Be able to have many different types of clients supported (Windows
> >XP, GNU/Linux wpa_supplicant/NM, mobile devices etc.).
> > * Not to have to bother about a local CA or any type of PKI (i.e. not
> >generate certificates for all users, just have them use their
> >login/pass).
> >
> 
> PEAP should be the protocol most clients will use.
> 
> >Should I go with EAP-PEAP? Is that the "PEAPv0/EAP-MSCHAPv2" from the
> >wiki?
> 
> Yes.

Then I'm still completely lost. I've spent the whole day trying to get
my mobile phone to connect to the Wi-Fi using EAP-TLS and EAP-PEAP with
MSCHAPv2 in the PEAP configuration part. The radiusd debug output isn't
really clear to me, and I'm still not sure where my problem is :

 * Is my Wi-Fi AP working okay? I guess since it's meant to be "dumb"...
 * Is my mobile phone configured okay? I don't know.
 * Is my radiusd configured okay? I don't know.
 * Is my LDAP client access configured okay? I don't know.
 * Are my SSL certificates configured okay? I don't know.
 * Am I even trying the right EAP modules/combination/auth? I don't know.

Pretty tough, eh? :-)

I'll be digging some more, but I do have three quick questions :

1) The only output I manage to get related to TLS is the following. Is
it normal or does it denote an error?

[tls] Initiate
[tls] Start returned 1

2) I keep getting this warning about LDAP passwords, but it seems like
radiusd did manage to get the two useful hashes. Should I worry, or is
the message harmless?

[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x394133304 [...]
rlm_ldap: sambaLmPassword -> LM-Password == 0x433042322 [...]
[ldap] looking for reply items in directory... WARNING: No "known good"
password was found in LDAP.  Are you sure that the user is configured
correctly?
[ldap] user matthias authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok

3) What is it I should be configuring exactly on my mobile phone?
Are EAP-TLS and EAP-PEAP with EAP-MSCHAPv2 something that should be
working or am I on the wrong track?

Matthias

-- 
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora release 9 (Sulphur) - Linux kernel 2.6.26.5-45.fc9.x86_64
Load : 0.19 0.14 0.14



More information about the Freeradius-Users mailing list