Wi-Fi and LDAP password auth

tnt at kalik.net tnt at kalik.net
Wed Oct 29 21:09:15 CET 2008


>> > * Not to have to bother about a local CA or any type of PKI (i.e. not
>> >generate certificates for all users, just have them use their
>> >login/pass).

But if you are using a self-signed CA you need to import that CA to the
user device. For Windows into Trusted Root Certificate store. You don't
need client certificates and PKI but you need the CA.

> * Is my Wi-Fi AP working okay? I guess since it's meant to be "dumb"...

Yes, they are meant to be dumb.

> * Is my mobile phone configured okay? I don't know.

No idea.

> * Is my radiusd configured okay? I don't know.

Yes.

> * Is my LDAP client access configured okay? I don't know.

Yes.

> * Are my SSL certificates configured okay? I don't know.

Yes.

> * Am I even trying the right EAP modules/combination/auth? I don't know.

Yes.


>1) The only output I manage to get related to TLS is the following, is
>it normal or does it denote an error?
>
>[tls] Initiate
>[tls] Start returned 1
>

See above about importing CA certificate. I have no idea if you can set a
mobile device to "trust all server certificates". It's a bad idea in
general but it can help with testing (you don't need to import CA then
but users are vulnerable to rogue radius servers and APs).

>2) I keep getting this warning about LDAP passwords, but it seems like
>radiusd did manage to get the two useful hashes, should I worry or is
>the message harmless?
>
>[ldap] looking for check items in directory...
>rlm_ldap: sambaNtPassword -> NT-Password == 0x394133304 [...]
>rlm_ldap: sambaLmPassword -> LM-Password == 0x433042322 [...]
>[ldap] looking for reply items in directory... WARNING: No "known good"
>password was found in LDAP.  Are you sure that the user is configured
>correctly?
>[ldap] user matthias authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>++[ldap] returns ok
>

That's normal. You don't have "good" (cleartext) but NT-Password.

>3) What is it I should be configuring exactly on my mobile phone?
>Is EAP-TLS and EAP-PEAP with EAP-MSCHAPv2 something that should be
>working or am I on the wrong track?
>

EAP-TLS requires a client certificate. Stick with PEAP.

Ivan Kalik
Kalik Informatika ISP