Yet another Freeradius+openldap eap-ttls pap issue

Thu Nov 28 16:13:24 CET 2013

Hello Alan thanks for the reply

I will try to recap how the whole process should perform -IMHO -.
There are two virtual servers:
-default
-inner-tunnel

the default should autenticate clients using the PAP method (for vpn 
remote access) and will be the responsible to the creation and 
maintenance of the TLS tunnel with the supplicant (for eap ttls pap).
In the TLS tunnel the supplicant will perform the PAP that will be 
authenticated by the inner-tunnel virtual server.

Since I'm using an openldap repository the PAP method is performed this 
way: the freeradius binds to the ldap server as admin(or any 
administrator user) and looks for the username and password of the 
supplicant and performs the password comparison (eventually using the 
hash method specified in the userPassword attribute). Is this correct? 
I've read online that there is the "oracle" mode to authenticate users 
against ldap. If I'm not wrong the oracle mode would still be fine for 
PAP even if it is a bit less powerful.

Both default and inner PAP authentication works great (and perform the 
same operations according to the debug).
Of course I've read the debug output from the previous test but I don't 
know where to look for the "guilty" line (since it's not a default 
config but someone else had worked a bit).

If the analysis it is correct I would expect that the eap module changes 
the Auth-Method but I can't see any ldap line in the eap.conf.

Thanks

Il 28/11/2013 14:58, Alan DeKok ha scritto:
> Work wrote:
>> I think I've successfullyconfigured freeradius for the pap
>> authentication with openldap since the radtest returns ok.
>    Read raddb/sites-available/inner-tunnel.  It describes how to test the
> *inner* portion of EAP.  You should test that before going to the full
> EAP tests.
>
>> is this ugly? My company does not want to add radiuschema to the users.
>    It's fine.
>
>> These are the configs:
>    We don't want the configs.  They're not helpful.
>
>> the debug from radius is:
>    Helpful.
>
>> [ldap] Added User-Password = {MD5}tQzXLan1f4v2iAMD/1t2Ig== in check items
>    Which seems OK.
>
>> Found Auth-Type = LDAP
>> +- entering group LDAP {...}
>>    [ldap] Attribute "User-Password" is required for authentication.
>>    You seem to have set "Auth-Type := LDAP" somewhere.
>>    THAT CONFIGURATION IS WRONG.  DELETE IT.
>>    YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
>    What part of that message is unclear?
>
>> Thank you :), hope I'm not missing somithing stupid, I've read a lot of
>> documentation here and there.
>    Reading the debug output helps.  Don't force "Auth-Type := ldap".  The
> default configuration does NOT do this.  So the only way it happens is
> if you changed the configuration to do this.
>
>    Delete that, and it will work.
>
>> ps. password on the LDAP are stored in hash form.
>    Which means you can only use EAP-TTLS / PAP.  All other EAP types will
>    *not* work.
>
>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html