FR + EAP-GTC + LDAP (SHA1)

Alan DeKok aland at deployingradius.com
Wed May 20 15:41:18 CEST 2015


On May 20, 2015, at 7:21 AM, gabriel_skupien <gabriel_skupien at o2.pl> wrote:
> The aim and assumptions:
> -configure FR to authenticate users against OpenLDAP server,
> -FR would use EAP method,
> -passwords in LDAP are stored as SHA1,
> -according to http://deployingradius.com/documents/protocols/compatibility.html the only way to deal with LDAP auth is to use PAP or EAP-GTC. Since client forces EAP method we have no choice than EAP-GTC. Is that correct?

  Yes.

> -clients are EAP-GTC capable,
> -FR v2.2.6.
> 
> After some hours in my lab I finished with the following FR config:
> 1) in eap.conf:
> -in eap general settings I set default_eap_type to "gtc"
> -in gtc section I put "auth_type = LDAP".

  That's probably not necessary.  Just use "auth_type = PAP".  And be sure to list "ldap" in the "authorize" section.

> 2) in sites-enabled/default:
> -authorize section - not touched,
> -authentication section - uncomment "Auth-Type LDAP { ldap }",
> 
> And it is working fine!

  You're usually better off letting the PAP module do the authentication.  But if it works, leave well enough alone.

> Now, the questions:
> a) I am afraid about your comments in gtc section. It stands that:
>                #  Currently, this is only permitted inside of EAP-TTLS,
>                #  or EAP-PEAP.  The module "challenges" the user with
>                #  text, and the response from the user is taken to be
>                #  the User-Password.
>                #
>                #  Proxying the tunneled EAP-GTC session is a bad idea,
>                #  the users password will go over the wire in plain-text,
>                #  for anyone to see.
> Can I use eap-gtc "alone" without PEAP/TTLS?

  Yes, but the passwords go over the network in the clear.

> Secure tunnel is delivered via IPsec connection so I do not bother about security in that case. What is your opinion?

  Can anyone ELSE on the network monitor the traffic in the IPSec connection?  If so, they will be able to see everyone else's traffic.

> b) How would you configure FR to meet mentioned above requirements?

  Use RADIUS over TLS.  But most clients don't support it.

  Alan DeKok.




More information about the Freeradius-Users mailing list