trying to get PAP-inside-TTLS working for PAM

Fri Jan 29 00:53:05 CET 2016

I am running freeradius-2.1.12. According to the last post of the following
thread -
http://lists.freeradius.org/pipermail/freeradius-users/2013-February/064927.html
- it is possible to get radius to authenticate against PAM by configuring
it to use PAP inside of TTLS. The first and final posts of that thread
provide the configuration that the poster used to get it working.

In /etc/freeradius/users, I have DEFAULT Auth-Type := PAM

In /etc/pam.d/radiusd, I have the following:

##
auth requisite
/lib/arm-linux-gnueabihf/security/pam_google_authenticator.so
secret=/home/${USER}/.google_authenticator nullok forward_pass

auth sufficient pam_ldap.so use_first_pass

auth required pam_unix.so use_first_pass

##

In /etc/pam.d/sshd, I have the following lines immediately before the usual
@include common-auth line:

auth sufficient pam_radius_auth.so
#

Additionally, I have mimick'ed the configuration given in the
aforementioned thread - the the eap.conf changes, and sites-enabled
changes.

This configuration works perfectly for ssh clients. It works for both ldap
users and local unix users who ssh in from another linux box. I can see in
/var/log/auth.log and the radius debug log that the user's verfication code
is being checked and that their password is being checked against ldap.

But this setup is not working for network devices such as iPad, that are
connecting to a wireless access point, and trying to login with an ldap
user. Said network devices do work but only for users explicitly given in
the /etc/freeradius/users file with a plaintext password attribute. The
wireless device is configured to use PAP inside TTLS, as per instructions
here:
http://cloudessa.com/tips-and-tricks/how-to-setup-eap-ttls-with-inner-pap-on-ios-devices/

Freeradius debug log:

       EAP-Message = 0x0201000a017465737432
        Message-Authenticator = 0xe3e9b79324821a27d40811ef6a24de9a
Fri Jan 22 23:43:36 2016 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Jan 22 23:43:36 2016 : Info: +- entering group authorize {...}
Fri Jan 22 23:43:36 2016 : Info: ++[preprocess] returns ok
Fri Jan 22 23:43:36 2016 : Info: ++[chap] returns noop
Fri Jan 22 23:43:36 2016 : Info: ++[mschap] returns noop
Fri Jan 22 23:43:36 2016 : Info: ++[digest] returns noop
Fri Jan 22 23:43:36 2016 : Info: [suffix] No '@' in User-Name = "test2",
looking up realm NULL
Fri Jan 22 23:43:36 2016 : Info: [suffix] No such realm "NULL"
Fri Jan 22 23:43:36 2016 : Info: ++[suffix] returns noop
Fri Jan 22 23:43:36 2016 : Info: [eap] EAP packet type response id 1 length
10
Fri Jan 22 23:43:36 2016 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Jan 22 23:43:36 2016 : Info: ++[eap] returns updated
Fri Jan 22 23:43:36 2016 : Info: [files] users: Matched entry DEFAULT at
line 216
Fri Jan 22 23:43:36 2016 : Info: ++[files] returns ok
Fri Jan 22 23:43:36 2016 : Info: ++[expiration] returns noop
Fri Jan 22 23:43:36 2016 : Info: ++[logintime] returns noop
Fri Jan 22 23:43:36 2016 : Info: [pap] WARNING! No "known good" password
found for the user.  Authentication may
 fail because of this.
Fri Jan 22 23:43:36 2016 : Info: ++[pap] returns noop
Fri Jan 22 23:43:36 2016 : Info: Found Auth-Type = PAM
Fri Jan 22 23:43:36 2016 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Jan 22 23:43:36 2016 : Info: +- entering group authenticate {...}
Fri Jan 22 23:43:36 2016 : Auth: rlm_pam: Attribute "User-Password" is
required for authentication.
Fri Jan 22 23:43:36 2016 : Info: ++[pam] returns invalid
Fri Jan 22 23:43:36 2016 : Info: Failed to authenticate the user.
Fri Jan 22 23:43:36 2016 : Info: Using Post-Auth-Type Reject
Fri Jan 22 23:43:36 2016 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Jan 22 23:43:36 2016 : Info: +- entering group REJECT {...}

- Michael Martinez

-- 
---