EAP-TTLS Not working

Matthew Newton mcn4 at leicester.ac.uk
Fri Sep 2 15:19:11 CEST 2016


On Fri, Sep 02, 2016 at 02:49:31PM +0200, Matthew Pulis wrote:
> I am trying to get EAP-TTLS working but to no avail. I am using Android
> tablet to test this WiFi connection. These are the settings: EAP method:
> TTLS. Phase 2 authentication: None. CA certificate (unspecified). Identity:
> mpulis. Anonymous identity: <BLANK> and Password: openldap.

You need to set the Phase 2 auth, as has already been said.

> The user if tested using radtest works fine as per below:
> 
> radius at radius:~$ radtest mpulis openldap localhost 1812 testing456
> Sent Access-Request Id 95 from 0.0.0.0:39322 to 127.0.0.1:1812 length 76
>         User-Name = "mpulis"
...
> Received Access-Accept Id 95 from 127.0.0.1:1812 to 0.0.0.0:0 length 36

This is not using EAP.

> (1) ldap: User object found at DN
> "cn=mpulis,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (1) ldap: Processing user attributes
> (1) ldap: control:Password-With-Header +=
> '{ssha}VlINJtlRL+9CuOK5itOeTIvRfwKRSNj9xllpiQ=='
> rlm_ldap (ldap): Released connection (0)
...
> (1) pap: Converted: Password-With-Header -> SSHA1-Password
> (1) pap: Removing &control:Password-With-Header
> (1) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28
> bytes

The password you get from LDAP is hashed with ssha. That means the
only option you can use for the Phase2 auth is "PAP".

You'll need to move "ldap" from the outer (sites-enabled/default)
to the inner (sites-enabled/inner-tunnel) as well.

Matthew

-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
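Why an SSHA-hashed LDAP password pins the Phase 2 method to PAP, as an added Python example (not code from the thread or from FreeRADIUS): PAP delivers the cleartext inside the TTLS tunnel, so the server can re-hash it with the stored salt and compare, whereas MS-CHAPv2 needs the cleartext or an NT hash, which a one-way salted SHA-1 cannot supply. The Password-With-Header value from the debug output is reused only to show the 40-character to 28-byte normalization step; the {clear}/{cleartext} header names are assumed to be the ones rlm_pap accepts, and the test credential/salt are constructed.

```python
import base64
import hashlib
import hmac
from typing import List, Tuple

# Value copied from the thread's rlm_ldap debug output (user mpulis).
THREAD_SSHA = "{ssha}VlINJtlRL+9CuOK5itOeTIvRfwKRSNj9xllpiQ=="


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {ssha} value: base64(sha1(pw + salt) + salt).
    Used here only to construct test data."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{ssha}" + base64.b64encode(digest + salt).decode("ascii")


def normalize_ssha(header_value: str) -> Tuple[bytes, bytes]:
    """Split a Password-With-Header {ssha} value into (digest, salt).
    This is the "40 bytes -> 28 bytes" step rlm_pap logs: a 20-byte SHA-1
    digest followed by the salt (8 bytes in the thread's value)."""
    scheme, _, b64 = header_value.partition("}")
    if scheme.lower() != "{ssha":
        raise ValueError("not an {ssha} value: %r" % header_value)
    raw = base64.b64decode(b64)
    if len(raw) < 20:
        raise ValueError("SSHA blob shorter than a SHA-1 digest")
    return raw[:20], raw[20:]


def pap_check(header_value: str, cleartext: str) -> bool:
    """PAP inside the TTLS tunnel: the server receives the cleartext,
    re-hashes it with the stored salt and compares against the digest."""
    digest, salt = normalize_ssha(header_value)
    candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def phase2_methods_for(header_value: str) -> List[str]:
    """Inner methods a stored credential can support. MS-CHAPv2 needs the
    cleartext (to derive the NT hash), so it cannot be checked against a
    one-way salted SHA-1; for {ssha} and other one-way hashes PAP is the
    only option, which is the point made in the reply above."""
    scheme = header_value.partition("}")[0].lower()
    if scheme in ("{clear", "{cleartext"):  # assumed rlm_pap header names
        return ["PAP", "CHAP", "MSCHAPv2"]
    return ["PAP"]
```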
