Radius Testing. EAP-TTLS, (GTC - PAP) SSHA Password

Mitch Sullivan mitch.sullivan at swarm64.com
Wed Mar 28 14:25:26 CEST 2018


Oh also.

For OS X and iOS clients, they seem to be able to download the certificate directly from the server. However, for Linux / Android and Windows clients it doesn't seem to do so. Does this mean the best practice is to issue the self-generated certificate to clients manually?

Mitch.

________________________________
From: Mitch Sullivan
Sent: Wednesday, March 28, 2018 2:19:27 PM
To: FreeRadius users mailing list
Subject: Re: Radius Testing. EAP-TTLS, (GTC - PAP) SSHA Password


Thanks Allan. I'm such a goose.
It's working now.

The self-signed certificates will work for all common clients, e.g. Windows 10 and Android phones? I guess I'll find out as I test. Everything works fine for Apple devices.

Is this my best possible outcome, or is there a better / more secure recommendation?

________________________________
From: Freeradius-Users <freeradius-users-bounces+mitch.sullivan=swarm64.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Wednesday, March 28, 2018 1:53:35 PM
To: FreeRadius users mailing list
Subject: Re: Radius Testing. EAP-TTLS, (GTC - PAP) SSHA Password

On Mar 28, 2018, at 7:34 AM, Mitch Sullivan <mitch.sullivan at swarm64.com> wrote:
> I've been rolling out an instance of freeradius in our environment. The documentation has been terrific and this mailing list also very helpful.

  That's good to hear.

> I'm trying to use EAP-TTLS for authentication. I can bind to our IPA server without issue. I made a testing environment and was able to get accept packets without issue. However, while trying to test self-signed certificates in our live environment I encounter an issue with what looks like problems with hashed passwords. (I think IPA uses salted MD5 hash passwords by default, but our environment uses SSHA1 passwords due to a migration from OpenLDAP).

  FreeRADIUS can handle any common password hashing mechanism.

> My implementation steps are.
>
> Install freeradius and freeradius ldap
>
> remove testing certs and generate self signed certs
>
> edit ldap module to bind to our IPA
>
> edit EAP module to set type to TTLS, input certificate info, and set TTLS tunnel type to GTC
>
> add Wifi AP to clients.conf

  That's good...

> Below is the output from debug mode. I've blanked out any company information for security purposes.
> ...
> (6) server inner-tunnel {
> ...
> rlm_ldap (ldap): Reserved connection (0)
> (6) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (6) ldap:    --> (uid=PRIVATE)
> (6) ldap: Performing search in "PRIVATE" with filter "(PRIVATE)", scope "sub"
> (6) ldap: Waiting for search result...
> (6) ldap: User object found at DN "uid=(PRIVATE)"
> (6) ldap: Processing user attributes
> (6) ldap: control:Password-With-Header += '{SSHA}h5MDNNZSAO+XIU+/xk/oLfupxBPpbBMjLs7WXA=='

  That's good.

> (6) eap_gtc: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (6) eap_gtc:   Auth-Type PAP {
> (6) pap: Login attempt with password
> (6) pap: Comparing with "known-good" SSHA-Password
> (6) pap: ERROR: SSHA digest does not match "known good" digest
> (6) pap: Passwords don't match

  And that's the problem.

  The client has entered the wrong password.

  Use the right password and it will work.

  Alan DeKok.
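As an added example, not code from this thread or from FreeRADIUS itself: the comparison rlm_pap reports above ("Comparing with 'known-good' SSHA-Password") reimplemented in Python, so a candidate password can be checked offline against the exact `{SSHA}` string the ldap module returned, before blaming the client or the certificates. An `{SSHA}` value is base64(SHA-1(password || salt) || salt); the string in the debug output decodes to 28 bytes, a 20-byte digest followed by an 8-byte salt. The function names and the sample password are assumptions made for the example.

```python
"""Offline check of an RFC 2307 {SSHA} value, the same comparison rlm_pap does."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

DIGEST_LEN = 20  # SHA-1 digest length; whatever follows it in the decoded blob is the salt
PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build {SSHA}base64(SHA1(password || salt) || salt).

    A random 8-byte salt is used (same salt length as the value in the debug
    output above); a fixed salt may be passed to get a reproducible value.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from an {SSHA} string; ValueError if malformed."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    # binascii.Error raised on bad base64 is a subclass of ValueError
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(raw) < DIGEST_LEN:
        raise ValueError("decoded value shorter than a SHA-1 digest")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """True if password matches the stored {SSHA} value, False otherwise.

    Malformed stored values fail closed. The comparison is constant-time,
    although here the digest is the public half, not the secret.
    """
    try:
        digest, salt = ssha_split(stored)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample (hypothetical password): hash it the way the
    # directory would, then check a right and a wrong guess against it.
    stored = ssha_hash("s3cret")
    print(stored)
    print("right password:", ssha_verify("s3cret", stored))  # True
    print("wrong password:", ssha_verify("s3cre7", stored))  # False
```

To reproduce the thread's situation, paste the full `{SSHA}...` string from the `control:Password-With-Header` line into `ssha_verify` together with the password the client was typing: a `False` here means the directory value and the typed password really do disagree, independent of RADIUS. This check is only possible because GTC carries the cleartext password inside the TTLS tunnel (hence `Auth-Type PAP` in the log); an MSCHAPv2 inner method could not be verified against a salted SHA-1 hash at all.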


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

