EAP-GTC w/ "PAP-like" LDAP authentication

Alan DeKok aland at deployingradius.com
Mon Jan 28 21:40:18 CET 2019


On Jan 28, 2019, at 2:52 PM, Ian Pilcher <arequipeno at gmail.com> wrote:
>> Alan DeKok aland at deployingradius.com Sun Jan 27 20:17:58 CET 2019
>> (a) Make sure PEAP works with certificates.
> 
> Done.  I've verified with tcpdump/Wireshark that the correct certificate
> is being used.

  Good.

>> (b) configure and enable LDAP.  See mods-available/ldap
> 
> Done.
> 
>> Once the LDAP module is available, the server will automatically use
>> it.
> 
> It's trying, but failing.
> 
> (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute

  That's a usual problem.  <sigh>  "security" means not allowing your security server to read the secure passwords.

>> And, the server will automatically grab passwords from LDAP.  And,
>> the server will automatically use those passwords to do EAP-GTC.
> 
> It will try, but it will fail, because it doesn't have permission to
> read passwords/hashes from LDAP.

  Yeah.

> I need to configure FreeRADIUS to bind *as the user* to LDAP.  If the
> bind succeeds then the authentication succeeds.

  That's what the "auth_type" setting is for on the EAP GTC module configuration.  Set it to something else, e.g. "ldap".  And then make sure that "ldap" is listed in the "authenticate" section of the inner-tunnel virtual server.

>> It also helps to describe what you've done, what happened, and why
>> you think it's wrong.  Otherwise, we're limited to:
>> Q: I tried stuff and it doesn't work.  What do I do? A: Try different
>> stuff
>> Which isn't helpful to anyone.  Better questions means better
>> answers.
> 
> Fair enough.  This seems like it would be such a common configuration
> that I would have thought that it would be documented somewhere.

  It is.  Especially if you post debug output showing *exactly* what went wrong.

  Alan DeKok.
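The configuration Alan describes, written out as an added example (it is not part of the original thread or the FreeRADIUS project's own documentation). It shows the FreeRADIUS 3.x fragments involved: the "gtc" sub-module in mods-available/eap pointed at the "ldap" module, and the stock "Auth-Type LDAP" stanza in the inner-tunnel virtual server enabled, so that the tunnelled GTC password is checked by binding to LDAP as the user rather than by reading a password attribute the server has no rights to. The LDAP server name, base DN, admin DN and password below are placeholders; the filter is the stock default.

```conf
# Added example, not from the original post.  Server, DNs and password
# are placeholders; adjust to your directory.

# --- mods-available/eap ---------------------------------------------------
eap {
    default_eap_type = peap
    # (tls-config, tls-common, etc. left as stock)

    gtc {
        # Stock value is PAP: the server compares the GTC response with a
        # "known good" password it fetched from LDAP itself.  That needs
        # read access to the password attribute, which is denied here.
        # auth_type = PAP

        # Hand the inner request to the ldap module instead.  rlm_eap_gtc
        # puts the GTC response into User-Password and sets Auth-Type to
        # this value; "ldap" is valid because the module is listed in the
        # authenticate section of inner-tunnel below.
        auth_type = ldap
    }

    peap {
        tls = tls-common
        # Offer GTC as the inner method.  Stock is mschapv2; a client may
        # still NAK and request a different inner type it supports.
        default_eap_type = gtc
        virtual_server = "inner-tunnel"
    }
}

# --- mods-available/ldap (relevant parts only) ----------------------------
ldap {
    server   = 'ldap.example.org'                       # placeholder
    identity = 'cn=radius,ou=services,dc=example,dc=org' # placeholder: used for searches only
    password = 'changeme'                                # placeholder
    base_dn  = 'dc=example,dc=org'                       # placeholder

    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    # Deliberately no "update" mapping of userPassword -> control:
    # The search account cannot read it, so nothing is added.  This is
    # why authorize logs "No known good password added"; with bind-as-user
    # authentication that WARNING is expected and harmless.
}

# --- sites-available/inner-tunnel ------------------------------------------
server inner-tunnel {
    authorize {
        # (stock entries before this point unchanged)

        # Looks the user up and records the DN (LDAP-UserDn) that the
        # later bind will use.  Leading "-" = ignore if module not loaded.
        -ldap

        eap {
            ok = return
        }

        # (remaining stock entries unchanged)
    }

    authenticate {
        Auth-Type PAP {
            pap
        }

        # The stock file ships this stanza commented out.  Uncommenting it
        # makes rlm_ldap bind with LDAP-UserDn and the cleartext
        # User-Password from the GTC response; a successful bind is an
        # Access-Accept for the inner request.
        Auth-Type LDAP {
            ldap
        }

        eap
    }
}
```

Run `radiusd -X` after the change and drive a test authentication: in the debug output the inner-tunnel request should now carry Auth-Type LDAP and end in an Access-Accept after the ldap module binds. A bind-as-user design only works because GTC delivers the password in cleartext inside the TLS tunnel; MSCHAPv2 as the inner method cannot be checked this way, since the server never sees the password.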