Working With EAP-TTLS, and LDAP

Nate . nate2077developer at gmail.com
Tue Mar 26 14:09:45 CET 2019


I think I understand it better now. I've made those changes, and connecting
an Android phone with the required security preferences is working! Now I'm
struggling to get an Apple desktop to let me choose what protocols to use,
so I'm working on figuring out why that is now. I've already been contacted
one on one by 8 other people asking for this exact same setup: a
Mac/Windows/Android environment, with FreeRADIUS using LDAP to authenticate
via Google's Applet.

I'll update you on what I find.

Thank you for the help,


On Fri, Mar 22, 2019 at 4:57 PM Alan Buxey <alan.buxey at gmail.com> wrote:

> hi,
>
> > Alan, I'm not quite following you. So you are saying everything should be
> > working or are you re-iterating what Matthew said?
>
> no. it's not working - as you know - and yes, you need to follow my
> advice and Matthew's.
>
> look at your default server - the ldap parts in the authenticate and
> authorize sections. they work for non-EAP (the radtest) - so make a
> similar config in the inner-tunnel (which is what's used for EAP)
>
> Auth-Type only belongs in certain places... you cannot just stick it around.
>
> as Alan says, there is a way to test the inner-tunnel policy directly
> without involving EAP (for some types of things and configs) - use its
> local listener.... the high port configured/available to it (18120 or such)
>
> alan
>
> On Fri, 22 Mar 2019 at 19:35, Nate . <nate2077developer at gmail.com> wrote:
> >
> > Alan, I'm not quite following you. So you are saying everything should be
> > working or are you re-iterating what Matthew said?
> >
> > Matthew, I've added a section to sites-enabled/inner-tunnel. Here's the
> > new log. Should I be adding the update control?
> > server inner-tunnel {
> >     authenticate {
> >         Auth-Type LDAP {
> >             if ((ok || updated) && User-Password) {
> >                 update {
> >                     control:Auth-Type := ldap
> >                 }
> >             }
> >         }
> >     }
> > }
> >
> > Somewhere I remember being instructed that I was supposed to comment out
> > the following in that section...
> > #       Auth-Type LDAP {
> > #               ldap
> > #       }
> >
> >
> >
> > On Fri, Mar 22, 2019 at 2:33 PM Alan Buxey <alan.buxey at gmail.com> wrote:
> >
> > > hi,
> > >
> > > okay - so you aren't looking the password up with LDAP (hence the "no
> > > known password" thing) but you are binding to the LDAP
> > > to check credentials are okay. fine.
> > >
> > > so, assuming that the user and password are the same, one thing that
> > > looks possible is that you don't have the Auth-Type of LDAP
> > > enabled in your inner-tunnel virtual server (that's the bit that deals
> > > with the EAP side of the process with your setup) - you have a
> > > call to ldap enabled in the Authenticate part.... but not the other
> > > half... the Authorization.  your LDAP config is sane - as it works with
> > > the radtest method.... so that should be it.
> > >
> > > alan
> > >
> > > On Fri, 22 Mar 2019 at 18:14, Nate . <nate2077developer at gmail.com> wrote:
> > > >
> > > > I thought I had attached them, I'm sorry... I'm running through the test
> > > > again, and this time I'll make it super clear which tests are which too.
> > > >
> > > > Please don't yell at me, I'm doing my best and it's an extremely stressful
> > > > time for me. And please understand, I appreciate your help with everything.
> > > > I've double checked. I have attached the startup part of the logs, and
> > > > separated the two tests. The freeradius_radtest is using the following
> > > > command:
> > > >
> > > > freeradius:~$ radtest -t pap ldap_user ldap_pass 127.0.0.1 0 testing123
> > > > Sent Access-Request Id 10 from 0.0.0.0:53177 to 127.0.0.1:1812 length 76
> > > >     User-Name = "ldap_user"
> > > >     User-Password = "ldap_pass"
> > > >     NAS-IP-Address = 192.168.16.111
> > > >     NAS-Port = 0
> > > >     Message-Authenticator = 0x00
> > > >     Cleartext-Password = "ldap_pass"
> > > > Received Access-Accept Id 10 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
> > > >
> > > > So I can see here that the LDAP Module is functioning properly.
> > > >
> > > >
> > > > On Thu, Mar 21, 2019 at 2:35 PM Alan DeKok <aland at deployingradius.com>
> > > > wrote:
> > > >
> > > > > On Mar 21, 2019, at 10:57 AM, Nate . <nate2077developer at gmail.com> wrote:
> > > > > >
> > > > > > I have been dealing with a few things, so this got delayed, apologies. I am
> > > > > > still unclear on why I am unable to connect via EAP-TTLS-PAP. I have
> > > > > > reviewed the log many times and I don't really understand it.
> > > > >
> > > > >   Then post it here as suggested in the "man" pages, web pages, and in the
> > > > > email you get when you join the list.
> > > > >
> > > > >   How do you expect us to help you when you give us zero information?
> > > > >
> > > > > > I noticed a part of the authentication where it tries the LDAP, binds, and
> > > > > > then there's a part where it says "if ((ok || updated) && User-Password)  ->
> > > > > > FALSE" where it is true on the radtest.
> > > > >
> > > > >   English descriptions are bad.  Post the debug output.  It will be much,
> > > > > much, faster to solve the problem.
> > > > >
> > > > > > I felt certain it's the User-Password missing or something, but I don't
> > > > > > understand why it would be missing. I noticed the "(0)   User-Password = "
> > > > > > does not appear at the top of the connection log like the radtest either.
> > > > > > Though, on the "Flat file user credentials" from my previous email, you can
> > > > > > see it is also not listed at the top, so maybe it's not that.
> > > > >
> > > > >   <sigh>  Vague descriptions of problems are an utter waste of everyone's
> > > > > time.
> > > > >
> > > > >   Post the debug log.  Read the documentation.  I've been saying this for
> > > > > 20 years, and it is getting tiring.
> > > > >
> > > > >   Alan DeKok.
> > > > >
> > > > >
> > > > > -
> > > > > List info/subscribe/unsubscribe? See
> > > > > http://www.freeradius.org/list/users.html
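The inner-tunnel layout the replies above are pointing at, written out as an editor's added example (not config posted by anyone in the thread). It follows the shape of the FreeRADIUS 3.x default sites-available/inner-tunnel: the ldap call and the Auth-Type decision go in authorize, and the Auth-Type LDAP sub-section in authenticate just names the module. Contrast this with the block quoted earlier, where the update sits inside authenticate: Auth-Type is chosen at the end of authorize, so an update placed in authenticate runs too late to select the LDAP bind path, and the sub-section is never entered. The listen block is the local test port mentioned in the thread; the radtest command in the comment assumes the default 127.0.0.1 client with secret testing123 from clients.conf, and the LDAP server itself is configured in mods-available/ldap as in the outer server.

```unlang
# Added example (not from the thread): sites-available/inner-tunnel excerpt
# for EAP-TTLS with PAP inside the tunnel, passwords checked by an LDAP bind
# as the user. Assumes the default 127.0.0.1 client with secret "testing123".
server inner-tunnel {

    # Local listener: test the inner policy with plain RADIUS, no EAP-TTLS
    # tunnel needed. The request goes straight into this virtual server:
    #   radtest -t pap ldap_user ldap_pass 127.0.0.1:18120 0 testing123
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }

    authorize {
        filter_username
        chap
        mschap
        suffix
        update control {
            &Proxy-To-Realm := LOCAL
        }

        # Inner EAP (e.g. PEAP) is handled here; for EAP-TTLS/PAP the
        # tunneled request carries User-Password instead, so eap returns noop.
        eap {
            ok = return
        }

        files

        # The "-" prefix means a missing ldap module is not fatal.
        -ldap

        # Auth-Type is decided in authorize, not authenticate. ldap returns
        # ok/updated when the user was found; User-Password is present for
        # tunneled PAP, so select the bind-as-user path. Without this block
        # the server has no known password and cannot authenticate the user.
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := ldap
            }
        }

        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }

        Auth-Type CHAP {
            chap
        }

        Auth-Type MS-CHAP {
            mschap
        }

        # Bind to the directory with the tunneled User-Name/User-Password.
        # Only reached when authorize set control:Auth-Type := ldap above.
        Auth-Type LDAP {
            ldap
        }

        eap
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

Running the radtest command from the comment against port 18120 with radiusd -X exercises exactly the authorize and authenticate sections above; once that returns Access-Accept, the same policy is what the EAP-TTLS handler invokes for the inner request, with the Auth-Type condition now evaluating TRUE instead of the FALSE seen in the thread's debug log.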


More information about the Freeradius-Users mailing list