Hi all,

I've been trying to get over this configuration but without any success. I'm using freeradius-1.1.1.

First I had this working with eap-tls and peap for authentication and ldap for authorization, and it was working quite well. As I have to integrate this configuration with an ldap that has encrypted passwords, I decided to change the authtype to pap over eap-ttls after reading "Protocol and Password Compatibility" on Alan's site.

The authorization part of ldap does the following:

A user will be authorized to use remote access if he is in the ldap and, depending on the access policy defined, if he belongs to a white or blacklist.
After being authorized within the authorize section the user finds these lines:

    users_branch
    eap

user-branch is the users file I use, which has entries of the form (and nothing else):

    DEFAULT ldap11-Ldap-Group == Local
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = Local,
        Fall-Through = No

This, as I said, was working right.

Now the only things I've added to radiusd.conf are

    modules {
        ( I've commented out any other type like chap, mschap, peap, leap... only the ones listed here are set )

        ldap-modules-stuff

        pap {
            encryption_scheme = sha1
        }
        eap {
            default_eap_type = ttls
            ...
            gtc {
                auth_type = PAP # I've tested without configuring gtc too, setting default_eap_type in ttls to md5 and commenting it out
            }
            tls {
                my old configuration that works
            }
            ttls {
                default_eap_type = gtc
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
            }
        }
    }

    authorize {
        ...
        ldap stuff
        user_branch
        eap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        eap
    }

Then in the logs I can see the following (I don't put them here because they are nearly endless):

The user is authorized and the password is got from the ldap:

    rlm_ldap: Adding userPassword as User-Password, value {sha}rur+4yJuecpmc8vxS/8wAyAMNHM= & op=21
    .........
    rad_check_password: Found Auth-Type EAP
    auth: type "EAP"
    ...........

The eap-ttls tunnel is ok

    ..........

And after matching the group Local in my users file:

    auth: type Local
    auth: user supplied User-Password does NOT match local User-Password
    auth: Failed to validate the user.

    Access-reject

When I try this with clear-text passwords it works quite well, but I don't know if it is working the way I want or not (with pap), because with neither encrypted nor clear-text passwords can I see in the logs a reference to rlm_pap or gtc...

I imagine I'm doing something wrong but can't figure out what it is.

I've googled on the internet and in the mailing list but I don't make any progress with what I've found.

So any comments are welcome

Thanks
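Added example, not part of the original post and not FreeRADIUS code: a small Python model of the two checks the log above distinguishes, a literal string comparison of the supplied password against the `{sha}` value pulled from LDAP (the kind of check behind the "does NOT match local User-Password" line) and the SHA-1 digest comparison that rlm_pap performs with encryption_scheme = sha1. The password value and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac


def make_sha_hash(password: str) -> str:
    """Build an LDAP-style {sha} userPassword: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{sha}" + base64.b64encode(digest).decode("ascii")


def check_local(stored: str, supplied: str) -> bool:
    """Literal comparison: the cleartext can never equal a '{sha}...' string."""
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


def check_pap_sha1(stored: str, supplied: str) -> bool:
    """rlm_pap-style check: hash the supplied password and compare digests."""
    if not stored.lower().startswith("{sha}"):
        return False
    try:
        stored_digest = base64.b64decode(stored[len("{sha}"):], validate=True)
    except ValueError:  # malformed base64 in the directory entry
        return False
    if len(stored_digest) != hashlib.sha1().digest_size:
        return False
    supplied_digest = hashlib.sha1(supplied.encode("utf-8")).digest()
    return hmac.compare_digest(stored_digest, supplied_digest)


def demo(password: str = "constructed-example") -> dict:
    """Run both checks against a constructed {sha} entry for the same password."""
    stored = make_sha_hash(password)  # what the LDAP userPassword would hold
    return {
        "local": check_local(stored, password),
        "pap_sha1": check_pap_sha1(stored, password),
        "pap_sha1_wrong": check_pap_sha1(stored, "wrong-password"),
    }


if __name__ == "__main__":
    print(demo())  # {'local': False, 'pap_sha1': True, 'pap_sha1_wrong': False}
```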