Erik Karlsson wrote:
I am trying to set up a simple Wlan-authentication using EAP-TTLS to avoid client certificates and PAM to use the server system authentication scheme. PAM doesn't know about users, and the users are situated in a LDAP database, which I think makes it logical to use rlm_ldap for authorization. I.e. I just want to check that users exist in LDAP and then move on to checking the password against PAM.
Why not also get the passwords from ldap? Why use PAM at all?
The problem is that PAM is never used. This seems to be an artifact of the fact that rlm_ldap is supposed to fetch a "known good" password, but I don't have passwords in the LDAP database. rlm_ldap is indeed successful in authorizing, but there is no Auth-Type set to handle the authentication.
If you want to use PAM, you have to force it via Auth-Type.
If I for example force Auth-Type to PAM in the users file (not good, I know), TTLS-negotiation is never run.
Because TTLS involves *two* authentication sessions. An outer one for EAP-TTLS, and an inner "tunneled" session where the real user-name && password is sent. Follow my web site (deployingradius.com) to get EAP-TTLS working. Once that's working, add LDAP authorization. Then, add PAM to the *inner* tunnel section. Alan DeKok.