Oh also. For OS X and I OS clients, they seem to be able to download the certificate directly from the server. However, for Linux / Android and Windows clients it doesn't seem to do so. Does this mean the best practice is to issue the self generated certificate to clients manually. Mitch. ________________________________ From: Mitch Sullivan Sent: Wednesday, March 28, 2018 2:19:27 PM To: FreeRadius users mailing list Subject: Re: Radius Testing. EAP-TTLS, (GTC - PAP) SSHA Password Thanks Allan. I'm such a goose. Its working now. The self signed certificates will work for all common clients. E.G Windows 10 and Android Phones? I guess I'll find out as I test. Everything works fine for apple devices. Is this my best possible outcome, or is there are better / more secure recommendation? ________________________________ From: Freeradius-Users <freeradius-users-bounces+mitch.sullivan=swarm64.com@lists.freeradius.org> on behalf of Alan DeKok <aland@deployingradius.com> Sent: Wednesday, March 28, 2018 1:53:35 PM To: FreeRadius users mailing list Subject: Re: Radius Testing. EAP-TTLS, (GTC - PAP) SSHA Password On Mar 28, 2018, at 7:34 AM, Mitch Sullivan <mitch.sullivan@swarm64.com> wrote:
I've been rolling out an instance of freeradius in our environment. The documentation has been terrific and this mailing list also very helpful very helpful
That's good to hear.
I'm trying to use EAP - TTLS for authentication. I can bind to our IPA server without issue. I made a testing environment and was able to get accept packets without issue. However, while trying to test self-signed certificates in our live environment I encounter issue with what looks like problems with hashed passwords. (I think IPA uses salted MD5 hash passwords by default, but our environment uses SSHA1 passwords due to a migration from openLDAP).
FreeRADIUS can handle any common password hashing mechanism.
My implementation steps are.
Install freeradius and freeradius ldap
remove testing certs and generate self signed certs
edit ldap module to bind to our IPA
edit EAP module to set type to TTLS, input certificate info, and set TTLS tunnel type to GTC
add Wifi AP to clients.conf
That's good...
below is the output from debug mode. I've blanked out any company information for security purposes. ... (6) server inner-tunnel { ... rlm_ldap (ldap): Reserved connection (0) (6) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (6) ldap: --> (uid=PRIVATE) (6) ldap: Performing search in "PRIVATE" with filter "(PRIVATE)", scope "sub" (6) ldap: Waiting for search result... (6) ldap: User object found at DN "uid=(PRIVATE)" (6) ldap: Processing user attributes (6) ldap: control:Password-With-Header += '{SSHA}h5MDNNZSAO+XIU+/xk/oLfupxBPpbBMjLs7WXA=='
That's good.
(6) eap_gtc: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) eap_gtc: Auth-Type PAP { (6) pap: Login attempt with password (6) pap: Comparing with "known-good" SSHA-Password (6) pap: ERROR: SSHA digest does not match "known good" digest (6) pap: Passwords don't match
And that's the problem. The client has entered the wrong password. Use the right password and it will work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html