I use FR 2.1.1 for WPA authentication, using TTLS+MSCHAPv2 and LDAP to store users and passwords (in LM/NT hash format). I tried several configurations:
Configuration 1: - no changes in sites-enabled/default; - in sites-enabled/inner-tunnel uncommented "ldap" in authorize and "Auth-Type LDAP" in authenticate. Result: users get access even with an incorrect password. Why?
That shouldn't happen. When thing don't work as expected - debug (radiusd -X). Auth-Type LDAP shouldn't be used unless you have done something else as well.
Configuration 2: - in sites-enabled/default uncommented "ldap" in authorize and "Auth-Type LDAP" in authenticate; - no changes in sites-enabled/inner-tunnel. Result: users aren't authenticated.
That's as expected. Authentication is handled by inner-tunnel and no password is available since ldap is commented out in original settings.
Configuration 3: - in sites-enabled/default uncommented "Auth-Type LDAP" in authenticate;
You can leave that out too.
- in sites-enabled/inner-tunnel uncommented "ldap" in authorize. Result: it seems to work correctly, users get access only with a correct password.
That's the correct way.
I can't understand well the flow of the process between the two virtual servers :(
In your case default virtual server handles creation of TLS tunnel while inner-tunnel server handles mschap authentication (what is being sent inside the tunnel - hence the name). You need to provide password only in the inner-tunnel server. Server should set Auth-Type to mschap on it's own when it detects mschap attributes in inner-tunnel request. Ivan Kalik Kalik Informatika ISP