On Wed, Jun 19, 2013 at 02:49:21PM +0200, Olivier Beytrison wrote:
On 19.06.2013 14:11, Marco Streich wrote:
We have deployed FreeRADIUS on OS X before, but our configuration was rather ugly. What we would do is authenticate users locally, having the machine attached to our OpenDirectory server directly using the Connect Network Account Server functionality provided by OS X.
I will make it short and easy.
You can't do LDAP authentication with 802.1x. EAP needs the password of the user in cleartext. if it's not in your ldap, you're screwed.
Not entirely true. With PAP (which is what radtest is doing) then you can work without a cleartext password as auth is (generally) based on a ldap bind. With EAP-TTLS/PAP, you can also work with just the hash in ldap, as (same as clear PAP) you get the password from the client to do a bind with. With EAP-TTLS/MSCHAP or PEAP/EAP-MSCHAP etc you need the cleartext password from ldap - auth is done by checking this in FreeRADIUS, not by a bind to ldap.
[ldap] login attempt by "a4" with password "whatever" [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu [ldap] (re)connect to ldap.hopro.edu:389, authentication 1 [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to ldap.hopro.edu:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user a4 authenticated successfully ++[ldap] returns ok
This works because you're doing PAP. with radtest the user password is sent in cleartext. so YES you can authenticate with ldap because you can BIND to the ldap with the provided password.
you don't have this password with 802.1x/EAP. you work only with challenges, hash and keys.
Apple OS X can do EAP-TTLS/PAP as far as I am aware (native Windows < 8 can't), so this should work. I don't recognise the error you're getting, though - it looks like the client gave up and sent an empty packet. Note you don't need ldap configured in the outer for 802.1X to work - the outer is just doing EAP. It's the inner that will need the ldap modules. Some other comments - Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x. Save yourself some round trip packets by setting default_eap_type = ttls in eap.conf Save yourself some LDAP lookups by removing ldap from the outer. Cheers Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>