2008/4/29 Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>:
Sergio Belkin wrote:
Hi,
I had been using EAP-TTLS, but I've commented in an earlier post, I have no luck with securew2 and Vista. So I am planning use a "secondary password" for radius in clear-text. But I'd want to know if TTLS and PEAP can live together, my current eap.conf is as follow:
eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_file = /etc/pki/tls/certs/ips-spectrum-key.pem certificate_file = /etc/pki/tls/certs/ips-spectrum-crt.pem CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random cipher_list = "DEFAULT" } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no } mschapv2 { } }
Yes. If the supplicant doesn't support TTLS it'll NAK the offer of EAP-TTLS and request PEAP. Default EAP type specifies the EAP type the server initially attempts to negotiate with the supplicant.
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Phil and Arran. I am testing peap and ttls and I only modified default_eap_type to be peap. But I can't connect, this part of the debugging output: rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for pepepe with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [pepepe/<via Auth-Type = EAP>] (from client UP-PVIII-VII port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled (pepepe is the user) I am setting userPassword in cleartext with Luma for LDAP (http://luma.sourceforge.net/ ). What's wrong? Thanks in advance. Should I define 2 virtual servers as Phil suggested? -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -