On Nov 26, 2016, at 7:02 AM, Muenz, Michael <m.muenz@spam-fetish.org> wrote:
I have a running setup with privacyIDEA to authenticate VPN users via Token. There's a perl module redirecting the token stuff to the local webserver doing their magic. In order to to run this setup I have to set Default Auth Type to perl in users file.
You need to give a password to Perl. That's the only authentication method which will work.
Now I have a customer asking to extend WiFi security with tokens. My thought was no big deal, but there's EAP! :)
After some google it was clear to use TTLS and PAP. First problem, when I setup my AP's for radius and Default Auth is perl, EAP won't get called.
Yes... telling the server to not do EAP means it doesn't do EAP>
OK, then I set Default Auth to EAP and bang, EAP starts and everything seems to run fine in inner-tunnel. But then I want to bump perl in authenticate section to give the request to the web server.
OK, that works for PAP. Not much else.
What now happens is, that perl won't get recognized and instead again Defaut Auth is chosen and it tries to do MD5.
EAP-MD5, which isn't PAP.
I played around with ttls and md or gtc, inserted perl in authorized section and so on, nothing worked.
Trying random things isn't a good way to solve problems. It's best to understand how things work. In this case, the EAP module handles the outer tunnel. If the inner-tunnel authentication contains PAP, you can put the "perl" module into the authenticate section, as: authenticate { ... Auth-Type PAP { perl } ... } Which is probably the simplest thing to do. EAP-GTC will work, too, but why do that when you have PAP? As for the other authentication methods, see: http://deployingradius.com/documents/protocols/compatibility.html You just cannot use anything other than PAP with Perl. At least, in the way you want to do. Alan DeKok.