On Fri, Oct 28, 2016 at 12:58:38PM +0200, Marlen Caemmerer wrote:
Am 2016-10-27 14:14, schrieb Alan DeKok:
Because MS-CHAPv2 doesn't supply a password.
The simple answer is that you should give the password to FreeRADIUS, and let FreeRADIUS authenticate the user. You shouldn't write a Perl script to do the authentication.
What would you recommend to let FreeRadius authenticate the user? LDAP or users file or something else?
That totally depends on where your usernames/passwords are actually stored. i.e. where is your perl script looking?
In short, EAP-TTLS and PEAP set up a TLS connection between the PC and the RADIUS server. Authentication normally requires a name, so that is the "outer' one. When the TLS session is set up, the *real* name and password are sent inside of the TLS connection. That is the "inner" identity.
Thanks :). So this means I configure the default virtual server to do TTLS and the inner virtual server to do PAP?
Yes.
In the default config I guess I'd have to put eap in the authenticate section.
Is this correct?
Yes. But watch out - by default the users file is read by both the inner and outer virtual servers. So you'll end up setting Auth-Type:=perl for both. Really, as written all over the place, don't set Auth-Type yourself unless you really know what you're doing. And don't use perl to do the authentication - use FreeRADIUS to fetch the credentials and do the auth. It will generally work out what the correct Auth-Type is for you. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>