On Mar 28, 2018, at 7:34 AM, Mitch Sullivan <mitch.sullivan@swarm64.com> wrote:
I've been rolling out an instance of freeradius in our environment. The documentation has been terrific and this mailing list also very helpful very helpful
That's good to hear.
I'm trying to use EAP - TTLS for authentication. I can bind to our IPA server without issue. I made a testing environment and was able to get accept packets without issue. However, while trying to test self-signed certificates in our live environment I encounter issue with what looks like problems with hashed passwords. (I think IPA uses salted MD5 hash passwords by default, but our environment uses SSHA1 passwords due to a migration from openLDAP).
FreeRADIUS can handle any common password hashing mechanism.
My implementation steps are.
Install freeradius and freeradius ldap
remove testing certs and generate self signed certs
edit ldap module to bind to our IPA
edit EAP module to set type to TTLS, input certificate info, and set TTLS tunnel type to GTC
add Wifi AP to clients.conf
That's good...
below is the output from debug mode. I've blanked out any company information for security purposes. ... (6) server inner-tunnel { ... rlm_ldap (ldap): Reserved connection (0) (6) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (6) ldap: --> (uid=PRIVATE) (6) ldap: Performing search in "PRIVATE" with filter "(PRIVATE)", scope "sub" (6) ldap: Waiting for search result... (6) ldap: User object found at DN "uid=(PRIVATE)" (6) ldap: Processing user attributes (6) ldap: control:Password-With-Header += '{SSHA}h5MDNNZSAO+XIU+/xk/oLfupxBPpbBMjLs7WXA=='
That's good.
(6) eap_gtc: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) eap_gtc: Auth-Type PAP { (6) pap: Login attempt with password (6) pap: Comparing with "known-good" SSHA-Password (6) pap: ERROR: SSHA digest does not match "known good" digest (6) pap: Passwords don't match
And that's the problem. The client has entered the wrong password. Use the right password and it will work. Alan DeKok.