Hi all,
I've been trying to get over this configuration but without any success. I'm using freeradius-1.1.1.
First I had this working with eap-tls and peap for authentication and ldap for authorization, it was working quite well. As I have to integrate this configuration with an ldap that has encrypted passwords I decide to change authtype to pap over eap-ttls after watching Protocol and Password Compatibility in Alan's site.
The authorization part of ldap does the following:
A user will be authorized to use remote access if he is in the ldap and depending on the access policy defined if he belongs to a white or blacklist.
After being authorized within the authorize section the user find these lines:
users_branch
eap
user-branch is the users file I use that has entries by the form (and nothing else ):
DEFAULT ldap11-Ldap-Group == Local
Tunnel-Type=VLAN,
Tunnel-Medium-Type=6,
Tunnel-Private-Group-Id=Local,
Fall-Through = No
This, as I said, was working right.
Now the only things I've added to radiusd.conf is
modules {
( I've commented any other type like chap, mschap, peap, leap... only the onse listed here are set )
ldap-modules-stuff
pap {
encryption_scheme = sha1
}
eap {
default_eap_type = ttls
...
gtc {
auth_type = PAP # I've test without configuring gtc too and setting default_eap_type in ttls to md5 and commenting it out
}
tls {
my old configuration that works
}
ttls {
default_eap_type = gtc
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
}
}
authorize {
...
ldap stuff
user_branch
eap
}
authenticate {
Auth-Type PAP {
pap
}
eap
}
Then in the logs I can see that ( I don't put them because they are nearly endless ):
The user is authorized and the password is got from the ldap (rlm_ldap: Adding userPassword as User-Password, value {sha}rur+4yJuecpmc8vxS/8wAyAMNHM= & op=21)
.........
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
...........
The eap-ttls tunnel is ok
..........
And after matching the group Local in my users-file:
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Access-reject
When I try this with clear-text passwords it works quite well but I don't know if it is working the way I want or not (with pap), because neither with encrypted nor with clear-text I can't see in the logs a reference to rlm_pap or gtc...
I imagine I'm doing something wrong but can't figure out what it is.
I've googled on the internet and in the mailing list but I don't make any progress with what I've found.
So any comments are welcome
Thanks