TTLS-PAP authentication with LDAP bind
First off, I'd like to say thanks in advance to anyone who can help me here. I've spent the past few days searching the list archives and other sites for information on how to accomplish this. The overwhelming message from these searches was that "it should just work" and that "the server will figure out what to do." Sadly, that's not the case here. My goals here are straightforward: -Authorize the user in LDAP if a corresponding entry exists (just checking against uid, nothing fancy). -Support TTLS-PAP and PEAP-GTC. The default Macintosh configuration supports PEAP-GTC with no config. SecureW2 will be used for TTLS-PAP on Windows clients. -Authenticate the user's clear-text password via a simple LDAP bind encrypted via TLS. No userPassword attribute checking here. A simple bind is all. Using version 1.14. Here's my eap.conf with comments stripped out: eap { default_eap_type = ttls timer_expire = 10 ignore_unknown_eap_types = no cisco_accounting_username_bug = no gtc { challenge = "Password: " auth_type = PAP } tls { private_key_password = foo private_key_file = ${raddbdir}/certs/key.pem certificate_file = ${raddbdir}/certs/cert.pem CA_file = ${raddbdir}/certs/sf_issuing.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } ttls { default_eap_type = gtc } peap { default_eap_type = gtc } } Relevant sections of radius.conf are: ldap { server = "myserverentry" basedn = "myDN" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = yes tls_cacertfile = /opt/fedora-ds/alias/intCA.pem tls_require_cert = "demand" access_attr = "uid" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } authorize { preprocess suffix ntdomain eap files ldap pap } authenticate { Auth-Type PAP { pap } Auth-Type LDAP { ldap } eap } If I force the Mac or Windows supplicants to use TTLS-PAP, the request is never passed to radiusd. I don't know what's going on but my AP (Aruba 200) seems to be detecting that something isn't right with its AAA server and not passing the request on. If I change the supplicants to use their default settings, the requests are sent to FreeRadius, but the requests fail. Again, the Aruba seems to think that something is wrong and presents its certificate instead of my server's. At one point, I had the clients seeing the server's certificate but I can't seem to get back in that state. So I don't think my AP is broken, I'm pretty sure it's my FreeRadius config that's broken. The users file is unchanged and the proper entries are in clients. Yes, I've run the server in debug mode (there are no requests coming in). Thanks, -richard ____________________________________________________________________________________ Have a burning question? Go to www.Answers.yahoo.com and get answers from real people who know.
Richard Hesse wrote:
If I force the Mac or Windows supplicants to use TTLS-PAP, the request is never passed to radiusd.
The NAS is broken.
I don't know what's going on but my AP (Aruba 200) seems to be detecting that something isn't right with its AAA server
Disable the Aruba AAA server. If you're using FreeRADIUS, you DO NOT need the Aruba AAA server.
and not passing the request on. If I change the supplicants to use their default settings, the requests are sent to FreeRadius, but the requests fail. Again, the Aruba seems to think that something is wrong and presents its certificate instead of my server's.
Disable the Aruba AAA server.
Yes, I've run the server in debug mode (there are no requests coming in).
Then the NAS is broken. It's not rocket science: If FreeRADIUS isn't getting any requests, then there is NOTHING YOU CAN DO to FreeRADIUS to fix the problem. The NAS is broken. Disable its AAA server. I can't emphasize that enough. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Richard Hesse