EAP-TTLS configuration with PAP inner
Hi, Apologies if this has been asked before. I am trying to configure freeradius to replicate our current radius server, there are a couple of things that im not clear about. We tend to use a anonymous@realm identity for the EAP outer ID, in our current radius server this is defined in a users file and has the format of anonymous Encrypted-Password=nevermatch is there a similar thing in freeradius and where should this be defined ? In the eap.conf file under the ttls section it asks for " default_eap_type = tls" if I am using a pap password for the inner that comes from a ldap server should I comment this section out ? Or will the server ignore it ? Thanks Colin -- ----------------------------------------------------------------------- Colin Byelong Email: C.Byelong@ucl.ac.uk Senior Network Development Officer Network Group Information Systems Division University College London Gower Street Phone: 020 7679-2572 London WC1E 6BT ------------------------------------------------------------------------
Hi,
We tend to use a anonymous@realm identity for the EAP outer ID, in our current radius server this is defined in a users file and has the format of anonymous Encrypted-Password=nevermatch is there a similar thing in freeradius and where should this be defined ?
IIRC, this is just so that the user 'anonymous' is never treated as a real user so no real challenges regarding this ID are sent to the LDAP or SQL backend? We've never had to define an 'anonymous' username anywhere in FreeRADIUS config for this to not be a problem....basically, if you have anonymous@realm then FreeRADIUS suffic/realm/prefix code will note the realm part and proxy it through..and its its EAP it'll be proxied to the inner-tunnel (from then on the InnerID is what matters!)
In the eap.conf file under the ttls section it asks for " default_eap_type = tls" if I am using a pap password for the inner that comes from a ldap server should I comment this section out ? Or will the server ignore it ?
thats the default EAP type and hence the one that is initially challenged... if you want to optimize things then set it to you most commonly used method....we have it as 'peap' here but you'll be EAP-TTLS/PAP'ing? so that'd be 'ttls' alan
Hi Thanks for the quck reply.
Hi,
We tend to use a anonymous@realm identity for the EAP outer ID, in our current radius server this is defined in a users file and has the format of anonymous Encrypted-Password=nevermatch is there a similar thing in freeradius and where should this be defined ?
IIRC, this is just so that the user 'anonymous' is never treated as a real user so no real challenges regarding this ID are sent to the LDAP or SQL backend?
We've never had to define an 'anonymous' username anywhere in FreeRADIUS config for this to not be a problem....basically, if you have anonymous@realm then FreeRADIUS suffic/realm/prefix code will note the realm part and proxy it through..and its its EAP it'll be proxied to the inner-tunnel (from then on the InnerID is what matters!)
Thanks I will try and configure this.
In the eap.conf file under the ttls section it asks for " default_eap_type = tls" if I am using a pap password for the inner that comes from a ldap server should I comment this section out ? Or will the server ignore it ?
thats the default EAP type and hence the one that is initially challenged... if you want to optimize things then set it to you most commonly used method....we have it as 'peap' here but you'll be EAP-TTLS/PAP'ing? so that'd be 'ttls'
I thought it should be ttls but I found this to be a little confusing "The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # TTLS tunnel, we recommend using EAP-MD5. # If the request does not contain an EAP # conversation, then this configuration entry # is ignored. as I have eap { default_eap_type = ttls Thanks Colin
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------------- Colin Byelong Email: C.Byelong@ucl.ac.uk Senior Network Development Officer Network Group Information Systems Division University College London Gower Street Phone: 020 7679-2572 London WC1E 6BT ------------------------------------------------------------------------
Hi,
I thought it should be ttls but I found this to be a little confusing
aye. there are a couple of 'default_eap_type' lines - one for the main EAP engine..and then entries under a couple of the tunnelled types (eg peap and ttls) eap { default_eap_type = ttls ... ... } is correct under the ttls {} config you can have 'md5' or 'gtc' - i dont think that 'pap' is a valid entry though as that is not an EAP type. alan
On 23/02/2010 10:44, Alan Buxey wrote:
Hi,
aye. there are a couple of 'default_eap_type' lines - one for the main EAP engine..and then entries under a couple of the tunnelled types (eg peap and ttls)
eap { default_eap_type = ttls ... ... }
is correct
under the ttls {} config you can have 'md5' or 'gtc' - i dont think that 'pap' is a valid entry though as that is not an EAP type.
This is what was confusing me I would have thought I should put ttls here but I have already defined that as the default eap type, I know that pap is not a eap-type but that what we are using in the tunnel, could I put md5 here and configure ldap in the inner-tunnel file ? Thanks Colin
alan
-- ----------------------------------------------------------------------- Colin Byelong Email: C.Byelong@ucl.ac.uk Senior Network Development Officer Network Group Information Systems Division University College London Gower Street Phone: 020 7679-2572 London WC1E 6BT ------------------------------------------------------------------------
Hi,
This is what was confusing me I would have thought I should put ttls here but I have already defined that as the default eap type, I know that pap is not a eap-type but that what we are using in the tunnel, could I put md5 here and configure ldap in the inner-tunnel file ?
yes - you should see LDAP working fine in the inner-tunnel no matter what you put (you MAY find that putting GTC as the default method might get better performance/throughput though cant vouch for certainty!) alan
participants (2)
-
Alan Buxey -
Colin Byelong