EAP-TTLS/PAP with OpenLDAP user store
Hi, my aim is to to have eap-ttls/pap working using an openldap user database with MD5 hashed passwords. I got it working configuring ldap parameters in /etc/raddb/modules/ldap and applying two changes in /etc/raddb/sites-available/inner-tunnel: 1) uncommented "ldap" in the authorize section 2) uncommented these lines in the authenticate section: Auth-Type LDAP { ldap } Am I doing it right? What puzzles me is the following comment in the authenticate section that seems to warn me not to do what I have done ("EAP wont'work"): # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Thanks a lot for your time and help, Stefano Here's the very long of the debug output (test done with JRadusSimulator with EAP-TTLS/PAP Authentication Protocol): rad_recv: Access-Request packet from host 192.168.100.11 port 41898, id=204, length=95 NAS-Port = 100 NAS-IP-Address = 123.123.123.123 User-Name = "anonymous@unipd.it" EAP-Message = 0x0200001701616e6f6e796d6f757340756e6970642e6974 Message-Authenticator = 0x4a6c7626f1ae57fabb14be50dbc07a24 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "unipd.it" for User-Name = "anonymous@unipd.it" [suffix] No such realm "unipd.it" ++[suffix] returns noop [eap] EAP packet type response id 0 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 204 to 192.168.100.11 port 41898 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd7901eacd78148a4b2cea7aabcc02f2 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.11 port 41898, id=205, length=162 NAS-Port = 100 NAS-IP-Address = 123.123.123.123 User-Name = "anonymous@unipd.it" State = 0xcd7901eacd78148a4b2cea7aabcc02f2 EAP-Message = 0x020100481500160301003d0100003903014f5645254671b784085849aa6dd6e3f818aa3e40e058b087ba535933b62b721a0000120039003800330032001600130035002f000a0100 Message-Authenticator = 0x19b7441b270f62ebbc9d4840c09bdb7a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "unipd.it" for User-Name = "anonymous@unipd.it" [suffix] No such realm "unipd.it" ++[suffix] returns noop [eap] EAP packet type response id 1 length 72 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 003d], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 085e], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 205 to 192.168.100.11 port 41898 EAP-Message = 0x0102040015c000000aad160301002a0200002603014f56452532ed154126bed11870476c01d7f373c20ad3d9c68ac6e05dd629561700003900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3132303132343135303735395a170d3133303132333135303735395a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100fa0f3e1ceaf9177f2eb634acd46fb39abe162dcc17f73b8a79fa0b159fb608379beb9cca6a68546fb4395d33c847c667a01a87f28829d7fb310080eca9f8 EAP-Message = 0x3458e66496b02ae443acf293f00ef76f4cc9e5ccfa418d10fff27cf43821b8ad462578a67e42dc0b6f3fc2014334dd79a599d45e64c626341605bf4126f773cf813ab0fb340f5b48f5210d6848fb6e054e105c8d94eb70fb7c8a886539414ede92e9c4b726fd4283b5bce1e0bfbb35531fc4b0bffd7bb4bd2867bca48145af082ee78032331f3edf63fb6ba6c0d79855250469c60ad8e38ab5b2954e29cafc5979bb3c10575a1c1d221cf47d98a4db79da5840c45a431b7025b9b807aefefd0881e10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100bc3332769e2ecff294 EAP-Message = 0x0a42a153dde30c127fc17b73cb994937130670488c983419461531cd82f99acf032930dfd2f5e1b23f0f61bb18f1c05c9a548fcfc365c1b38733b12a4229002cca44c9c3442d5f021e708806d8c5c378f01191ca86481c3f0654f7fa14b992ffd7541f68d57e5fb3116b142a5e12f6e2bf7554e0c008e6490dacfa62427787c4190b3e95abb39018767f92fa131dd729f778a6787f0ac4fcd940c0c42c9fdd6e31e0d9a93230130cad702cf7d081a0d0240a745bfa00527d6aa0846b5205f03f899fddc7b6dff5fbfbaedc29d09bd0aa602dfc4faa99ed24f320ac09069df43e36b971c3c73edb793dd8e4747963f3cc6add7def77934b0004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd7901eacc7b148a4b2cea7aabcc02f2 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.11 port 41898, id=206, length=96 NAS-Port = 100 NAS-IP-Address = 123.123.123.123 User-Name = "anonymous@unipd.it" State = 0xcd7901eacc7b148a4b2cea7aabcc02f2 EAP-Message = 0x020200061500 Message-Authenticator = 0xa2c22a1a2e8fa392e6f8babe34a8a605 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "unipd.it" for User-Name = "anonymous@unipd.it" [suffix] No such realm "unipd.it" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 206 to 192.168.100.11 port 41898 EAP-Message = 0x0103040015c000000aad00e8494b90642e746f300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3132303132343135303735395a170d3133303132333135303735395a308193310b3009060355040613024652310f300d0603550408130652616469757331123010 EAP-Message = 0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100cd77ec7086dbc07f34f7cae3b3872f281bbb836151b0dc6723bb1c027715d93053050e0f43b8c0d9105565cdad4a780737970a5a420e0d597d900d60278e7376cd4a9fa1a04dd69486098a1c9300d0705ad547341553e146513a06936d96b24314c29649e16e46283b2ab2 EAP-Message = 0xc02e488785b05212fbdb5593a67c081b5760d7c8ece614ca379a329ad870dce6ac78e1c5383ed4797aebfec23530572a5298b40a5686805317b03da9663c694b98d925e489eb6ca695cf3b0628c028c6fe88e83e37e125f005583b0f7c58936d4645b91a569b95df9aafed8d11b7b2b3165279e297a17622f96e2dc4a23415bd249fbc1ebd09103ae493d7adfb359f3fd7b03e9a390203010001a381fb3081f8301d0603551d0e04160414da070c5228c57bbee0cc49e2c4b12cf1720dabf73081c80603551d230481c03081bd8014da070c5228c57bbee0cc49e2c4b12cf1720dabf7a18199a48196308193310b3009060355040613024652310f300d EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e8494b90642e746f300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100ba35653daf0e4c3b6cc689ebd67f3cbfd3f368f9827a6791587584ba9c9e19b9e4466f291e7d61ee59fcc4d255c4b1bddbf5a2b5e347e86285470bd3c6ec4e13fb8d790432bef10f0f04ae5d57db EAP-Message = 0x95aabab449a37124b01f7d23 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd7901eacf7a148a4b2cea7aabcc02f2 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.11 port 41898, id=207, length=96 NAS-Port = 100 NAS-IP-Address = 123.123.123.123 User-Name = "anonymous@unipd.it" State = 0xcd7901eacf7a148a4b2cea7aabcc02f2 EAP-Message = 0x020300061500 Message-Authenticator = 0x7de069de52a18aaf03a8a63845bb52ab +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "unipd.it" for User-Name = "anonymous@unipd.it" [suffix] No such realm "unipd.it" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 207 to 192.168.100.11 port 41898 EAP-Message = 0x010402cb158000000aad2e32d34b73b029470cf489eed7f1dc989b9157a2c04d5d03791d618440aac34bebfa42cf0c52e516af7013aaf2093662be0201215cd5cfa43f570e827fcdcd68a9c10e77250179332e1844a5533e9f06ca5ff640c1f2a12a4f0ea6e63063b1091818c094ea5412575c9a80fc69f817711017550c5fec771b9551c9e0767161fde2cf39e938c4284698c459769b117678303aa015621f3c54c249d2d52985afd1390507efec33160301020d0c0002090080f09039993098ab5b7cfc785f08528979fc0525e868a74d8283896c088865610862093c47d49077eb9916d8c87c9c6d1e77153e9a7abace55f4d0b205a74f38b4191d EAP-Message = 0x114b0910b3a08dab17b65fe08eb9f564c1328fff3a299045398adb4a08f20c0c5e071e08172b5659e60964029beaaf23158643cf635bb2283f8ede606003000102008015e952d5ccf37e61fb8ee23373c3e5bf9a953e82cfd17f82fa78aec2202e1e13dab27035c72f9fea4bd170db65cd75ba77d5a8bdc99ce16e0f1dc6add5547d23e9b70d01f98a0ec44f8e8a6d7bec73b2f97cbf350adff04760906b9dc13a7fd3df3519e7b2cc81173b913cc6a00d7f90bedff8b942a3b9f91661c78bc7c1afd00100805befbdf25cf595abcb8b6701c75654d6eddb95b7e61194a9bc38cdc385d39f528b7576d74dbcd80de5668fe61f582c659db4727e2e3704 EAP-Message = 0x2087d41ebd9420008136d668d0a9345721d00a5c6c3a0bb6600b13a1a601053d08d52ebd022540403d6a74f0822b70f0ad2b78013a222c87ef720d6a399e988cad506981fdfa51b2be0d77c7845aa9ef540533a3834c76e754e7946dc388d40a72b237acd9f7db0160ab6d14be7ac11a2495d106db5a3490298d7e7d5db912e68ea7a45be2333c3cdfffa3773fa35df4236b04d183c87cbedef9428934302510dd6543a090fbc6586647d8064a67eb40a63f0717ba10a8dbd48ef054215302f6bc220c4b315fe40d16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd7901eace7d148a4b2cea7aabcc02f2 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.11 port 41898, id=208, length=310 NAS-Port = 100 NAS-IP-Address = 123.123.123.123 User-Name = "anonymous@unipd.it" State = 0xcd7901eace7d148a4b2cea7aabcc02f2 EAP-Message = 0x020400dc150016030100861000008200805fbeedad3d5af155f4c45f2410d3c02ec13fc5d3df27374d07e8c6684ec7356d99cafc892fc0e753551c1a74a425bb70161d0cd34fe326fe961ea1c9f027419bdb819329e5644b34dff39ca0c3d77ae8d8acdba6aaac53b7606985db292ea50c6f237bf90725a1ce53caf91f2428cb25d54e7e4bb7ffe6c2cd6df7c8a0d1fec814030100010116030100406e4ca038ddf976b6a0f080487c316d44684af947febc7432eba1209c637219ee06fdf4391e43753763be7d6237a01d7fd9e23854300e2d3c73e6cb79f13dfdf1 Message-Authenticator = 0x3f0e85870f20ce1a998879c107f38832 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "unipd.it" for User-Name = "anonymous@unipd.it" [suffix] No such realm "unipd.it" ++[suffix] returns noop [eap] EAP packet type response id 4 length 220 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 208 to 192.168.100.11 port 41898 EAP-Message = 0x0105004515800000003b14030100010116030100301ba0ec36ea8a4181d9b5b4d526ae533f3ea22fb31b29a8cf34824f52dfaf12589a6239eff19952d02b1d5a67ba056129 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd7901eac97c148a4b2cea7aabcc02f2 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.11 port 41898, id=209, length=96 NAS-Port = 100 NAS-IP-Address = 123.123.123.123 User-Name = "anonymous@unipd.it" State = 0xcd7901eac97c148a4b2cea7aabcc02f2 EAP-Message = 0x020500061500 Message-Authenticator = 0x5bee6ebbb1f0dfb633b2c47db5deb0af +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "unipd.it" for User-Name = "anonymous@unipd.it" [suffix] No such realm "unipd.it" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake is finished [ttls] eaptls_verify returned 3 [ttls] eaptls_process returned 3 ++[eap] returns handled Sending Access-Challenge of id 209 to 192.168.100.11 port 41898 EAP-Message = 0x0106000a158000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd7901eac87f148a4b2cea7aabcc02f2 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.11 port 41898, id=210, length=250 NAS-Port = 100 NAS-IP-Address = 123.123.123.123 User-Name = "anonymous@unipd.it" State = 0xcd7901eac87f148a4b2cea7aabcc02f2 EAP-Message = 0x020600a015001703010030545053644b5cc5c386d17396a5b1fc38c717302eb5e26f5322df1a9c323793c233cb6e4effe95ab464a808910a93a8ea17030100604de78b46dbf0dd777446d710071eee3eb6b3a8f8728ac83280a4dad02e364e7e8c70dabaa49a0b5d887bb296b060546890c98623d8642229ae757dc61eb989fb6340807fb449fdedde56c40951d7a48e2a51c995364f1e6f49c3d8bd8463cef6 Message-Authenticator = 0x60c9bcb9cdef0bee42e5b4ccec949aed +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "unipd.it" for User-Name = "anonymous@unipd.it" [suffix] No such realm "unipd.it" ++[suffix] returns noop [eap] EAP packet type response id 6 length 160 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "test.user@studenti.unipd.it" User-Password = "XXX" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "test.user@studenti.unipd.it" User-Password = "XXX" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] Looking up realm "studenti.unipd.it" for User-Name = "test.user@studenti.unipd.it" [suffix] No such realm "studenti.unipd.it" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for test.user@studenti.unipd.it [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> test.user@studenti.unipd.it [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test.user@studenti.unipd.it) [ldap] expand: dc=unipd,dc=it -> dc=unipd,dc=it rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to mytestingdirectory.it:389, authentication 0 rlm_ldap: bind as uid=ldapconnect.user@studenti.unipd.it,ou=students,dc=unipd,dc=it/XXX to mytestingdirectory.it:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=unipd,dc=it, with filter (uid=test.user@studenti.unipd.it) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user test.user@studenti.unipd.it authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by "test.user@studenti.unipd.it" with password "XXX" [ldap] user DN: uid=test.user@studenti.unipd.it,ou=students,dc=unipd,dc=it rlm_ldap: (re)connect to mytestingdirectory.it:389, authentication 1 rlm_ldap: bind as uid=test.user@studenti.unipd.it,ou=students,dc=unipd,dc=it/XXX to mytestingdirectory.it:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful [ldap] user test.user@studenti.unipd.it authenticated succesfully ++[ldap] returns ok WARNING: Empty section. Using default return values. } # server inner-tunnel [ttls] Got tunneled reply code 2 [ttls] Got tunneled Access-Accept [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 210 to 192.168.100.11 port 41898 MS-MPPE-Recv-Key = 0x7e3008da04efccfd6c7be689ff4b9f936c80c49e65c3ca620ebe67043037fb4e MS-MPPE-Send-Key = 0x37248e65b82a594d264cc1f03d9a1cb55addc7e916ec0c035bbe98c183bf5548 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous@unipd.it" Finished request 6. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 204 with timestamp +12 Cleaning up request 1 ID 205 with timestamp +12 Cleaning up request 2 ID 206 with timestamp +12 Cleaning up request 3 ID 207 with timestamp +12 Cleaning up request 4 ID 208 with timestamp +12 Cleaning up request 5 ID 209 with timestamp +12 Cleaning up request 6 ID 210 with timestamp +12 Ready to process requests.
On Wed, Mar 7, 2012 at 12:32 AM, Stefano Zanmarchi <zanmarchi@gmail.com> wrote:
Hi, my aim is to to have eap-ttls/pap working using an openldap user database with MD5 hashed passwords. I got it working configuring ldap parameters in /etc/raddb/modules/ldap and applying two changes in /etc/raddb/sites-available/inner-tunnel: 1) uncommented "ldap" in the authorize section 2) uncommented these lines in the authenticate section: Auth-Type LDAP { ldap } Am I doing it right?
The documentation advised against that. Instead, you should find out which LDAP attribute stores your MD5-password, add the correct mapping to ldap.attrmap, and leave Auth-Type section commented-out. It shouldn't affect the result though, since you don't have cleartext-password stored in LDAP.
What puzzles me is the following comment in the authenticate section that seems to warn me not to do what I have done ("EAP wont'work"): # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password.
AFAIK that section refers to EAP-PEAP-MSCHAPv2, the most commonly-used EAP type. See http://wiki.freeradius.org/Protocol%20Compatibility regardless whether you use Auth-Type or not, you still will only be able to use PAP, TTLS-PAP, or EAP-GTC as those are the ones that provide user password in clear text. -- Fajar
On Wed, Mar 7, 2012 at 1:53 AM, Fajar A. Nugraha <list@fajar.net> wrote:
On Wed, Mar 7, 2012 at 12:32 AM, Stefano Zanmarchi <zanmarchi@gmail.com> wrote:
Hi, my aim is to to have eap-ttls/pap working using an openldap user database with MD5 hashed passwords. I got it working configuring ldap parameters in /etc/raddb/modules/ldap and applying two changes in /etc/raddb/sites-available/inner-tunnel: 1) uncommented "ldap" in the authorize section 2) uncommented these lines in the authenticate section: Auth-Type LDAP { ldap } Am I doing it right?
The documentation advised against that.
Instead, you should find out which LDAP attribute stores your MD5-password, add the correct mapping to ldap.attrmap, and leave Auth-Type section commented-out.
It shouldn't affect the result though, since you don't have cleartext-password stored in LDAP.
I should've said "It shouldn't affect the result FOR YOU, since you don't have cleartext-password stored in LDAP, and only have MD5 hash". If you have NT-hash version of the password stored instead, then the choice of forcing auth-type or not means the difference between being able to use (EAP-)MSCHAPv2 or not. -- Fajar
On Tue, Mar 6, 2012 at 8:00 PM, Fajar A. Nugraha <list@fajar.net> wrote:
Instead, you should find out which LDAP attribute stores your MD5-password, add the correct mapping to ldap.attrmap, and leave Auth-Type section commented-out.
Hi Fajar, thank you for your kind answers, l'll try that out. One thing still isn't clear to me though. Since the LDAP "userPassword" contains the hashed password, how can freeradius use ldap.attrmap to perform authentication? I thought it could only try to bind as the user. Best, Stefano
On Wed, Mar 7, 2012 at 3:09 AM, Stefano Zanmarchi <zanmarchi@gmail.com> wrote:
On Tue, Mar 6, 2012 at 8:00 PM, Fajar A. Nugraha <list@fajar.net> wrote:
Instead, you should find out which LDAP attribute stores your MD5-password, add the correct mapping to ldap.attrmap, and leave Auth-Type section commented-out.
Hi Fajar, thank you for your kind answers, l'll try that out. One thing still isn't clear to me though. Since the LDAP "userPassword" contains the hashed password, how can freeradius use ldap.attrmap to perform authentication? I thought it could only try to bind as the user.
I assume you've seen http://wiki.freeradius.org/Rlm_ldap ? Basically you need to determine: - which LDAP attribute stores the password (e.g. userPassword? something else?) - does the attribute store the password with header (e.g {md5})? - is the mapping in ldap.attrmap correct? -- Fajar
On Wed, Mar 7, 2012 at 1:58 AM, Fajar A. Nugraha <list@fajar.net> wrote:
I assume you've seen http://wiki.freeradius.org/Rlm_ldap ?
Basically you need to determine: - which LDAP attribute stores the password (e.g. userPassword? something else?) - does the attribute store the password with header (e.g {md5})? - is the mapping in ldap.attrmap correct?
Hi Fajar, I followed your advice and it is working now (without Auth-Type LDAP in the authenticate section); just one note: I needed to set auto_header to yes in the modules/pap file to have pap work with the hashed passwords stored in the directory. Thanks again!
participants (2)
-
Fajar A. Nugraha -
Stefano Zanmarchi