Dear Freeradius-Team, I set up a wifi-system, authenticating via freeradius v3.0.12 and openldap. During the configuration I run into a problem, which I can’t understand. - Works: Authentication of the testuser ‘bob’ via EAP - Works: Radtest authentication of the user ‘spircher’ via ldap is also working fine. “radtest –x spircher test 127.0.0.1:1812 0 testing123” - Not working: Authentication of the user ‘spircher’ via ldap and eap Attached my debugging output. Do you have any ideas how to solve it? Thank you! Best regards Sabine Pircher
On May 18, 2017, at 1:58 PM, Pircher, Sabine <sabine.pircher@tum.de> wrote:
I set up a wifi-system, authenticating via freeradius v3.0.12 and openldap. During the configuration I run into a problem, which I can’t understand. - Works: Authentication of the testuser ‘bob’ via EAP
What did you use for a test client? eapol_test? Or a real system?
- Works: Radtest authentication of the user ‘spircher’ via ldap is also working fine. “radtest –x spircher test 127.0.0.1:1812 0 testing123”
Which doesn't test the end system. i.e. certificates, etc.
- Not working: Authentication of the user ‘spircher’ via ldap and eap Attached my debugging output.
Do you have any ideas how to solve it?
The supplicant is giving up. If you had waited a few more seconds, you would see more debug output which points you to a Wiki page. That page describes what's going on. Odds are you didn't put the CA certificate on the end user machine. See http://deployingradius.com for a "how to" guide. There are detailed and explicit instructions for what to do, along with what can go wrong, and why. Alan DeKok.
Thanks for your answers. WORKS: Storing the passwords in clear-text in the LDAP database (Standard-PosixAccount). But in general I don’t like to store any passwords in clear-text. I read this article: http://deployingradius.com/documents/protocols/compatibility.html and PAP inside EAP-TTLS looks good for me to store encrypted passwords, but I’m new to freeradius and authentication. What’s the best way ‘to do’ it? On 18.05.2017, 20:19, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+sabine.pircher=tum.de@lists.freeradius.org on behalf of aland@deployingradius.com> wrote:
On May 18, 2017, at 1:58 PM, Pircher, Sabine <sabine.pircher@tum.de> wrote:
I set up a wifi-system, authenticating via freeradius v3.0.12 and openldap. During the configuration I run into a problem, which I can’t understand. - Works: Authentication of the testuser ‘bob’ via EAP
What did you use for a test client? eapol_test? Or a real system?
I use a real system.
- Works: Radtest authentication of the user ‘spircher’ via ldap is also working fine. “radtest –x spircher test 127.0.0.1:1812 0 testing123”
Which doesn't test the end system. i.e. certificates, etc.
- Not working: Authentication of the user ‘spircher’ via ldap and eap Attached my debugging output.
Do you have any ideas how to solve it?
The supplicant is giving up. If you had waited a few more seconds, you would see more debug output which points you to a Wiki page. That page describes what's going on.
Odds are you didn't put the CA certificate on the end user machine.
Certificates are installed.
See http://deployingradius.com for a "how to" guide. There are detailed and explicit instructions for what to do, along with what can go wrong, and why.
Alan DeKok.
Best regards, Sabine Pircher
On Fri, May 19, 2017 at 09:59:49AM +0000, Pircher, Sabine wrote:
WORKS: Storing the passwords in clear-text in the LDAP database (Standard-PosixAccount). But in general I don’t like to store any passwords in clear-text.
I read this article: http://deployingradius.com/documents/protocols/compatibility.html and PAP inside EAP-TTLS looks good for me to store encrypted passwords, but I’m new to freeradius and authentication.
What’s the best way ‘to do’ it?
Decide on a combination that works for your environment. Which probably means evaluating what EAP methods your client supplicants can do and then having to store passwords that are compatible. A lot of clients can't do EAP-TTLS/PAP (e.g. Windows 7). So you end up having to use PEAP/EAP-MSCHAPv2 or EAP-TTLS/MSCHAPv2. Which means storing the passwords in NTLM hash or cleartext. And NTLM hash isn't much better than cleartext. If all your clients support EAP-TTLS/PAP then sure, store the passwords hashed in whatever method you like. Or just move to EAP-TLS and use certificates. But the overheads of that are significantly higher with cert management. -- Matthew
On 18 May 2017 18:58:41 BST, "Pircher, Sabine" <sabine.pircher@tum.de> wrote:
- Not working: Authentication of the user ‘spircher’ via ldap and eap Attached my debugging output. Do you have any ideas how to solve it?
Password from LDAP is SSHA1 format, which isn't going to be compatible with anything inside PEAP. Assuming the debug continues further, otherwise may be a certificate problem as well. -- Matthew
participants (3)
-
Alan DeKok -
Matthew Newton -
Pircher, Sabine