Good Evening, I have been working on building a new FreeRadius 3.0.16 server on Ubuntu. Our goal was to mimic our current setup, but instead of using the old server which is mashed together with some other applications that no longer function, devote one to this. I have followed the instructions on many sites on how to enable the proper modules and configure LDAP accordingly(Our LDAP is acutally ldap.google.com) and we have successfully ran a radtest authentication against the LDAP settings, and it is Accepted. Great right? Well, then we attempted to enable EAP-TTLS, nothing seemed to work properly, and we found many different ways people were doing this. While researching a solution I've already configured all of our certificates. So the last part we need to understand is the reason why we are getting "ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject" I'm new to this kind of mailing list system, so please bear with me. I'm attaching the output log of our servers startup, and the connection log of my computer attempting over our wireless controller. Thank you for your time, Nathan
On Mar 7, 2019, at 9:06 AM, Nate . <nate2077developer@gmail.com> wrote:
Good Evening, I have been working on building a new FreeRadius 3.0.16 server on Ubuntu. Our goal was to mimic our current setup, but instead of using the old server which is mashed together with some other applications that no longer function, devote one to this. I have followed the instructions on many sites on how to enable the proper modules and configure LDAP accordingly
That's a problem. 99% of those sites give bad advice.
(Our LDAP is acutally ldap.google.com) and we have successfully ran a radtest authentication against the LDAP settings, and it is Accepted. Great right? Well, then we attempted to enable EAP-TTLS, nothing seemed to work properly, and we found many different ways people were doing this. While researching a solution I've already configured all of our certificates.
It's 2019. The server comes with *tons* of documentation on how to do things. The comments in the configuration files tell you what to do, and what everything means.
So the last part we need to understand is the reason why we are getting "ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
I'm new to this kind of mailing list system, so please bear with me. I'm attaching the output log of our servers startup, and the connection log of my computer attempting over our wireless controller.
You edited the default configuration and broke it. Don't do that. Throw away everything you did, except maybe the certificates, and the LDAP module configuration. Start over with the default configuration. Make sure that the authentication works with "radtest". If it does, then read sites-enabled/inner-tunnel. Run radtest against the inner tunnel, following the instructions there. If radtest works for the inner tunnel, then EAP-TTLS should work. If radtest doesn't work for the inner tunnel, then post that debug output here. Alan DeKok.
Ok, duly noted. I've restored the defaults. Migrated settings for certificates, and the LDAP. Now my LDAP isn't working anymore. Where am I looking to edit first so that I can begin testing and not accidentally jump ahead of myself? I added the flat file user, as many recommend, that's working. "radtest flatuser testpass 127.0.0.1 0 testing123" When I run the test using my LDAP credentials I get "ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject" It's my understanding I'm only missing the reference in sites/default > authentication for the LDAP module? I'm about to change the sites-enabled/default, if you wouldn't mind reviewing the test I've attached to make sure I'm on the right path here before I change anything. Thanks again for the assistance, On Thu, Mar 7, 2019 at 9:38 AM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 7, 2019, at 9:06 AM, Nate . <nate2077developer@gmail.com> wrote:
Good Evening, I have been working on building a new FreeRadius 3.0.16 server on Ubuntu. Our goal was to mimic our current setup, but instead of using the old server which is mashed together with some other applications that no longer function, devote one to this. I have followed the instructions on many sites on how to enable the proper modules and configure LDAP accordingly
That's a problem. 99% of those sites give bad advice.
(Our LDAP is acutally ldap.google.com) and we have successfully ran a radtest authentication against the LDAP settings, and it is Accepted. Great right? Well, then we attempted to enable EAP-TTLS, nothing seemed to work properly, and we found many different ways people were doing this. While researching a solution I've already configured all of our certificates.
It's 2019. The server comes with *tons* of documentation on how to do things. The comments in the configuration files tell you what to do, and what everything means.
So the last part we need to understand is the reason why we are getting "ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
I'm new to this kind of mailing list system, so please bear with me. I'm attaching the output log of our servers startup, and the connection log of my computer attempting over our wireless controller.
You edited the default configuration and broke it. Don't do that.
Throw away everything you did, except maybe the certificates, and the LDAP module configuration. Start over with the default configuration.
Make sure that the authentication works with "radtest". If it does, then read sites-enabled/inner-tunnel. Run radtest against the inner tunnel, following the instructions there.
If radtest works for the inner tunnel, then EAP-TTLS should work.
If radtest doesn't work for the inner tunnel, then post that debug output here.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 8, 2019, at 12:01 PM, Nate . <nate2077developer@gmail.com> wrote:
Ok, duly noted. I've restored the defaults. Migrated settings for certificates, and the LDAP. Now my LDAP isn't working anymore. Where am I looking to edit first so that I can begin testing and not accidentally jump ahead of myself? I added the flat file user, as many recommend, that's working. "radtest flatuser testpass 127.0.0.1 0 testing123" When I run the test using my LDAP credentials I get "ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
See mods-available/ldap. It has documentation on how to fix this. Look for "Auth-Type". You will also need to uncomment the "Auth-Type LDAP" block sites-enabled/default, in the "authenticate" section. Alan DeKok.
Sorry for the delay. I've updated the files, LDAP is working now, I'm sorry I didn't catch that part in the configuration, I feel slightly overwhelmed. Good news though, LDAP is working using "radtest -t pap" and without the "-t pap". I've gone ahead and tested via the Wireless controller now, and I am seeing.. (9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password and (9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (9) mschap: ERROR: MS-CHAP2-Response is incorrect Now, I know there's a way to map attributes using the LDAP modules 'update' section, but I have no idea how this works and I also do not know what googles structure is. So if this is the route I have to take, I'll have to do a bit of research on that then. I feel like that's what the problem is here, but at the same time, Authentication via radtest was successful, so I am having doubts. I've attached a full log of me connecting via WIFI for convenience. On Fri, Mar 8, 2019 at 12:05 PM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 8, 2019, at 12:01 PM, Nate . <nate2077developer@gmail.com> wrote:
Ok, duly noted. I've restored the defaults. Migrated settings for certificates, and the LDAP. Now my LDAP isn't working anymore. Where am I looking to edit first so that I can begin testing and not accidentally
jump
ahead of myself? I added the flat file user, as many recommend, that's working. "radtest flatuser testpass 127.0.0.1 0 testing123" When I run the test using my LDAP credentials I get "ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
See mods-available/ldap. It has documentation on how to fix this. Look for "Auth-Type".
You will also need to uncomment the "Auth-Type LDAP" block sites-enabled/default, in the "authenticate" section.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I realized my stupidity here. Using PAP, but for some reason only my phone will use PAP, our desktops are not giving me any choice. I found this: https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-se... I had originally followed that in my very first round of trying all of this, but it never got it working. I've also tested connecting using the flat user credentials, it worked! I attached that result too, just in case. On Fri, Mar 8, 2019 at 1:02 PM Nate . <nate2077developer@gmail.com> wrote:
Sorry for the delay. I've updated the files, LDAP is working now, I'm sorry I didn't catch that part in the configuration, I feel slightly overwhelmed. Good news though, LDAP is working using "radtest -t pap" and without the "-t pap". I've gone ahead and tested via the Wireless controller now, and I am seeing.. (9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password and (9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (9) mschap: ERROR: MS-CHAP2-Response is incorrect
Now, I know there's a way to map attributes using the LDAP modules 'update' section, but I have no idea how this works and I also do not know what googles structure is. So if this is the route I have to take, I'll have to do a bit of research on that then. I feel like that's what the problem is here, but at the same time, Authentication via radtest was successful, so I am having doubts.
I've attached a full log of me connecting via WIFI for convenience.
On Fri, Mar 8, 2019 at 12:05 PM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 8, 2019, at 12:01 PM, Nate . <nate2077developer@gmail.com> wrote:
Ok, duly noted. I've restored the defaults. Migrated settings for certificates, and the LDAP. Now my LDAP isn't working anymore. Where am
I
looking to edit first so that I can begin testing and not accidentally jump ahead of myself? I added the flat file user, as many recommend, that's working. "radtest flatuser testpass 127.0.0.1 0 testing123" When I run the test using my LDAP credentials I get "ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
See mods-available/ldap. It has documentation on how to fix this. Look for "Auth-Type".
You will also need to uncomment the "Auth-Type LDAP" block sites-enabled/default, in the "authenticate" section.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have been dealing a few things, so this got delayed, apologies. I am still unclear on why I am unable to connect via the EAPTTLS-PAP. I have reviewed the log many times and I don't really understand it. I noticed a part of the authentication where it tries the LDAP, binds, and then theres a part where it says "if ((ok || updated) && User-Password) -> FALSE" where it is true on the radtest. I'm felt certain it's the User-Password missing or something, but I don't understand why it would be missing. I noticed the "(0) User-Password = " does not appear at the top of the connection log like the radtest either. Though, on the "Flat file user credentials" from my previous email, you can see it is also not listed at the top, so maybe it's not that. Thank you for your time, Nate On Fri, Mar 8, 2019 at 3:59 PM Nate . <nate2077developer@gmail.com> wrote:
I realized my stupidity here. Using PAP, but for some reason only my phone will use PAP, our desktops are not giving me any choice. I found this:
https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-se... I had originally followed that in my very first round of trying all of this, but it never got it working.
I've also tested connecting using the flat user credentials, it worked! I attached that result too, just in case.
On Fri, Mar 8, 2019 at 1:02 PM Nate . <nate2077developer@gmail.com> wrote:
Sorry for the delay. I've updated the files, LDAP is working now, I'm sorry I didn't catch that part in the configuration, I feel slightly overwhelmed. Good news though, LDAP is working using "radtest -t pap" and without the "-t pap". I've gone ahead and tested via the Wireless controller now, and I am seeing.. (9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password and (9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (9) mschap: ERROR: MS-CHAP2-Response is incorrect
Now, I know there's a way to map attributes using the LDAP modules 'update' section, but I have no idea how this works and I also do not know what googles structure is. So if this is the route I have to take, I'll have to do a bit of research on that then. I feel like that's what the problem is here, but at the same time, Authentication via radtest was successful, so I am having doubts.
I've attached a full log of me connecting via WIFI for convenience.
On Fri, Mar 8, 2019 at 12:05 PM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 8, 2019, at 12:01 PM, Nate . <nate2077developer@gmail.com> wrote:
Ok, duly noted. I've restored the defaults. Migrated settings for certificates, and the LDAP. Now my LDAP isn't working anymore. Where
am I
looking to edit first so that I can begin testing and not accidentally jump ahead of myself? I added the flat file user, as many recommend, that's working. "radtest flatuser testpass 127.0.0.1 0 testing123" When I run the test using my LDAP credentials I get "ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
See mods-available/ldap. It has documentation on how to fix this. Look for "Auth-Type".
You will also need to uncomment the "Auth-Type LDAP" block sites-enabled/default, in the "authenticate" section.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
debug? have you actually tried EAP-TTLS/PAP - because the previous emails noted that you were doing MSCHAPv2 - thats EAP-TTLS/MSCHAPv2 - challenge response...and LDAP is not an authentication system..its just a lookup database. alan On Thu, 21 Mar 2019 at 14:58, Nate . <nate2077developer@gmail.com> wrote: > > I have been dealing a few things, so this got delayed, apologies. I am > still unclear on why I am unable to connect via the EAPTTLS-PAP. I have > reviewed the log many times and I don't really understand it. I noticed a > part of the authentication where it tries the LDAP, binds, and then theres > a part where it says "if ((ok || updated) && User-Password) -> FALSE" > where it is true on the radtest. I'm felt certain it's the User-Password > missing or something, but I don't understand why it would be missing. I > noticed the "(0) User-Password = " does not appear at the top of the > connection log like the radtest either. Though, on the "Flat file user > credentials" from my previous email, you can see it is also not listed at > the top, so maybe it's not that. > > Thank you for your time, > Nate > > On Fri, Mar 8, 2019 at 3:59 PM Nate . <nate2077developer@gmail.com> wrote: > > > I realized my stupidity here. Using PAP, but for some reason only my phone > > will use PAP, our desktops are not giving me any choice. I found this: > > > > https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_sites-available-default > > I had originally followed that in my very first round of trying all of > > this, but it never got it working. > > > > I've also tested connecting using the flat user credentials, it worked! I > > attached that result too, just in case. > > > > > > On Fri, Mar 8, 2019 at 1:02 PM Nate . <nate2077developer@gmail.com> wrote: > > > >> Sorry for the delay. I've updated the files, LDAP is working now, I'm > >> sorry I didn't catch that part in the configuration, I feel slightly > >> overwhelmed. Good news though, LDAP is working using "radtest -t pap" and > >> without the "-t pap". > >> I've gone ahead and tested via the Wireless controller now, and I am > >> seeing.. > >> (9) mschap: WARNING: No Cleartext-Password configured. Cannot create > >> NT-Password > >> (9) mschap: WARNING: No Cleartext-Password configured. Cannot create > >> LM-Password > >> and > >> (9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform > >> authentication > >> (9) mschap: ERROR: MS-CHAP2-Response is incorrect > >> > >> Now, I know there's a way to map attributes using the LDAP modules > >> 'update' section, but I have no idea how this works and I also do not know > >> what googles structure is. So if this is the route I have to take, I'll > >> have to do a bit of research on that then. I feel like that's what the > >> problem is here, but at the same time, Authentication via radtest was > >> successful, so I am having doubts. > >> > >> I've attached a full log of me connecting via WIFI for convenience. > >> > >> On Fri, Mar 8, 2019 at 12:05 PM Alan DeKok <aland@deployingradius.com> > >> wrote: > >> > >>> On Mar 8, 2019, at 12:01 PM, Nate . <nate2077developer@gmail.com> wrote: > >>> > > >>> > Ok, duly noted. I've restored the defaults. Migrated settings for > >>> > certificates, and the LDAP. Now my LDAP isn't working anymore. Where > >>> am I > >>> > looking to edit first so that I can begin testing and not accidentally > >>> jump > >>> > ahead of myself? > >>> > I added the flat file user, as many recommend, that's working. "radtest > >>> > flatuser testpass 127.0.0.1 0 testing123" > >>> > When I run the test using my LDAP credentials I get "ERROR: No > >>> Auth-Type > >>> > found: rejecting the user via Post-Auth-Type = Reject" > >>> > >>> See mods-available/ldap. It has documentation on how to fix this. > >>> Look for "Auth-Type". > >>> > >>> You will also need to uncomment the "Auth-Type LDAP" block > >>> sites-enabled/default, in the "authenticate" section. > >>> > >>> Alan DeKok. > >>> > >>> > >>> - > >>> List info/subscribe/unsubscribe? See > >>> http://www.freeradius.org/list/users.html > >> > >> > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 21, 2019, at 10:57 AM, Nate . <nate2077developer@gmail.com> wrote:
I have been dealing a few things, so this got delayed, apologies. I am still unclear on why I am unable to connect via the EAPTTLS-PAP. I have reviewed the log many times and I don't really understand it.
Then post it here as suggested in the "man" pages, web pages, and in the email you get when you join the list. How do you expect us to help you when you give us zero information?
I noticed a part of the authentication where it tries the LDAP, binds, and then theres a part where it says "if ((ok || updated) && User-Password) -> FALSE" where it is true on the radtest.
English descriptions are bad. Post the debug output. It will be much, much, faster to solve the problem.
I'm felt certain it's the User-Password missing or something, but I don't understand why it would be missing. I noticed the "(0) User-Password = " does not appear at the top of the connection log like the radtest either. Though, on the "Flat file user credentials" from my previous email, you can see it is also not listed at the top, so maybe it's not that.
<sigh> Vague descriptions of problems are an utter waste of everyones time. Post the debug log. Read the documentation. I've been saying this for 20 years, and it is getting tiring. Alan DeKok.
I thought I had attached them, I'm sorry... I'm running through the test again, and this time I'll make it super clearer which tests are which too. Please don't yell at me, I'm doing my best and it's an extremely stressful time for me. And please understand, I appreciate your help with everything. I've double checked. I have attached the startup part of the logs, and separated the two tests. The freeradius_radtest is using the following command: freeradius:~$ radtest -t pap ldap_user ldap_pass 127.0.0.1 0 testing123 Sent Access-Request Id 10 from 0.0.0.0:53177 to 127.0.0.1:1812 length 76 User-Name = "ldap_user" User-Password = "ldap_pass" NAS-IP-Address = 192.168.16.111 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "ldap_pass" Received Access-Accept Id 10 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 So I can see here that the LDAP Module is functioning properly. On Thu, Mar 21, 2019 at 2:35 PM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 21, 2019, at 10:57 AM, Nate . <nate2077developer@gmail.com> wrote:
I have been dealing a few things, so this got delayed, apologies. I am still unclear on why I am unable to connect via the EAPTTLS-PAP. I have reviewed the log many times and I don't really understand it.
Then post it here as suggested in the "man" pages, web pages, and in the email you get when you join the list.
How do you expect us to help you when you give us zero information?
I noticed a part of the authentication where it tries the LDAP, binds, and then theres a part where it says "if ((ok || updated) && User-Password) -> FALSE" where it is true on the radtest.
English descriptions are bad. Post the debug output. It will be much, much, faster to solve the problem.
I'm felt certain it's the User-Password missing or something, but I don't understand why it would be missing. I noticed the "(0) User-Password = " does not appear at the top of the connection log like the radtest either. Though, on the "Flat file user credentials" from my previous email, you can see it is also not listed at the top, so maybe it's not that.
<sigh> Vague descriptions of problems are an utter waste of everyones time.
Post the debug log. Read the documentation. I've been saying this for 20 years, and it is getting tiring.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, 2019-03-22 at 14:12 -0400, Nate . wrote:
I thought I had attached them, I'm sorry... I'm running through the test again, and this time I'll make it super clearer which tests are which too.
You've got this in your "default" outer server (which is good for plain PAP): (0) if ((ok || updated) && User-Password) { (0) if ((ok || updated) && User-Password) -> TRUE (0) if ((ok || updated) && User-Password) { (0) update { (0) control:Auth-Type := LDAP (0) } # update = noop (0) } # if ((ok || updated) && User-Password) = noop but not in the inner-tunnel virtual server (for EAP/TTLS-PAP). You need to do that again inside the inner tunnel. -- Matthew
hi, okay - so you arent looking the password up with LDAP (hence the no known password thing) but you are binding to the LDAP to check credentials are okay. fine. so, assuming that the user and password are the same, once thing that looks possible is that you dont have the Auth-Type of LDAP enabled in your inner-tunnel virtual server (thats the bit that deals with the EAP side of the process with your setup) - you have a call to ldap enabled in the Authenticate part....but not the other half...the Authorization. your LDAP config is sane - as it works with the radtest method.... so that should be it. alan On Fri, 22 Mar 2019 at 18:14, Nate . <nate2077developer@gmail.com> wrote: > > I thought I had attached them, I'm sorry... I'm running through the test > again, and this time I'll make it super clearer which tests are which too. > > Please don't yell at me, I'm doing my best and it's an extremely stressful > time for me. And please understand, I appreciate your help with everything. > I've double checked. I have attached the startup part of the logs, and > separated the two tests. The freeradius_radtest is using the following > command: > > freeradius:~$ radtest -t pap ldap_user ldap_pass 127.0.0.1 0 testing123 > Sent Access-Request Id 10 from 0.0.0.0:53177 to 127.0.0.1:1812 length 76 > User-Name = "ldap_user" > User-Password = "ldap_pass" > NAS-IP-Address = 192.168.16.111 > NAS-Port = 0 > Message-Authenticator = 0x00 > Cleartext-Password = "ldap_pass" > Received Access-Accept Id 10 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 > > So I can see here that the LDAP Module is functioning properly. > > > On Thu, Mar 21, 2019 at 2:35 PM Alan DeKok <aland@deployingradius.com> > wrote: > > > On Mar 21, 2019, at 10:57 AM, Nate . <nate2077developer@gmail.com> wrote: > > > > > > I have been dealing a few things, so this got delayed, apologies. I am > > > still unclear on why I am unable to connect via the EAPTTLS-PAP. I have > > > reviewed the log many times and I don't really understand it. > > > > Then post it here as suggested in the "man" pages, web pages, and in the > > email you get when you join the list. > > > > How do you expect us to help you when you give us zero information? > > > > > I noticed a > > > part of the authentication where it tries the LDAP, binds, and then > > theres > > > a part where it says "if ((ok || updated) && User-Password) -> FALSE" > > > where it is true on the radtest. > > > > English descriptions are bad. Post the debug output. It will be much, > > much, faster to solve the problem. > > > > > I'm felt certain it's the User-Password > > > missing or something, but I don't understand why it would be missing. I > > > noticed the "(0) User-Password = " does not appear at the top of the > > > connection log like the radtest either. Though, on the "Flat file user > > > credentials" from my previous email, you can see it is also not listed at > > > the top, so maybe it's not that. > > > > <sigh> Vague descriptions of problems are an utter waste of everyones > > time. > > > > Post the debug log. Read the documentation. I've been saying this for > > 20 years, and it is getting tiring. > > > > Alan DeKok. > > > > > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan, I'm not quite following you. So you are saying everything should be
working or are you re-iterating what Matthew said?
Matthew, I've added a section to sites-enabled/inner-tunnel. Here's the new
log, I should be adding the update control?
server inner-tunnel {
authenticate {
Auth-Type LDAP {
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
}
}
}
Somewhere I remember being instructed that I was supposed to comment out
the following in that section...
# Auth-Type LDAP {
# ldap
# }
On Fri, Mar 22, 2019 at 2:33 PM Alan Buxey <alan.buxey@gmail.com> wrote:
> hi,
>
> okay - so you arent looking the password up with LDAP (hence the no
> known password thing) but you are binding to the LDAP
> to check credentials are okay. fine.
>
> so, assuming that the user and password are the same, once thing that
> looks possible is that you dont have the Auth-Type of LDAP
> enabled in your inner-tunnel virtual server (thats the bit that deals
> with the EAP side of the process with your setup) - you have a
> call to ldap enabled in the Authenticate part....but not the other
> half...the Authorization. your LDAP config is sane - as it works with
> the radtest method.... so that should be it.
>
> alan
>
> On Fri, 22 Mar 2019 at 18:14, Nate . <nate2077developer@gmail.com> wrote:
> >
> > I thought I had attached them, I'm sorry... I'm running through the test
> > again, and this time I'll make it super clearer which tests are which
> too.
> >
> > Please don't yell at me, I'm doing my best and it's an extremely
> stressful
> > time for me. And please understand, I appreciate your help with
> everything.
> > I've double checked. I have attached the startup part of the logs, and
> > separated the two tests. The freeradius_radtest is using the following
> > command:
> >
> > freeradius:~$ radtest -t pap ldap_user ldap_pass 127.0.0.1 0 testing123
> > Sent Access-Request Id 10 from 0.0.0.0:53177 to 127.0.0.1:1812 length 76
> > User-Name = "ldap_user"
> > User-Password = "ldap_pass"
> > NAS-IP-Address = 192.168.16.111
> > NAS-Port = 0
> > Message-Authenticator = 0x00
> > Cleartext-Password = "ldap_pass"
> > Received Access-Accept Id 10 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
> >
> > So I can see here that the LDAP Module is functioning properly.
> >
> >
> > On Thu, Mar 21, 2019 at 2:35 PM Alan DeKok <aland@deployingradius.com>
> > wrote:
> >
> > > On Mar 21, 2019, at 10:57 AM, Nate . <nate2077developer@gmail.com>
> wrote:
> > > >
> > > > I have been dealing a few things, so this got delayed, apologies. I
> am
> > > > still unclear on why I am unable to connect via the EAPTTLS-PAP. I
> have
> > > > reviewed the log many times and I don't really understand it.
> > >
> > > Then post it here as suggested in the "man" pages, web pages, and in
> the
> > > email you get when you join the list.
> > >
> > > How do you expect us to help you when you give us zero information?
> > >
> > > > I noticed a
> > > > part of the authentication where it tries the LDAP, binds, and then
> > > theres
> > > > a part where it says "if ((ok || updated) && User-Password) ->
> FALSE"
> > > > where it is true on the radtest.
> > >
> > > English descriptions are bad. Post the debug output. It will be
> much,
> > > much, faster to solve the problem.
> > >
> > > > I'm felt certain it's the User-Password
> > > > missing or something, but I don't understand why it would be
> missing. I
> > > > noticed the "(0) User-Password = " does not appear at the top of
> the
> > > > connection log like the radtest either. Though, on the "Flat file
> user
> > > > credentials" from my previous email, you can see it is also not
> listed at
> > > > the top, so maybe it's not that.
> > >
> > > <sigh> Vague descriptions of problems are an utter waste of
> everyones
> > > time.
> > >
> > > Post the debug log. Read the documentation. I've been saying this
> for
> > > 20 years, and it is getting tiring.
> > >
> > > Alan DeKok.
> > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
On Mar 22, 2019, at 3:33 PM, Nate . <nate2077developer@gmail.com> wrote:
Matthew, I've added a section to sites-enabled/inner-tunnel. Here's the new log, I should be adding the update control? server inner-tunnel { authenticate { Auth-Type LDAP { if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap
i.e. "in the Auth-Type ldap block, tell the server to use the Auth-Type ldap block" That doesn't make sense. You're making random changes without really understanding what's going on. Don't do that. Run "radtest" on the *inner-tunnel* virtual server. The instructions for this are at the top of the "inner-tunnel" virtual server. Don't do anything with EAP until radtest works. Go back to the default configuration for the "inner-tunnel" virtual server. It works. Then, you want to *check passwords against LDAP*. This means reading the "inner-tunnel" virtual server, and looking for "ldap". Then, reading the comments there. In short, what you want to do is: 1) uncomment the "Auth-Type ldap" section in the "authenticate" section. This allows the server to check passwords against LDAP. 2) tell the server to use the above block for checking User-Password. This means editing the "authorize" section. The last entry in the "authorize" section is "pap". Add some text before it: authorize { ... if (User-Password) { update control { Auth-Type := LDAP } } pap } Test it with "radtest" on the *inner tunnel only*. If that works, then TTLS + PAP should work. Alan DeKok.
hi,
>Alan, I'm not quite following you. So you are saying everything should be
>working or are you re-iterating what Matthew said?
no. its not working - as you know - and yes, you need to follow my
advice and Matthews.
look at your default server - the ldap parts in authenticate and
authorize section. they work for
non EAP (the radtest) - so make similar config in the inner-tunnel
(which is whats used for EAP)
Auth-Type only belongs in certain places...you cannot just stick it around.
as Alan says, there is a way to directly test the inner-tunnel policy
directly without
involving EAP (for some types of things and configs) - use its local
listener....the high port
configured/available to it (18120 or such)
alan
On Fri, 22 Mar 2019 at 19:35, Nate . <nate2077developer@gmail.com> wrote:
>
> Alan, I'm not quite following you. So you are saying everything should be
> working or are you re-iterating what Matthew said?
>
> Matthew, I've added a section to sites-enabled/inner-tunnel. Here's the new
> log, I should be adding the update control?
> server inner-tunnel {
> authenticate {
> Auth-Type LDAP {
> if ((ok || updated) && User-Password) {
> update {
> control:Auth-Type := ldap
> }
> }
> }
> }
> }
>
> Somewhere I remember being instructed that I was supposed to comment out
> the following in that section...
> # Auth-Type LDAP {
> # ldap
> # }
>
>
>
> On Fri, Mar 22, 2019 at 2:33 PM Alan Buxey <alan.buxey@gmail.com> wrote:
>
> > hi,
> >
> > okay - so you arent looking the password up with LDAP (hence the no
> > known password thing) but you are binding to the LDAP
> > to check credentials are okay. fine.
> >
> > so, assuming that the user and password are the same, once thing that
> > looks possible is that you dont have the Auth-Type of LDAP
> > enabled in your inner-tunnel virtual server (thats the bit that deals
> > with the EAP side of the process with your setup) - you have a
> > call to ldap enabled in the Authenticate part....but not the other
> > half...the Authorization. your LDAP config is sane - as it works with
> > the radtest method.... so that should be it.
> >
> > alan
> >
> > On Fri, 22 Mar 2019 at 18:14, Nate . <nate2077developer@gmail.com> wrote:
> > >
> > > I thought I had attached them, I'm sorry... I'm running through the test
> > > again, and this time I'll make it super clearer which tests are which
> > too.
> > >
> > > Please don't yell at me, I'm doing my best and it's an extremely
> > stressful
> > > time for me. And please understand, I appreciate your help with
> > everything.
> > > I've double checked. I have attached the startup part of the logs, and
> > > separated the two tests. The freeradius_radtest is using the following
> > > command:
> > >
> > > freeradius:~$ radtest -t pap ldap_user ldap_pass 127.0.0.1 0 testing123
> > > Sent Access-Request Id 10 from 0.0.0.0:53177 to 127.0.0.1:1812 length 76
> > > User-Name = "ldap_user"
> > > User-Password = "ldap_pass"
> > > NAS-IP-Address = 192.168.16.111
> > > NAS-Port = 0
> > > Message-Authenticator = 0x00
> > > Cleartext-Password = "ldap_pass"
> > > Received Access-Accept Id 10 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
> > >
> > > So I can see here that the LDAP Module is functioning properly.
> > >
> > >
> > > On Thu, Mar 21, 2019 at 2:35 PM Alan DeKok <aland@deployingradius.com>
> > > wrote:
> > >
> > > > On Mar 21, 2019, at 10:57 AM, Nate . <nate2077developer@gmail.com>
> > wrote:
> > > > >
> > > > > I have been dealing a few things, so this got delayed, apologies. I
> > am
> > > > > still unclear on why I am unable to connect via the EAPTTLS-PAP. I
> > have
> > > > > reviewed the log many times and I don't really understand it.
> > > >
> > > > Then post it here as suggested in the "man" pages, web pages, and in
> > the
> > > > email you get when you join the list.
> > > >
> > > > How do you expect us to help you when you give us zero information?
> > > >
> > > > > I noticed a
> > > > > part of the authentication where it tries the LDAP, binds, and then
> > > > theres
> > > > > a part where it says "if ((ok || updated) && User-Password) ->
> > FALSE"
> > > > > where it is true on the radtest.
> > > >
> > > > English descriptions are bad. Post the debug output. It will be
> > much,
> > > > much, faster to solve the problem.
> > > >
> > > > > I'm felt certain it's the User-Password
> > > > > missing or something, but I don't understand why it would be
> > missing. I
> > > > > noticed the "(0) User-Password = " does not appear at the top of
> > the
> > > > > connection log like the radtest either. Though, on the "Flat file
> > user
> > > > > credentials" from my previous email, you can see it is also not
> > listed at
> > > > > the top, so maybe it's not that.
> > > >
> > > > <sigh> Vague descriptions of problems are an utter waste of
> > everyones
> > > > time.
> > > >
> > > > Post the debug log. Read the documentation. I've been saying this
> > for
> > > > 20 years, and it is getting tiring.
> > > >
> > > > Alan DeKok.
> > > >
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > -
> > > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I think I understand it better now, I've made those changes, and connecting
an android phone with the required security preferences is working! Now I'm
struggling to get an Apple desktop to let me choose what protocols to use,
so I'm working on figuring out why that is now. I've already been contacted
one on one by 8 other people asking for this exact same setup,
mac/windows/android environment, with Freeradius using LDAP to authenticate
via Googles Applet.
I'll update you on what I find.
Thank you for the help,
On Fri, Mar 22, 2019 at 4:57 PM Alan Buxey <alan.buxey@gmail.com> wrote:
> hi,
>
> >Alan, I'm not quite following you. So you are saying everything should be
> >working or are you re-iterating what Matthew said?
>
> no. its not working - as you know - and yes, you need to follow my
> advice and Matthews.
>
> look at your default server - the ldap parts in authenticate and
> authorize section. they work for
> non EAP (the radtest) - so make similar config in the inner-tunnel
> (which is whats used for EAP)
>
> Auth-Type only belongs in certain places...you cannot just stick it around.
>
> as Alan says, there is a way to directly test the inner-tunnel policy
> directly without
> involving EAP (for some types of things and configs) - use its local
> listener....the high port
> configured/available to it (18120 or such)
>
> alan
>
> On Fri, 22 Mar 2019 at 19:35, Nate . <nate2077developer@gmail.com> wrote:
> >
> > Alan, I'm not quite following you. So you are saying everything should be
> > working or are you re-iterating what Matthew said?
> >
> > Matthew, I've added a section to sites-enabled/inner-tunnel. Here's the
> new
> > log, I should be adding the update control?
> > server inner-tunnel {
> > authenticate {
> > Auth-Type LDAP {
> > if ((ok || updated) && User-Password) {
> > update {
> > control:Auth-Type := ldap
> > }
> > }
> > }
> > }
> > }
> >
> > Somewhere I remember being instructed that I was supposed to comment out
> > the following in that section...
> > # Auth-Type LDAP {
> > # ldap
> > # }
> >
> >
> >
> > On Fri, Mar 22, 2019 at 2:33 PM Alan Buxey <alan.buxey@gmail.com> wrote:
> >
> > > hi,
> > >
> > > okay - so you arent looking the password up with LDAP (hence the no
> > > known password thing) but you are binding to the LDAP
> > > to check credentials are okay. fine.
> > >
> > > so, assuming that the user and password are the same, once thing that
> > > looks possible is that you dont have the Auth-Type of LDAP
> > > enabled in your inner-tunnel virtual server (thats the bit that deals
> > > with the EAP side of the process with your setup) - you have a
> > > call to ldap enabled in the Authenticate part....but not the other
> > > half...the Authorization. your LDAP config is sane - as it works with
> > > the radtest method.... so that should be it.
> > >
> > > alan
> > >
> > > On Fri, 22 Mar 2019 at 18:14, Nate . <nate2077developer@gmail.com>
> wrote:
> > > >
> > > > I thought I had attached them, I'm sorry... I'm running through the
> test
> > > > again, and this time I'll make it super clearer which tests are which
> > > too.
> > > >
> > > > Please don't yell at me, I'm doing my best and it's an extremely
> > > stressful
> > > > time for me. And please understand, I appreciate your help with
> > > everything.
> > > > I've double checked. I have attached the startup part of the logs,
> and
> > > > separated the two tests. The freeradius_radtest is using the
> following
> > > > command:
> > > >
> > > > freeradius:~$ radtest -t pap ldap_user ldap_pass 127.0.0.1 0
> testing123
> > > > Sent Access-Request Id 10 from 0.0.0.0:53177 to 127.0.0.1:1812
> length 76
> > > > User-Name = "ldap_user"
> > > > User-Password = "ldap_pass"
> > > > NAS-IP-Address = 192.168.16.111
> > > > NAS-Port = 0
> > > > Message-Authenticator = 0x00
> > > > Cleartext-Password = "ldap_pass"
> > > > Received Access-Accept Id 10 from 127.0.0.1:1812 to 0.0.0.0:0
> length 20
> > > >
> > > > So I can see here that the LDAP Module is functioning properly.
> > > >
> > > >
> > > > On Thu, Mar 21, 2019 at 2:35 PM Alan DeKok <
> aland@deployingradius.com>
> > > > wrote:
> > > >
> > > > > On Mar 21, 2019, at 10:57 AM, Nate . <nate2077developer@gmail.com>
> > > wrote:
> > > > > >
> > > > > > I have been dealing a few things, so this got delayed,
> apologies. I
> > > am
> > > > > > still unclear on why I am unable to connect via the EAPTTLS-PAP.
> I
> > > have
> > > > > > reviewed the log many times and I don't really understand it.
> > > > >
> > > > > Then post it here as suggested in the "man" pages, web pages,
> and in
> > > the
> > > > > email you get when you join the list.
> > > > >
> > > > > How do you expect us to help you when you give us zero
> information?
> > > > >
> > > > > > I noticed a
> > > > > > part of the authentication where it tries the LDAP, binds, and
> then
> > > > > theres
> > > > > > a part where it says "if ((ok || updated) && User-Password) ->
> > > FALSE"
> > > > > > where it is true on the radtest.
> > > > >
> > > > > English descriptions are bad. Post the debug output. It will be
> > > much,
> > > > > much, faster to solve the problem.
> > > > >
> > > > > > I'm felt certain it's the User-Password
> > > > > > missing or something, but I don't understand why it would be
> > > missing. I
> > > > > > noticed the "(0) User-Password = " does not appear at the top
> of
> > > the
> > > > > > connection log like the radtest either. Though, on the "Flat file
> > > user
> > > > > > credentials" from my previous email, you can see it is also not
> > > listed at
> > > > > > the top, so maybe it's not that.
> > > > >
> > > > > <sigh> Vague descriptions of problems are an utter waste of
> > > everyones
> > > > > time.
> > > > >
> > > > > Post the debug log. Read the documentation. I've been saying
> this
> > > for
> > > > > 20 years, and it is getting tiring.
> > > > >
> > > > > Alan DeKok.
> > > > >
> > > > >
> > > > > -
> > > > > List info/subscribe/unsubscribe? See
> > > > > http://www.freeradius.org/list/users.html
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Nate, this may or may not help in your case, but we're using TTLS-PAP where
I work for WPA-Enterprise authentication and have successfully configured
various devices (Windows, Linux, macOS, iOS) using the installers generated
on the following site: https://enterprise-wifi.net/. Since you mentioned
issues getting Apple desktops to do TTLS-PAP I thought this might help.
-Martin
On Tue, Mar 26, 2019 at 9:12 AM Nate . <nate2077developer@gmail.com> wrote:
> I think I understand it better now, I've made those changes, and connecting
> an android phone with the required security preferences is working! Now I'm
> struggling to get an Apple desktop to let me choose what protocols to use,
> so I'm working on figuring out why that is now. I've already been contacted
> one on one by 8 other people asking for this exact same setup,
> mac/windows/android environment, with Freeradius using LDAP to authenticate
> via Googles Applet.
>
> I'll update you on what I find.
>
> Thank you for the help,
>
>
> On Fri, Mar 22, 2019 at 4:57 PM Alan Buxey <alan.buxey@gmail.com> wrote:
>
> > hi,
> >
> > >Alan, I'm not quite following you. So you are saying everything should
> be
> > >working or are you re-iterating what Matthew said?
> >
> > no. its not working - as you know - and yes, you need to follow my
> > advice and Matthews.
> >
> > look at your default server - the ldap parts in authenticate and
> > authorize section. they work for
> > non EAP (the radtest) - so make similar config in the inner-tunnel
> > (which is whats used for EAP)
> >
> > Auth-Type only belongs in certain places...you cannot just stick it
> around.
> >
> > as Alan says, there is a way to directly test the inner-tunnel policy
> > directly without
> > involving EAP (for some types of things and configs) - use its local
> > listener....the high port
> > configured/available to it (18120 or such)
> >
> > alan
> >
> > On Fri, 22 Mar 2019 at 19:35, Nate . <nate2077developer@gmail.com>
> wrote:
> > >
> > > Alan, I'm not quite following you. So you are saying everything should
> be
> > > working or are you re-iterating what Matthew said?
> > >
> > > Matthew, I've added a section to sites-enabled/inner-tunnel. Here's the
> > new
> > > log, I should be adding the update control?
> > > server inner-tunnel {
> > > authenticate {
> > > Auth-Type LDAP {
> > > if ((ok || updated) && User-Password) {
> > > update {
> > > control:Auth-Type := ldap
> > > }
> > > }
> > > }
> > > }
> > > }
> > >
> > > Somewhere I remember being instructed that I was supposed to comment
> out
> > > the following in that section...
> > > # Auth-Type LDAP {
> > > # ldap
> > > # }
> > >
> > >
> > >
> > > On Fri, Mar 22, 2019 at 2:33 PM Alan Buxey <alan.buxey@gmail.com>
> wrote:
> > >
> > > > hi,
> > > >
> > > > okay - so you arent looking the password up with LDAP (hence the no
> > > > known password thing) but you are binding to the LDAP
> > > > to check credentials are okay. fine.
> > > >
> > > > so, assuming that the user and password are the same, once thing that
> > > > looks possible is that you dont have the Auth-Type of LDAP
> > > > enabled in your inner-tunnel virtual server (thats the bit that deals
> > > > with the EAP side of the process with your setup) - you have a
> > > > call to ldap enabled in the Authenticate part....but not the other
> > > > half...the Authorization. your LDAP config is sane - as it works
> with
> > > > the radtest method.... so that should be it.
> > > >
> > > > alan
> > > >
> > > > On Fri, 22 Mar 2019 at 18:14, Nate . <nate2077developer@gmail.com>
> > wrote:
> > > > >
> > > > > I thought I had attached them, I'm sorry... I'm running through the
> > test
> > > > > again, and this time I'll make it super clearer which tests are
> which
> > > > too.
> > > > >
> > > > > Please don't yell at me, I'm doing my best and it's an extremely
> > > > stressful
> > > > > time for me. And please understand, I appreciate your help with
> > > > everything.
> > > > > I've double checked. I have attached the startup part of the logs,
> > and
> > > > > separated the two tests. The freeradius_radtest is using the
> > following
> > > > > command:
> > > > >
> > > > > freeradius:~$ radtest -t pap ldap_user ldap_pass 127.0.0.1 0
> > testing123
> > > > > Sent Access-Request Id 10 from 0.0.0.0:53177 to 127.0.0.1:1812
> > length 76
> > > > > User-Name = "ldap_user"
> > > > > User-Password = "ldap_pass"
> > > > > NAS-IP-Address = 192.168.16.111
> > > > > NAS-Port = 0
> > > > > Message-Authenticator = 0x00
> > > > > Cleartext-Password = "ldap_pass"
> > > > > Received Access-Accept Id 10 from 127.0.0.1:1812 to 0.0.0.0:0
> > length 20
> > > > >
> > > > > So I can see here that the LDAP Module is functioning properly.
> > > > >
> > > > >
> > > > > On Thu, Mar 21, 2019 at 2:35 PM Alan DeKok <
> > aland@deployingradius.com>
> > > > > wrote:
> > > > >
> > > > > > On Mar 21, 2019, at 10:57 AM, Nate . <
> nate2077developer@gmail.com>
> > > > wrote:
> > > > > > >
> > > > > > > I have been dealing a few things, so this got delayed,
> > apologies. I
> > > > am
> > > > > > > still unclear on why I am unable to connect via the
> EAPTTLS-PAP.
> > I
> > > > have
> > > > > > > reviewed the log many times and I don't really understand it.
> > > > > >
> > > > > > Then post it here as suggested in the "man" pages, web pages,
> > and in
> > > > the
> > > > > > email you get when you join the list.
> > > > > >
> > > > > > How do you expect us to help you when you give us zero
> > information?
> > > > > >
> > > > > > > I noticed a
> > > > > > > part of the authentication where it tries the LDAP, binds, and
> > then
> > > > > > theres
> > > > > > > a part where it says "if ((ok || updated) && User-Password) ->
> > > > FALSE"
> > > > > > > where it is true on the radtest.
> > > > > >
> > > > > > English descriptions are bad. Post the debug output. It will
> be
> > > > much,
> > > > > > much, faster to solve the problem.
> > > > > >
> > > > > > > I'm felt certain it's the User-Password
> > > > > > > missing or something, but I don't understand why it would be
> > > > missing. I
> > > > > > > noticed the "(0) User-Password = " does not appear at the top
> > of
> > > > the
> > > > > > > connection log like the radtest either. Though, on the "Flat
> file
> > > > user
> > > > > > > credentials" from my previous email, you can see it is also not
> > > > listed at
> > > > > > > the top, so maybe it's not that.
> > > > > >
> > > > > > <sigh> Vague descriptions of problems are an utter waste of
> > > > everyones
> > > > > > time.
> > > > > >
> > > > > > Post the debug log. Read the documentation. I've been saying
> > this
> > > > for
> > > > > > 20 years, and it is getting tiring.
> > > > > >
> > > > > > Alan DeKok.
> > > > > >
> > > > > >
> > > > > > -
> > > > > > List info/subscribe/unsubscribe? See
> > > > > > http://www.freeradius.org/list/users.html
> > > > > -
> > > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > -
> > > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
On Mar 26, 2019, at 9:09 AM, Nate . <nate2077developer@gmail.com> wrote:
I think I understand it better now, I've made those changes, and connecting an android phone with the required security preferences is working! Now I'm struggling to get an Apple desktop to let me choose what protocols to use,
Apple "helpfully" removed the EAP configuration options from their desktop systems. You will need to download their "Apple Configurator 2" utility, which can create mobile profiles.
so I'm working on figuring out why that is now. I've already been contacted one on one by 8 other people asking for this exact same setup, mac/windows/android environment, with Freeradius using LDAP to authenticate via Googles Applet.
People shouldn't be afraid of asking questions on the list. It's not that scary. Just (a) describe what you're doing, and (b) follow instructions. In the case of LDAP hosted by Google, the only thing that's going to work is TTLS + PAP. Because I doubt very much that Google will allow the export of clear-text passwords to FreeRADIUS. And if you search for "google ldap radius", you get this page: https://support.google.com/a/answer/9089736?hl=en which has *explicit instructions* for getting FreeRADIUS to work. Although as with damned near all third-party sites, their instructions are in part wrong. Specifically, DON'T do #5d. It will break all kinds of things. It's not necessary. And #5a is wrong, too. Don't add the block AFTER the "pap" line. Add the block BEFORE the "pap" line. And even for #5c, it's better to uncomment the entire block, not just the "ldap" line. And #5b can be done, but isn't necessary. And their line of " enable LDAP by removing the ‘-’ sign before it." is just wrong. <sigh> You would think that Google of all people would *read* the documentation before giving shitty advice to people.
I'll update you on what I find.
Thanks. Please either update the Wiki, or post a summary here. They we can update the docs / wiki. This *is* an open source project. We don't (and can't) run every possible combination of every tool. We can't document every possible combination of every tool. We rely on the community to help. Alan DeKok.
hi,
I think I understand it better now, I've made those changes, and connecting an android phone with the required security preferences is working! Now I'm struggling to get an Apple desktop to let me choose what protocols to use, so I'm working on figuring out why that is now. I've already been contacted one on one by 8 other people asking for this exact same setup, mac/windows/android environment, with Freeradius using LDAP to authenticate via Googles Applet.
OSX used to be really good for 802.1X networks. Then Apple chose to mess with the UI and preferences and did away with the ability to choose what methods to use etc. At least they added cert/CA checking to Lion but since then its gone downhill. the only option is to use a deployment profile to configure the relevant and correct settings. there are commercial tools and free tools (including Apples own configurator) - then create a profile that you can then just click on to install. With regards to the other platforms...at least its 2019 now - and Windows has come along enough that it supports EAP-TTLS/PAP now . your milage will vary for other platforms. to be honest, I would say use another mechanism - eg EAP-TLS (pure client/server certs) - use the LDAP as your authorization system for a simple web front end that generates and provides the user with their cert/profile alan
participants (5)
-
Alan Buxey -
Alan DeKok -
Martin Gignac -
Matthew Newton -
Nate .