Re: EAP-GTC w/ "PAP-like" LDAP authentication
First, apologies for breaking threading. (I had mail delivery turned off, and Gmane's feed seems to be broken, so I'm cutting & pasting from the archive.)
Alan DeKok aland at deployingradius.com Sun Jan 27 20:17:58 CET 2019
(a) Make sure PEAP works with certificates.
Done. I've verified with tcpdump/Wireshark that the correct certificate is being used.
(b) configure and enable LDAP. See mods-available/ldap
Done.
Once the LDAP module is available, the server will automatically use it.
It's trying, but failing. (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
And, the server will automatically grab passwords from LDAP. And, the server will automatically use those passwords to do EAP-GTC.
It will try, but it will fail, because it doesn't have permission to read passwords/hashes from LDAP. I need to configure FreeRADIUS to bind *as the user* to LDAP. If the bind succeeds then the authentication succeeds.
It also helps to describe what you've done, what happened, and why you think it's wrong. Otherwise, we're limited to:
Q: I tried stuff and it doesn't work. What do I do? A: Try different stuff
Which isn't helpful to anyone. Better questions means better answers.
Fair enough. This seems like it would be such a common configuration that I would have thought that it would be documented somewhere. -- ======================================================================== Ian Pilcher arequipeno@gmail.com -------- "I grew up before Mark Zuckerberg invented friendship" -------- ========================================================================
On Jan 28, 2019, at 2:52 PM, Ian Pilcher <arequipeno@gmail.com> wrote:
Alan DeKok aland at deployingradius.com Sun Jan 27 20:17:58 CET 2019 (a) Make sure PEAP works with certificates.
Done. I've verified with tcpdump/Wireshark that the correct certificate is being used.
Good.
(b) configure and enable LDAP. See mods-available/ldap
Done.
Once the LDAP module is available, the server will automatically use it.
It's trying, but failing.
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
That's a usual problem. <sigh> "security" means not allowing your security server to read the secure passwords.
And, the server will automatically grab passwords from LDAP. And, the server will automatically use those passwords to do EAP-GTC.
It will try, but it will fail, because it doesn't have permission to read passwords/hashes from LDAP.
Yeah.
I need to configure FreeRADIUS to bind *as the user* to LDAP. If the bind succeeds then the authentication succeeds.
That's what the "auth_type" setting is for on the EAP GTC module configuration. Set it to something else. e.g. "ldap". And then make sure that "ldap" is listed in the "authenticate" section of the inner-tunnel virtual server.
It also helps to describe what you've done, what happened, and why you think it's wrong. Otherwise, we're limited to: Q: I tried stuff and it doesn't work. What do I do? A: Try different stuff Which isn't helpful to anyone. Better questions means better answers.
Fair enough. This seems like it would be such a common configuration that I would have thought that it would be documented somewhere.
It is. Especially if you post debug output showing *exactly* what went wrong. Alan DeKok.
On 1/28/19 2:40 PM, Alan DeKok wrote:
That's what the "auth_type" setting is for on the EAP GTC module configuration. Set it to something else. e.g. "ldap". And then make sure that "ldap" is listed in the "authenticate" section of the inner-tunnel virtual server.
Boom! That, plus the changes detailed in http://lists.freeradius.org/pipermail/freeradius-users/2016-September/084737... makes both EAP-GTC and EAP-TTLS work. Thank you! -- ======================================================================== Ian Pilcher arequipeno@gmail.com -------- "I grew up before Mark Zuckerberg invented friendship" -------- ========================================================================
On Jan 29, 2019, at 2:00 PM, Ian Pilcher <arequipeno@gmail.com> wrote:
On 1/28/19 2:40 PM, Alan DeKok wrote:
That's what the "auth_type" setting is for on the EAP GTC module configuration. Set it to something else. e.g. "ldap". And then make sure that "ldap" is listed in the "authenticate" section of the inner-tunnel virtual server.
Boom!
That, plus the changes detailed in http://lists.freeradius.org/pipermail/freeradius-users/2016-September/084737... makes both EAP-GTC and EAP-TTLS work.
That configuration is intended for a different use-case. While they might work, they're not correct. My earlier recommendation is the correct approach. Alan DeKok.
On 1/29/19 1:03 PM, Alan DeKok wrote:
That configuration is intended for a different use-case. While they might work, they're not correct.
My earlier recommendation is the correct approach.
Indeed. I was confused by the fact that the changes in that note make radtest (and EAP-TTLS) work. I've done a bit of testing, and I've come up with the following changes required to make each "method" work. (In addition to the certificate & LDAP configuration that is common across all 3 "methods.") * radtest - force Auth-Type LDAP in the authorize section of sites-available/default - enable LDAP authentication in the authenticate section of sites-available/default * EAP-TTLS - force Auth-Type LDAP in the authorize section of sites-available/inner-tunnel - enable LDAP authentication in the authenticate section of sites-available/inner-tunnel * EAP-GTC - set auth_type = LDAP in the gtc section of mods-available/eap - enable LDAP authentication in the authenticate section of sites-available/inner-tunnel I hope I've got that right. Thanks! -- ======================================================================== Ian Pilcher arequipeno@gmail.com -------- "I grew up before Mark Zuckerberg invented friendship" -------- ========================================================================
participants (2)
-
Alan DeKok -
Ian Pilcher