eap-ttls + PAP using Crypt-Password obtained by ldap
Hi, ist it possible to authenticate an user with eap-ttls using PAP with an Crypt-Password? The Crypt-Password is obtained by an LDAP-Server. I can do eap-ttls using MD5/PAP with an cleartext Password. thanks Florian -- -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813
Florian Prester wrote:
ist it possible to authenticate an user with eap-ttls using PAP with an Crypt-Password? The Crypt-Password is obtained by an LDAP-Server.
I can do eap-ttls using MD5/PAP with an cleartext Password.
Yes you can, however you have to configure your clients to use TTLS+PAP. Otherwise they will default to TTLS+MSCHAPv2 which will not work with crypted password. Here is a HOWTO on configuring TTLS+PAP http://vuksan.com/linux/dot1x/wpa-client-config.html Vladimir
Vladimir Vuksan wrote:
Florian Prester wrote:
ist it possible to authenticate an user with eap-ttls using PAP with an Crypt-Password? The Crypt-Password is obtained by an LDAP-Server.
I can do eap-ttls using MD5/PAP with an cleartext Password.
Yes you can, however you have to configure your clients to use TTLS+PAP. Otherwise they will default to TTLS+MSCHAPv2 which will not work with crypted password. Here is a HOWTO on configuring TTLS+PAP
http://vuksan.com/linux/dot1x/wpa-client-config.html
Vladimir - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Vladimir. I know your howto, it is very helpfull. I configured as you told, but I still get an error at the freeradius: .... Thu Aug 11 17:06:02 2005 : Debug: rlm_ldap: looking for reply items in directory... Thu Aug 11 17:06:02 2005 : Debug: rlm_ldap: user unrz148 authorized to use remote access Thu Aug 11 17:06:02 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Thu Aug 11 17:06:02 2005 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 3 Thu Aug 11 17:06:02 2005 : Debug: modcall[authorize]: module "ldap" returns ok for request 3 Thu Aug 11 17:06:02 2005 : Debug: modcall: group authorize returns updated for request 3 Thu Aug 11 17:06:02 2005 : Debug: rad_check_password: Found Auth-Type pap Thu Aug 11 17:06:02 2005 : Debug: auth: type "PAP" Thu Aug 11 17:06:02 2005 : Debug: Processing the authenticate section of radiusd.conf Thu Aug 11 17:06:02 2005 : Debug: modcall: entering group Auth-Type for request 3 Thu Aug 11 17:06:02 2005 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 3 Thu Aug 11 17:06:02 2005 : Auth: rlm_pap: Attribute "Password" is required for authentication. Thu Aug 11 17:06:02 2005 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 3 Thu Aug 11 17:06:02 2005 : Debug: modcall[authenticate]: module "pap" returns invalid for request 3 Thu Aug 11 17:06:02 2005 : Debug: modcall: group Auth-Type returns invalid for request 3 Thu Aug 11 17:06:02 2005 : Debug: auth: Failed to validate the user. ... The Crypted-Password is working and it is available as Crypt-Password. (Tested with ntradping). I added "DEFAULT Auth-Type := pap" at the end of the users-file, without it wants to use ldap-authentication! Also it works with an local user (defined in the users-file) and a Crypt-Password! Any hints? thanks Florian -- -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813
Florian Prester wrote:
The Crypted-Password is working and it is available as Crypt-Password. (Tested with ntradping). I added "DEFAULT Auth-Type := pap" at the end of the users-file, without it wants to use ldap-authentication!
You should set Auth-Type := pap See http://vuksan.com/linux/dot1x/802-1x-LDAP.html -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: thor.spruyt@telenet.be W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Thor Spruyt wrote:
Florian Prester wrote:
The Crypted-Password is working and it is available as Crypt-Password. (Tested with ntradping). I added "DEFAULT Auth-Type := pap" at the end of the users-file, without it wants to use ldap-authentication!
You should set Auth-Type := pap I mean SHOULDN'T!!!
-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: thor.spruyt@telenet.be W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
I configured as you told, but I still get an error at the freeradius:
You haven't shown the contents of the packet.
Thu Aug 11 17:06:02 2005 : Auth: rlm_pap: Attribute "Password" is required for authentication.
You've told the server to do PAP authentication, but there's no password in the request. Don't do that.
I added "DEFAULT Auth-Type := pap" at the end of the users-file, without it wants to use ldap-authentication!
Which ALSO forces the server to do PAP when it receives an EAP request. Solution: 1) read "man users" 2) change := to = Alan DeKok.
Alan DeKok wrote:
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
I configured as you told, but I still get an error at the freeradius:
You haven't shown the contents of the packet.
Thu Aug 11 17:06:02 2005 : Auth: rlm_pap: Attribute "Password" is required for authentication.
You've told the server to do PAP authentication, but there's no password in the request. Don't do that.
I added "DEFAULT Auth-Type := pap" at the end of the users-file, without it wants to use ldap-authentication!
Which ALSO forces the server to do PAP when it receives an EAP request.
Solution:
1) read "man users" 2) change := to =
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ok, after I set ":=" to "=" the radius is trying to do EAP with md5. So I think the wpa_supplicant is telling the radius to do so. Which of course need an Password-attribute. So back again to the wpa_supplicant-configuration, how do I configure EAP-TTLS with PAP as inner authentication? thanks for all the help. Florian Prester -- -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
ok, after I set ":=" to "=" the radius is trying to do EAP with md5. So I think the wpa_supplicant is telling the radius to do so. Which of course need an Password-attribute.
Yes.
So back again to the wpa_supplicant-configuration, how do I configure EAP-TTLS with PAP as inner authentication?
Ask on a WPA supplicant list. I haven't used it, so I know nothing about it. Alan DeKok.
participants (4)
-
Alan DeKok -
Florian Prester -
Thor Spruyt -
Vladimir Vuksan