FreeRADIUS w/ LDAP and EAP-TLS
So yesterday after complicating my configuration I decided to completely start over. I rebuilt the server and got everything work up to the EAP-TLS. While it is clear that it says no "known good" password found, I was able to auth to LDAP prior to turning on EAP-TLS. So I suspect there is something else that I am missing. I am using the certificates that came w/ FreeRADIUS in the /etc/raddb/certs/ folder. I will be generating my own or applying ones from FreeIPA once I get this working. I followed this: http://deployingradius.com/documents/configuration/eap.html https://wiki.alpinelinux.org/wiki/FreeRadius_EAP-TLS_configuration Here is the output from debug: (2) control:Auth-Type := LDAP (2) } # update = noop (2) } # if ((ok || updated) && User-Password) = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) } # authorize = ok (2) Found Auth-Type = LDAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Auth-Type LDAP { rlm_ldap (ldap): Reserved connection (6) (2) ldap: Login attempt by "andrew.meyer" (2) ldap: Using user DN from request "uid=andrew.meyer,cn=users,cn=accounts,dc=meyer,dc=local" (2) ldap: Waiting for bind result... (2) ldap: Bind successful (2) ldap: Bind as user "uid=andrew.meyer,cn=users,cn=accounts,dc=meyer,dc=local" was successful rlm_ldap (ldap): Released connection (6) (2) [ldap] = ok (2) } # Auth-Type LDAP = ok (2) # Executing section post-auth from file /etc/raddb/sites-enabled/default (2) post-auth { (2) update { (2) No attributes updated (2) } # update = noop (2) [exec] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # post-auth = noop (2) Sent Access-Accept Id 16 from 10.150.10.45:1812 to 10.150.1.250:53618 length 0 (2) Finished request Waking up in 1.0 seconds. (1) Cleaning up request packet ID 15 with timestamp +68 Waking up in 3.9 seconds. (2) Cleaning up request packet ID 16 with timestamp +72 Ready to process requests
Hi, Am 30.11.2017 um 17:33 schrieb Andrew Meyer via Freeradius-Users:
So yesterday after complicating my configuration I decided to completely start over. I rebuilt the server and got everything work up to the EAP-TLS.
Do you really mean EAP-TLS? EAP-TLS means using client certificates to authenticate the users and not any inner tunnel. In contrast on EAP-TTLS your are establishing a TLS secured connection and then authenticate the user in an inner tunnel (using PAP, LDAP, ...).
https://wiki.alpinelinux.org/wiki/FreeRadius_EAP-TLS_configuration
This doesn't use LDAP auth. LDAP auth would be in the "inner tunnel". EAP-TLS doesn't need/have an inner tunnel.
Auth-Type LDAP { rlm_ldap (ldap): Reserved connection (6) (2) ldap: Login attempt by "andrew.meyer" (2) ldap: Using user DN from request "uid=andrew.meyer,cn=users,cn=accounts,dc=meyer,dc=local" (2) ldap: Waiting for bind result... (2) ldap: Bind successful (2) ldap: Bind as user "uid=andrew.meyer,cn=users,cn=accounts,dc=meyer,dc=local" was successful rlm_ldap (ldap): Released connection (6) (2) [ldap] = ok (2) } # Auth-Type LDAP = ok (2) # Executing section post-auth from file /etc/raddb/sites-enabled/default (2) post-auth { (2) update { (2) No attributes updated (2) } # update = noop (2) [exec] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # post-auth = noop (2) Sent Access-Accept Id 16 from 10.150.10.45:1812 to
This looks like LDAP auth is working fine, an Access-Accept is sent. What does this have to do with EAP-TLS? And since Access-Accept is sent: What is the problem here? Kind regards, Enno
participants (2)
-
Andrew Meyer -
Enno Gröper