eap-ttls + PAP using Crypt-Password obtained by ldap
Florian Prester
Florian.Prester at rrze.uni-erlangen.de
Thu Aug 11 17:20:56 CEST 2005
Vladimir Vuksan wrote:
> Florian Prester wrote:
>
>> is it possible to authenticate a user with eap-ttls using PAP with
>> a Crypt-Password?
>> The Crypt-Password is obtained by an LDAP-Server.
>>
>> I can do eap-ttls using MD5/PAP with a cleartext Password.
>
>
> Yes you can, however you have to configure your clients to use
> TTLS+PAP. Otherwise they will default to TTLS+MSCHAPv2 which will not
> work with a crypted password. Here is a HOWTO on configuring TTLS+PAP
>
> http://vuksan.com/linux/dot1x/wpa-client-config.html
>
> Vladimir
> - List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Thanks Vladimir.
I know your howto, it is very helpful.
I configured it as you said, but I still get an error in freeradius:
....
Thu Aug 11 17:06:02 2005 : Debug: rlm_ldap: looking for reply items in
directory...
Thu Aug 11 17:06:02 2005 : Debug: rlm_ldap: user unrz148 authorized to
use remote access
Thu Aug 11 17:06:02 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Aug 11 17:06:02 2005 : Debug: modsingle[authorize]: returned from
ldap (rlm_ldap) for request 3
Thu Aug 11 17:06:02 2005 : Debug: modcall[authorize]: module "ldap"
returns ok for request 3
Thu Aug 11 17:06:02 2005 : Debug: modcall: group authorize returns
updated for request 3
Thu Aug 11 17:06:02 2005 : Debug: rad_check_password: Found Auth-Type pap
Thu Aug 11 17:06:02 2005 : Debug: auth: type "PAP"
Thu Aug 11 17:06:02 2005 : Debug: Processing the authenticate section
of radiusd.conf
Thu Aug 11 17:06:02 2005 : Debug: modcall: entering group Auth-Type for
request 3
Thu Aug 11 17:06:02 2005 : Debug: modsingle[authenticate]: calling pap
(rlm_pap) for request 3
Thu Aug 11 17:06:02 2005 : Auth: rlm_pap: Attribute "Password" is
required for authentication.
Thu Aug 11 17:06:02 2005 : Debug: modsingle[authenticate]: returned
from pap (rlm_pap) for request 3
Thu Aug 11 17:06:02 2005 : Debug: modcall[authenticate]: module "pap"
returns invalid for request 3
Thu Aug 11 17:06:02 2005 : Debug: modcall: group Auth-Type returns
invalid for request 3
Thu Aug 11 17:06:02 2005 : Debug: auth: Failed to validate the user.
...
The Crypted-Password is working and it is available as Crypt-Password.
(Tested with ntradping).
I added "DEFAULT Auth-Type := pap" at the end of the
users-file; without it, it wants to use ldap-authentication!
Also it works with a local user (defined in the users-file) and a
Crypt-Password!
Any hints?
thanks
Florian
--
--------------------------------------------------------------
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany
Tel.: +499131 8527813
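
An added example, not part of the original post and not FreeRADIUS code: a small Python helper that rejoins the mail-wrapped radiusd debug lines quoted in the message above and reports which module rejected the request, under which Auth-Type, and with what reason. The function names are assumptions made for this example; the sample lines are copied from the log excerpt in the post.

```python
import re

# Excerpt of the radiusd debug output from the post, mail wrapping left in.
SAMPLE = """\
Thu Aug 11 17:06:02 2005 : Debug: rad_check_password: Found Auth-Type pap
Thu Aug 11 17:06:02 2005 : Debug: auth: type "PAP"
Thu Aug 11 17:06:02 2005 : Debug: modsingle[authenticate]: calling pap
(rlm_pap) for request 3
Thu Aug 11 17:06:02 2005 : Auth: rlm_pap: Attribute "Password" is
required for authentication.
Thu Aug 11 17:06:02 2005 : Debug: modcall[authenticate]: module "pap"
returns invalid for request 3
Thu Aug 11 17:06:02 2005 : Debug: auth: Failed to validate the user.
"""

STAMP = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} : (\w+): (.*)$")
RESULT = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
BAD = {"reject", "fail", "invalid", "userlock"}  # module return codes treated as failures

def unwrap(text):
    """Rejoin continuation lines (no timestamp) onto the preceding record."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return [tuple(r) for r in records]

def failures(records):
    """Return one finding per module result in BAD, with the last rlm_* Auth message."""
    auth_type, reason, found = None, None, []
    for level, msg in records:
        if msg.startswith("rad_check_password: Found Auth-Type "):
            auth_type = msg.rsplit(" ", 1)[1]
        elif level == "Auth" and msg.startswith("rlm_"):
            reason = msg  # the module's own explanation precedes its return line
        m = RESULT.match(msg)
        if m and m.group(3) in BAD:
            found.append({"request": int(m.group(4)), "section": m.group(1),
                          "module": m.group(2), "result": m.group(3),
                          "auth_type": auth_type, "reason": reason})
            reason = None
    return found

if __name__ == "__main__":
    for finding in failures(unwrap(SAMPLE)):
        print(finding)
```
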