EAP-TTLS/PAP -> LDAP for WPA2

John Allman allmanj at cp.dias.ie
Thu Jul 6 17:28:39 CEST 2006


Hi All,

Quite new to radius and struggling to get my head around things so
forgive me if my assumptions are wrong. I appear to have the setup
working but I'm concerned it's not doing what I think it is. I don't
think the authentication requests are actually going over an encrypted
channel.

I'm using freeradius-1.1.2 on a freebsd server and I've compiled it
against openldap-2.3.24, which all went well. I'm attempting to set up
secure wireless with WPA2 using our ldap directory for authentication.
We have a replica of our directory running on the freeradius server.
Originally I had hoped to use some sort of
web-redirect-to-an-authentication-page system like you sometimes see in
hotels but I can't find anything about that (any information welcome).

After reading around, the best form of authentication I can see would be
eap-ttls with pap as the inner protocol. I believe (from comments in the
radiusd.conf file) that I wouldn't be able to use md5 with ldap. Now,
I've set it up in a way that appears to be mostly right and I *can*
authenticate with my username/password in ldap, but doing a tcpdump on
the radius server worries me. I can see my username passed in the clear
in the packets so I'm concerned it's not using tls at all. I told the
wireless client to use ttls so I can't understand what's going on.

The following is a summary of the main changes I made to the
radiusd.conf and eap.conf files. If I don't mention an attribute it's
because I didn't change it from the default setting:

radiusd.conf:

modules {
	ldap {
		server = "localhost"
		filter = "(uid=%u)"
		base_filter = "(objectclass=radiusprofile)"
		start_tls = no
		dictionary_mapping = ${raddbdir}/ldap.attrmap
	}
}

authorize {
	eap
	ldap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	eap
	Auth-Type LDAP {
		ldap
	}
}

eap.conf:

eap {
	default_eap_type = ttls
	tls {
		private_key_file = ${raddbdir}/certs/radius_key.pem
		certificate_file = ${raddbdir}/certs/radius_cert.pem
		CA_file = ${raddbdir}/certs/cacert.pem
		random_file = ${raddbdir}/certs/random
	}

	ttls {
		default_eap_type = md5
	}
}

Now I know that default_eap_type setting looks wrong but I don't know
what I *should* have there.

On the server in /var/log/radiusd.log I see the following:

Wed Jul  5 16:10:32 2006 : Error:     TLS_accept:error in SSLv3 read
client certificate A
Wed Jul  5 16:10:32 2006 : Error: rlm_eap: SSL error
error:00000000:lib(0):func(0):reason(0)
Wed Jul  5 16:10:32 2006 : Error: rlm_eap: SSL error
error:00000000:lib(0):func(0):reason(0)

I based my certificate generation on the instructions at:

http://homepage.mac.com/andreaswolf/public/wpaeap.html

including using the xpextensions mentioned there. I generated my random
file using dd and /dev/urandom.

I am a little lost and don't know what is best practice. Any advice
would be appreciated. I've tried googling but haven't found a good guide
that matches our setup. I can, of course, give more information if needed.

Thanks,

John Allman