EAP-TTLS/PAP -> LDAP for WPA2
A.L.M.Buxey at lboro.ac.uk
Thu Jul 6 18:08:55 CEST 2006
Hi,
> I'm using freeradius-1.1.2 on a freebsd server and i've compiled it
> against openldap-2.3.24 which all went well. I'm attempting to set up
> secure wireless with WPA2 using our ldap directory for authentication.
> We have a replica of our directory running on the freeradius server.
> Originally i had hoped to use some sort of
> web-redirect-to-an-authentication-page system like you sometimes see in
> hotels but i can't find anything about that (any information welcome).
"captive portal" - there are several software tools that will do this...
e.g. http://en.wikipedia.org/wiki/Captive_portal
most people seem to be moving away from this method as it is riddled with
possible security compromises.
> After reading around, the best form of authentication i can see would be
> eap-ttls with pap as the inner protocol. I believe (from comments in the
> radiusd.conf file) that i wouldn't be able to use md5 with ldap. Now,
> i've set it up in a way that appears to be mostly right and i *can*
> authenticate with my username/password in ldap but doing a tcpdump on
> the radius server worries me. I can see my username passed in the clear
> in the packets so i'm concerned it's not using tls at all. I told the
> wireless client to use ttls so i can't understand what's going on.
PAP uses clear text (unencrypted) password authentication. Whilst
the EAP-TTLS traffic is encrypted (and the PAP lurks inside that encrypted
session), where you CAN see the PAP in the clear is when it's being sent
over to LDAP - so you need to make sure that that communication is
encrypted...either by making sure it's configured to use SSL for its
communication channel...or simply 'stunnel'ing the traffic.
> modules {
> ldap {
> server = "localhost"
> filter = "(uid=%u)"
> base_filter = "(objectclass=radiusprofile)"
> start_tls = no
^^^^^^^^^^^^^^
this!
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> }
> }
>
> authorize {
> eap
> ldap
> }
>
alan
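An added example, not part of the thread: a small Python linter for the `ldap { ... }` module block that flags the setting Alan points at (`start_tls = no`, so the password the RADIUS server unwraps from the EAP-TTLS tunnel goes to LDAP in clear text) and rewrites the block with the channel encrypted. It also checks the follow-on caveat that a StartTLS session whose peer certificate is not verified is of limited value. The sample block is constructed from the poster's config; `tls_require_cert` and `tls_cacertfile` are names from the sample radiusd.conf shipped with FreeRADIUS 1.x and should be checked against the version in use, and the CA path is a placeholder.

```python
import re

# Constructed sample: the poster's ldap module block, hostname kept as posted.
WEAK_CONF = """\
modules {
    ldap {
        server = "localhost"
        filter = "(uid=%u)"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }
}
"""

KV_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')


def parse_ldap_block(conf):
    """Return the key/value settings of the first `ldap { ... }` section as a
    dict, or None if no such block exists. Nested sub-sections are skipped."""
    settings = {}
    depth = 0
    inside = False
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()   # '#' starts a comment in radiusd.conf
        if not line:
            continue
        if not inside:
            if re.match(r'^ldap\s*\{$', line):
                inside, depth = True, 1
            continue
        if line.endswith('{'):                # nested sub-section
            depth += 1
            continue
        if line == '}':
            depth -= 1
            if depth == 0:
                return settings
            continue
        m = KV_RE.match(line)
        if m and depth == 1:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings if inside else None


def audit_ldap_block(conf):
    """Return findings about the confidentiality of the RADIUS -> LDAP leg."""
    s = parse_ldap_block(conf)
    if s is None:
        return ["no ldap module block found"]
    findings = []
    start_tls = s.get('start_tls', 'no').lower()
    if start_tls != 'yes':
        findings.append(
            "start_tls = %s: the PAP password inside the EAP-TTLS tunnel is "
            "decrypted by the RADIUS server and re-sent to LDAP in clear text"
            % start_tls)
    elif s.get('tls_require_cert', '').lower() != 'demand':
        findings.append(
            'start_tls = yes but tls_require_cert is not "demand": the LDAP '
            "server's certificate is not verified, so the TLS peer is unchecked")
    return findings


def harden_ldap_block(conf):
    """Rewrite the block so the LDAP channel uses StartTLS with a verified peer.
    tls_cacertfile / tls_require_cert are the FreeRADIUS 1.x sample names;
    the CA path is a placeholder to be replaced."""
    out = []
    for raw in conf.splitlines():
        m = re.match(r'^(\s*)start_tls\s*=\s*\S+', raw)
        if m:
            indent = m.group(1)
            out.append(indent + 'start_tls = yes')
            out.append(indent + 'tls_cacertfile = /path/to/cacert.pem   # placeholder CA file')
            out.append(indent + 'tls_require_cert = "demand"')
        else:
            out.append(raw)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for finding in audit_ldap_block(WEAK_CONF):
        print('WEAK:', finding)
    fixed = harden_ldap_block(WEAK_CONF)
    print(fixed)
    print('after hardening:', audit_ldap_block(fixed) or 'no findings')
```

The checker deliberately reports only one finding at a time: encrypting the channel comes first, and only once `start_tls = yes` does it matter whether the certificate the LDAP server presents is actually verified. Note that `server = "localhost"` does not remove the issue the thread describes; a capture on the RADIUS host still sees loopback traffic.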