EAP-TTLS/PAP -> LDAP for WPA2

Stefan Winter stefan.winter at restena.lu
Fri Jul 7 07:59:30 CEST 2006


Hi!

> Hmmm. Well, in the first packet I see the Identity in the EAP-Message,
> but the User-Name attribute is in every packet sent by the AP. How would
> I go about using an anonymous identity? Would that be up to the wireless
> client configuration? It would be quite important for me to hide this.
> If I'm understanding you correctly, the User-Name attribute and the
> Identity field in the EAP-Message attribute have nothing to do with
> authentication, which is all enclosed (including the username) in PAP,
> which is encrypted inside EAP-TTLS? If I could just get this fixed, I
> think I'd be happy with my setup...

The thing about the anonymous outer identity is that it doesn't matter what you 
put in there. If your real name is "iamcool" and your password 
is "evencooler", you can happily send "foobar" as Identity. Authentication 
will only depend on what's inside the tunneled PAP request. Most supplicants 
allow you to specify the outer identity to your liking.
That said, there is one exception: if you are using roaming, the realm part of 
the username must be the correct one, otherwise the request can't be routed 
to the correct server.

> This certainly helps me understand, but it would be nice to get a more
> complete understanding. I don't want to hassle you by continually asking
> you questions until I get it - can you point me to somewhere I can read
> up on this and understand? For example, it confuses me that there is an
> ldap, eap and pap section in the authorize section, but pap is to be
> used exclusively inside eap with the client and ldap is to be used
> exclusively with the backend server.

The RADIUS protocol requires that all clients (NASes, for Network Access 
Server) be registered with their IP address and a shared secret 
before they can send any requests to the server. Once they are registered, 
they may ask whatever they want.
The authorize section lets you configure what exactly a user (or a NAS) is 
allowed to ask for. authenticate lets you check credentials.

For the configuration parts in FreeRADIUS that you don't understand: how about 
ignoring them? It is not necessary to understand every line of the 
config deeply. If you are *really* concerned that they do something you don't like, 
feel free to comment them out and see if your stuff still works. That's 
called trial and error and is probably a good way to learn about things.

Greetings,

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
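As an added illustration of the anonymous outer identity discussed above (this is not part of the original message, and the thread does not say which supplicant the poster uses): a wpa_supplicant network block for EAP-TTLS with PAP inside the tunnel. The SSID, the realm example.org and the CA path are constructed placeholders; the credentials are the ones used in the reply. The cleartext User-Name seen by the AP and by any intermediate RADIUS proxy is the anonymous_identity, and only its realm is needed for routing; the real identity and password are carried inside the TLS tunnel.

```conf
network={
    ssid="example-wlan"              # constructed placeholder
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"                # PAP runs only inside the TLS tunnel

    # Outer identity: sent in the clear in EAP-Identity and copied into
    # User-Name by the AP. The local part is arbitrary; keep the realm
    # correct so a roaming proxy can route the request to the home server.
    anonymous_identity="anonymous@example.org"

    # Inner identity and password: only these are checked by the server,
    # and they travel encrypted inside EAP-TTLS.
    identity="iamcool@example.org"
    password="evencooler"

    # Pin the CA that issued the RADIUS server certificate, so the tunnel
    # (and the PAP password inside it) only ever terminates at your server.
    ca_cert="/etc/ssl/certs/my-radius-ca.pem"   # constructed placeholder path
}
```

Without ca_cert the supplicant will build the tunnel to any server presenting a certificate, which defeats the point of hiding the inner credentials; the outer identity hides the username from observers, the CA check protects the password.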
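As an added example of the NAS registration the reply describes (not from the original message): a FreeRADIUS clients.conf entry for one access point, written in the 2.x-or-later named-client syntax (an assumption; FreeRADIUS 1.x keyed the block by IP address instead). The address, name and secret are constructed placeholders. A request from an IP that matches no client block is dropped before authorize runs, and a request from a registered IP with a mismatching secret fails the Message-Authenticator / password decryption checks.

```conf
client ap-building-a {
    ipaddr    = 192.0.2.10                    # constructed: the AP's source address
    secret    = REPLACE-WITH-LONG-RANDOM-SECRET  # placeholder; shared with the AP only
    shortname = ap-building-a
    # nastype is optional; it only affects checkrad, not authentication
    nastype   = other
}
```

Use a distinct, long secret per NAS: the secret keys the User-Password obfuscation and the Message-Authenticator, so a shared or guessable one lets any host that can spoof the registered IP talk to the server as that NAS.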