EAP-TTLS/PAP -> LDAP for WPA2
Stefan Winter
stefan.winter at restena.lu
Fri Jul 7 07:59:30 CEST 2006
Hi!
> Hmmm. Well, in the first packet I see the Identity in the EAP-Message,
> but the User-Name attribute is in every packet sent by the AP. How would
> I go about using an anonymous identity? Would that be up to the wireless
> client configuration? It would be quite important for me to hide this.
> If I'm understanding you correctly, the User-Name attribute and the
> Identity field in the EAP-Message attribute have nothing to do with
> authentication, which is all enclosed (including the username) in PAP,
> which is encrypted inside EAP-TTLS? If I could just get this fixed, I
> think I'd be happy with my setup...
The thing about anonymous outer identity is that it doesn't matter what you
put in there. If your real name is "iamcool" and your password
is "evencooler" you can happily send "foobar" as Identity. Authentication
will only depend on what's inside the tunneled PAP request. Most supplicants
allow you to specify the outer identity to your liking.
That said, there is one exception: if you are using roaming, the realm part of
the username must be the correct one, otherwise the request can't be routed
to the correct server.
> This certainly helps me understand, but it would be nice to get a more
> complete understanding. I don't want to hassle you by continually asking
> you questions until I get it - can you point me to somewhere I can read
> up on this and understand? For example, it confuses me that there is an
> ldap, eap and pap section in the authorize section, but pap is to be
> used exclusively inside eap with the client and ldap is to be used
> exclusively with the backend server.
The RADIUS protocol requires that all clients (NASes, for Network Access
Server) have to be registered with their IP address and a shared secret
before they can send any requests to the server. Once they are registered,
they may ask whatever they want.
The authorize section lets you configure what exactly a user (or a NAS) is
allowed to ask for. authenticate lets you check credentials.
For the configuration parts in FreeRADIUS that you don't understand: how about
ignoring them? It is not necessary to understand every line of the
config deeply. If you are *really* concerned that they do something you don't like,
feel free to comment them out and try whether your stuff still works. That's
called trial and error and is probably a good way to learn about things.
Greetings,
Stefan
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
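The two points of the reply above, routing on the realm of the outer identity and authenticating only on the tunneled PAP credentials, as an added toy model that is not part of the thread or of FreeRADIUS. The realm table, server names and the "iamcool"/"evencooler" user entry are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed tables for this illustration, not a real deployment.
LOCAL_HOME_SERVER = "radius.restena.lu"              # handles identities without a realm
REALM_TO_HOME_SERVER = {"restena.lu": "radius.restena.lu",
                        "example.org": "radius.example.org"}
HOME_USER_DB = {"radius.restena.lu": {"iamcool": "evencooler"}}   # inner name -> PAP password


@dataclass
class AccessRequest:
    outer_identity: str   # RADIUS User-Name / EAP Identity, visible to every hop
    inner_identity: str   # PAP User-Name, only inside the TLS tunnel
    inner_password: str   # PAP User-Password, only inside the TLS tunnel


def split_identity(identity: str):
    """Return (user, realm); realm is None when the identity has no '@'."""
    user, sep, realm = identity.rpartition("@")
    return (user, realm.lower()) if sep else (identity, None)


def route(req: AccessRequest) -> Optional[str]:
    """Proxy decision: uses only the realm of the outer identity, never its user part."""
    _, realm = split_identity(req.outer_identity)
    if realm is None:
        return LOCAL_HOME_SERVER
    return REALM_TO_HOME_SERVER.get(realm)


def authenticate(home_server: str, req: AccessRequest) -> bool:
    """Home server decision: checks only the tunneled PAP credentials."""
    user, _ = split_identity(req.inner_identity)
    return HOME_USER_DB.get(home_server, {}).get(user) == req.inner_password


def process(req: AccessRequest) -> str:
    """Full path: route on the outer realm, then authenticate on the inner PAP."""
    home = route(req)
    if home is None:
        return "Access-Reject (no route for realm)"
    return "Access-Accept" if authenticate(home, req) else "Access-Reject"


if __name__ == "__main__":
    # The outer name is a throwaway; only the tunneled credentials decide the result.
    print(process(AccessRequest("foobar@restena.lu", "iamcool", "evencooler")))  # Access-Accept
    # A wrong realm breaks roaming even though the inner credentials are valid.
    print(process(AccessRequest("foobar@typo.example", "iamcool", "evencooler")))
```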