TTLS-PAP authentication with LDAP bind
Richard Hesse
rhesse at yahoo.com
Sun Jan 28 02:31:29 CET 2007
First off, I'd like to say thanks in advance to anyone who can help me here. I've spent the past few days searching the list archives and other sites for information on how to accomplish this. The overwhelming message from these searches was that "it should just work" and that "the server will figure out what to do." Sadly, that's not the case here.
My goals here are straightforward:
- Authorize the user in LDAP if a corresponding entry exists (just checking against uid, nothing fancy).
- Support TTLS-PAP and PEAP-GTC. The default Macintosh configuration supports PEAP-GTC with no config. SecureW2 will be used for TTLS-PAP on Windows clients.
- Authenticate the user's clear-text password via a simple LDAP bind encrypted via TLS. No userPassword attribute checking here. A simple bind is all.
Using version 1.14.
Here's my eap.conf with comments stripped out:
eap {
    default_eap_type = ttls
    timer_expire = 10
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    # Inner method for both tunnels; auth_type is the Auth-Type handed to the tunnelled request
    gtc {
        challenge = "Password: "
        auth_type = PAP
    }

    # Server certificate, key and CA used for the outer TTLS/PEAP tunnel
    tls {
        private_key_password = foo
        private_key_file = ${raddbdir}/certs/key.pem
        certificate_file = ${raddbdir}/certs/cert.pem
        CA_file = ${raddbdir}/certs/sf_issuing.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
    }

    ttls {
        default_eap_type = gtc
    }

    peap {
        default_eap_type = gtc
    }
}
Relevant sections of radius.conf are:
ldap {
    server = "myserverentry"
    basedn = "myDN"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    # LDAP connection protected with STARTTLS; the server certificate must verify against intCA.pem
    start_tls = yes
    tls_cacertfile = /opt/fedora-ds/alias/intCA.pem
    tls_require_cert = "demand"
    access_attr = "uid"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

authorize {
    preprocess
    suffix
    ntdomain
    eap
    files
    ldap
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}
If I force the Mac or Windows supplicants to use TTLS-PAP, the request is never passed to radiusd. I don't know what's going on but my AP (Aruba 200) seems to be detecting that something isn't right with its AAA server and not passing the request on. If I change the supplicants to use their default settings, the requests are sent to FreeRadius, but the requests fail. Again, the Aruba seems to think that something is wrong and presents its certificate instead of my server's. At one point, I had the clients seeing the server's certificate but I can't seem to get back in that state. So I don't think my AP is broken, I'm pretty sure it's my FreeRadius config that's broken. The users file is unchanged and the proper entries are in clients.
Yes, I've run the server in debug mode (there are no requests coming in).
Thanks,
-richard
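As an added check (example code written for this edit, not part of the post or of FreeRADIUS), the script below parses a constructed excerpt of the quoted eap.conf and radiusd.conf sections and reports, for each tunnelled method, which Auth-Type and which modules end up handling the inner password, and whether rlm_ldap is wired into both authorize and an Auth-Type LDAP section. The parser handles only this brace-nested format and leaves values such as ${raddbdir} and %{User-Name} untouched.

```python
import re
# Constructed excerpt of the eap.conf / radiusd.conf sections quoted in the post.
CONF = """
eap {
    default_eap_type = ttls
    gtc { auth_type = PAP }
    ttls { default_eap_type = gtc }
    peap { default_eap_type = gtc }
}
authorize { preprocess suffix ntdomain eap files ldap pap }
authenticate { Auth-Type PAP { pap } Auth-Type LDAP { ldap } eap }
"""

def parse_conf(text):
    """Parse brace-nested radiusd config into dicts; bare module names collect under '_modules'."""
    text = re.sub(r'^\s*#.*', '', text, flags=re.M)                      # drop full-line comments
    text = re.sub(r'(?<=\s)([{}])(?=\s|$)', r'\n\1\n', text, flags=re.M)  # block braces on own lines
    root = cur = {}
    stack, pending = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line in ('{', '}'):
            name = pending.pop() if line == '{' else None    # word(s) before '{' name the block
            cur.setdefault('_modules', []).extend(w for p in pending for w in p.split())
            pending = []
            if name is None:
                cur = stack.pop()
            else:
                stack.append(cur)
                cur[name] = cur = {}                          # descend into the new block
        elif '=' in line:                                     # first '=' only; values may contain '='
            key, _, value = line.partition('=')
            cur[key.strip()] = value.strip().strip('"')
        else:
            pending.append(line)
    return root

def inner_auth_path(conf):
    """Per tunnelled method: inner EAP type, the Auth-Type it sets, and the modules that run it."""
    eap, auth, path = conf['eap'], conf['authenticate'], {}
    for outer in ('ttls', 'peap'):
        inner = eap.get(outer, {}).get('default_eap_type', eap['default_eap_type'])
        auth_type = eap.get(inner, {}).get('auth_type')
        section = auth.get(f'Auth-Type {auth_type}')   # None: no authenticate block for it
        path[outer] = (inner, auth_type, section and section.get('_modules'))
    return path

def ldap_bind_wired(conf):
    """True when rlm_ldap runs in authorize and 'Auth-Type LDAP { ldap }' exists to do the bind."""
    return ('ldap' in conf['authorize'].get('_modules', []) and
            'ldap' in conf['authenticate'].get('Auth-Type LDAP', {}).get('_modules', []))
```

For the quoted config both tunnels resolve to gtc with Auth-Type PAP handled by the pap module, which shows at a glance which module is asked to check the tunnelled password.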