can peap and ttls live together?
Sergio Belkin
sebelk at gmail.com
Tue Apr 29 15:41:08 CEST 2008
2008/4/29 Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>:
>
> Sergio Belkin wrote:
>
> > Hi,
> >
> > I had been using EAP-TTLS, but I've commented in an earlier post, I
> > have no luck with securew2 and Vista. So I am planning use a
> > "secondary password" for radius in clear-text. But I'd want to know if
> > TTLS and PEAP can live together, my current eap.conf is as follow:
> >
> > eap {
> > default_eap_type = ttls
> > timer_expire = 60
> > ignore_unknown_eap_types = no
> > cisco_accounting_username_bug = no
> > md5 {
> > }
> > leap {
> > }
> > gtc {
> > auth_type = PAP
> > }
> > tls {
> > private_key_file =
> > /etc/pki/tls/certs/ips-spectrum-key.pem
> > certificate_file =
> > /etc/pki/tls/certs/ips-spectrum-crt.pem
> > CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt
> > dh_file = ${raddbdir}/certs/dh
> > random_file = ${raddbdir}/certs/random
> > cipher_list = "DEFAULT"
> > }
> > ttls {
> > default_eap_type = md5
> > copy_request_to_tunnel = no
> > use_tunneled_reply = yes
> > }
> > peap {
> > default_eap_type = mschapv2
> > copy_request_to_tunnel = no
> > use_tunneled_reply = no
> > }
> > mschapv2 {
> > }
> > }
> >
> >
> >
> >
> Yes. If the supplicant doesn't support TTLS it'll NAK the offer of EAP-TTLS
> and request PEAP. Default EAP type specifies the EAP type the server
> initially attempts to negotiate with the supplicant.
>
> --
> Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
> Authentication, Authorisation and Accounting Officer
> Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton
> EXT:01273 873900 | INT: 3900
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
Thanks Phil and Arran. I am testing peap and ttls and I only modified
default_eap_type to be peap. But I can't connect, this part of the
debugging output:
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for pepepe with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [pepepe/<via Auth-Type = EAP>] (from client
UP-PVIII-VII port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
(pepepe is the user)
I am setting userPassword in cleartext with Luma for LDAP
(http://luma.sourceforge.net/ ). What's wrong?
Thanks in advance. Should I define 2 virtual servers as Phil suggested?
--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
More information about the Freeradius-Users
mailing list