EAP/TTLS on LDAP with freeradius 2.0.1

Alan DeKok aland at deployingradius.com
Wed Feb 6 15:46:54 CET 2008


Thierry CHICH wrote:
> With the previous release of freeradius 1.1.7, I could do the following 
> things: 
> - people with a correct outer identity and inner identity (login/password) 
> could be authorized and authenticated on an LDAP server, using an EAP-TTLS 
> tunnel, and obtain a WPA key.
> - with the same radius server, I could authenticate people with EAP-PEAP and 
> mschapv2 against an SQL database.

  2.0.1 can do this, too.

1) configure certificates
2) set up test user as in the FAQ
3) validate that the test user works for EAP-TTLS && PEAP.

  Then:

4) configure SQL
5) validate that "radtest" works for users in SQL
6) validate that EAP-TTLS && PEAP work for users in SQL.

> It was nice, but I had a small problem: accounting was done using the outer 
> identity. Since I was using LDAP to do the authorization, people who put 
> another valid identity were not correctly accounted.

  In 2.0.1, see raddb/sites-available/inner-tunnel for comments &&
configuration to fix this.  Or, the other reply to your message.

> I always finished by :  
> rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
> auth: No authenticate method (Auth-Type) configuration found for the request: 
> Rejecting the user

  The most common cause for this is that you massively edited the
configuration file without understanding what it was doing.  The simple
answer is DON'T DO THAT.

> If I put an Auth-Type := LDAP, it seems better at first, but it is 
> worse: 

  Exactly.  It breaks EAP-TTLS and PEAP.

> At this point, I don't understand what freeradius wants.
> I don't know how to say: authorize on what you want, I don't care, and 
> authenticate on my LDAP server.

  Start off with the default radiusd.conf.  Configure the ldap module,
and un-comment the references to ldap.  It WILL work!

> Is there a good configuration sample I can find anywhere?

  /etc/raddb/radiusd.conf?

  Really.

  See also "man radiusd" in 2.0.1.  It gives detailed instructions for
how to convert the default "radiusd.conf" file into something that
works, but also has your local configuration.

  Alan DeKok.
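Editor's note, added to this archived thread and not part of either message: the fragment below is a trimmed, hypothetical raddb/sites-available/inner-tunnel for FreeRADIUS 2.x, with the eap.conf lines that send the TTLS and PEAP inner requests to it. It is not Alan's or the poster's configuration; the module and section names are the stock ones shipped in 2.0, and the `outer.reply` list used in post-auth is the 2.x unlang list reference for the outer (unencrypted) request, assumed available in 2.0.1. It shows three things the thread touches on: why forcing `Auth-Type := LDAP` in the outer server breaks TTLS/PEAP (the `eap` module in authorize must be the one to set Auth-Type so that it can drive the TLS handshake; the outer request carries only EAP-Message, no password, so rlm_ldap has nothing to bind with), why "No authenticate method (Auth-Type) configuration found" appears (every module in the inner-tunnel authorize section that would have set Auth-Type, such as ldap, sql or pap, was removed or never set one), and how the inner identity can be returned for accounting.

```unlang
# Hypothetical, trimmed raddb/sites-available/inner-tunnel (FreeRADIUS 2.x).
# Added illustration only; not the configuration from the original thread.
server inner-tunnel {
	authorize {
		mschap              # PEAP/MSCHAPv2: recognises MS-CHAP attrs, sets Auth-Type = MS-CHAP
		suffix              # strip @realm from the inner identity if present
		update control {
			Proxy-To-Realm := LOCAL     # never proxy the inner request
		}
		eap {
			ok = return     # inner EAP (EAP-MSCHAPv2) is claimed by the eap module
		}
		sql                 # authorization from SQL: supplies Cleartext-Password / NT-Password
		ldap                # authorization from LDAP; with set_auth_type = yes (2.x default)
		                    # rlm_ldap sets Auth-Type = LDAP for a PAP inner request when it
		                    # finds no usable password attribute in the directory
		expiration
		logintime
		pap                 # TTLS/PAP: sets Auth-Type = PAP when a "known good" password exists
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type MS-CHAP {
			mschap          # PEAP/MSCHAPv2 needs a Cleartext- or NT-Password (here from sql);
			                # an LDAP bind cannot verify MS-CHAPv2, so LDAP-only users
			                # must come in over EAP-TTLS/PAP
		}
		Auth-Type LDAP {
			ldap            # TTLS/PAP: bind to the directory as the user
		}
		eap
	}

	post-auth {
		# Accounting fix. The NAS accounts under the User-Name of the outer
		# Access-Request, i.e. the (possibly anonymous) outer identity. RFC 2865
		# section 5.1 allows the server to return User-Name in the Access-Accept,
		# and the NAS should then use that name in its Accounting-Requests, so
		# copy the authenticated inner identity into the outer reply.
		update outer.reply {
			User-Name := "%{request:User-Name}"
		}
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}

# raddb/eap.conf: inside the existing eap { } block, point both tunnelled
# methods at the virtual server above. The outer server does NOT set Auth-Type
# itself; its authorize section just runs "eap", which sets Auth-Type = EAP.
#	ttls {
#		default_eap_type = md5
#		copy_request_to_tunnel = no
#		use_tunneled_reply = no
#		virtual_server = "inner-tunnel"
#	}
#	peap {
#		default_eap_type = mschapv2
#		copy_request_to_tunnel = no
#		use_tunneled_reply = no
#		virtual_server = "inner-tunnel"
#	}
```

Check it the way the reply above suggests: after `radtest` succeeds against a SQL or LDAP user, run the server with `radiusd -X` and drive an EAP-TTLS and a PEAP login through a supplicant; in the debug output the inner request should show `Auth-Type = PAP`, `LDAP` or `MS-CHAP` being chosen in the inner-tunnel authorize section, and the final Access-Accept should carry the inner User-Name that the `update outer.reply` block copied in.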


