'Attribute "User-Password" is required for authentication.' (EAP/TTLS/RADIUS/PAM)

sth sth at noiseplant.com
Wed Jun 11 20:47:46 CEST 2008



Hi folks,

I've been tasked with determining the feasibility of migrating a campus
wireless deployment from "open wireless plus VPN" to WPA2 Enterprise.
The existing VPN server authenticates against a RHEL4 FreeRADIUS server
(1.0.1-3.RHEL4.5, the latest available distro-standard package), which
itself primarily authenticates against PAM. (There are a few users defined in the
RADIUS users file, but these are the exception rather than the rule.)
This function is to be bolted onto an existing, production FreeRADIUS
server, which is why I'm using such an old version of FR.

My NAS is talking to the FR instance (being run in "-X" debug mode, of
course), but the NAS doesn't appear to be sending the "User-Password"
attribute that FR is expecting. What I'm going for, here, is EAP/TTLS.
I've synthesized a few HOWTOs* to arrive at my current configuration,
which is attached in the form of my (sanitized) radiusd.conf,
clients.conf, and eap.conf, as well as /etc/pam.d/radiusd. FWIW, I'm
getting good answers when running 'radtest' locally, so the FR-to-PAM
linkage is working properly.

* Namely, Hack #44 from O'Reilly's "Wireless Hacks, 2nd Ed." and an
article[1] from Free Software Magazine.

Also attached are a few sample conversations as seen from the
perspective of FR using a user that's active in PAM
(radiusd-X_actual_eap_client.txt and radiusd-X_radeapclient.txt), AND
one using an account that's local at FR, i.e., in the /etc/raddb/users
file (radiusd-X_testuser_actual_eap_client.txt).

My test case will eventually include Windows XP Pro, Vista Business, and
Mac OS X 10.4 specimens, but for now I'm using only Mac OS X 10.5, as it
seems to have very flexible native support for mucking with 802.1x settings.

I did see mention of a similar symptom in my searches, and a few
(including this one[2]) suggested that a fix was forthcoming in 1.1.5.
By way of attempting this, I tried rolling my own 2.0.5 instance of FR,
but it had the same problem.

Alan's post here[3] indicates, "It needs a password." What I'm not clear
on is _what_ needs a password: is the client not sending it, or does the
FR server not have access to the backend against which it should be
verifying the password incoming from the client? If the client is not
sending it, how might I go about ascertaining why?

In any case, this seems to be one of the more common errors for people
attempting 802.1x auth via RADIUS, and since there are so many different
scenarios cited by the posts I'm finding, I hoped that the knowledgeable
among you might analyze and comment on my configuration. I can provide
further information and diagnostic output upon request.

If at any point it's appropriate for someone to say, "You fool! You
can't have WPA(2) Enterprise authentication for both Mac and Windows!"
please, don't hesitate to do so. ;-)

Thanks in advance for your time.


Cheers,

-sth

[1]http://www.freesoftwaremagazine.com/community_posts/howto_incremental_setup_freeradius_server_eap_authentications
[2]http://lists.cistron.nl/pipermail/freeradius-users/2007-February/060265.html
[3]http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg22607.html

sam hooker|sth at noiseplant.com|http://www.noiseplant.com

	Yes, my television runs Linux, too. Yes, really.
	http://mythtv.org
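As an added illustration (not from the original post, and not FreeRADIUS code): a small Python sketch that builds two constructed Access-Requests, a radtest-style PAP request carrying a hidden User-Password and an EAP-TTLS outer request carrying only EAP-Message, parses their attributes, and reports which of the two a PAM-backed module could act on. Attribute codes and the password-hiding scheme are from RFC 2865/2869; the shared secret, authenticator, user name and the pam_can_authenticate() diagnosis function are assumptions made for the example.

```python
import hashlib
import struct

# RADIUS attribute type codes (RFC 2865, RFC 2869) used below
USER_NAME, USER_PASSWORD, EAP_MESSAGE = 1, 2, 79
NAMES = {1: "User-Name", 2: "User-Password", 79: "EAP-Message"}


def xor_blocks(data, secret, authenticator, encrypt):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if encrypt else block  # chaining uses the ciphertext block
    return out


def hide_password(password, secret, authenticator):
    return xor_blocks(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)


def reveal_password(blob, secret, authenticator):
    return xor_blocks(blob, secret, authenticator, False).rstrip(b"\x00")


def build_access_request(attrs, authenticator, ident=1):
    """Code 1 = Access-Request; header is code, id, length, 16-byte authenticator, then TLV attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.setdefault(NAMES.get(t, t), []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs


def pam_can_authenticate(attrs):
    """A PAM-backed module needs a cleartext User-Password; an EAP outer request never carries one."""
    if "User-Password" in attrs:
        return True, "User-Password present: PAM can check it (the radtest case)"
    if "EAP-Message" in attrs:
        return False, "EAP-Message only: the password is inside the TLS tunnel; PAM must run on the inner request"
    return False, 'Attribute "User-Password" is required for authentication.'


# Constructed sample requests (assumed values, not taken from the poster's logs)
SECRET, AUTH = b"testing123", bytes(range(16))
RADTEST_REQ = build_access_request([(USER_NAME, b"alice"), (USER_PASSWORD, hide_password(b"s3cret", SECRET, AUTH))], AUTH)
# EAP-Response/Identity: code 2, id 1, length 10, type 1 (Identity), identity "alice"
EAP_REQ = build_access_request([(USER_NAME, b"alice"), (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice")], AUTH)
```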
Attachments (text scrubbed by the list archive; available at these URLs):
clients.conf: http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080611/a7e8e326/attachment.ksh
eap.conf: http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080611/a7e8e326/attachment-0001.ksh
radiusd.conf: http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080611/a7e8e326/attachment-0002.ksh
radiusd (/etc/pam.d/radiusd): http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080611/a7e8e326/attachment-0003.ksh
radiusd-X_actual_eap_client.txt: http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080611/a7e8e326/attachment.txt
radiusd-X_radeapclient.txt: http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080611/a7e8e326/attachment-0001.txt
radiusd-X_testuser_actual_eap_client.txt: http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080611/a7e8e326/attachment-0002.txt