Doubt about default and inner-tunnel

tnt at kalik.net
Sun Oct 5 23:27:20 CEST 2008


>I use FR 2.1.1 for WPA authentication, using TTLS+MSCHAPv2 and LDAP to
>store users and passwords (in LM/NT hash format). I tried several
>configurations:
>
>Configuration 1:
>- no changes in sites-enabled/default;
>- in sites-enabled/inner-tunnel uncommented "ldap" in authorize and
>"Auth-Type LDAP" in authenticate.
>Result: users get access even with an incorrect password. Why?
>

That shouldn't happen. When things don't work as expected - debug
(radiusd -X). Auth-Type LDAP shouldn't be used unless you have done
something else as well.

>Configuration 2:
>- in sites-enabled/default uncommented "ldap" in authorize and
>"Auth-Type LDAP" in authenticate;
>- no changes in sites-enabled/inner-tunnel.
>Result: users aren't authenticated.
>

That's as expected. Authentication is handled by inner-tunnel and no
password is available since ldap is commented out in original settings.

>Configuration 3:
>- in sites-enabled/default uncommented "Auth-Type LDAP" in authenticate;

You can leave that out too.

>- in sites-enabled/inner-tunnel uncommented "ldap" in authorize.
>Result: it seems to work correctly, users get access only with a correct
>password.
>

That's the correct way.

>I can't understand well the flow of the process between the two virtual
>servers :(
>

In your case default virtual server handles creation of TLS tunnel while
inner-tunnel server handles mschap authentication (what is being sent
inside the tunnel - hence the name). You need to provide password only
in the inner-tunnel server. Server should set Auth-Type to mschap on
its own when it detects mschap attributes in inner-tunnel request.

Ivan Kalik
Kalik Informatika ISP
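The split Ivan describes (outer server builds the TLS tunnel, inner-tunnel sees the MS-CHAPv2 exchange and needs the password), shown as an abbreviated sites-enabled/inner-tunnel for FreeRADIUS 2.x. This is an added example, not text from the thread or a file shipped with FreeRADIUS; the module lists are shortened to what matters here, and it assumes the ldap module in modules/ldap is already configured so that the directory's NT-hash attribute is mapped to NT-Password (the hash format the original poster stores).

```unlang
# sites-enabled/inner-tunnel (abbreviated, added example)
# The outer server in sites-enabled/default stays at its defaults:
# "ldap" remains commented there, because only the TLS tunnel is
# terminated in that server and no user password is needed for it.
server inner-tunnel {

    authorize {
        # mschap detects MS-CHAP attributes in the inner request and
        # sets Auth-Type := MS-CHAP by itself; nothing has to be forced.
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        # Uncommented, as in the working "Configuration 3":
        # fetches the user's NT-Password from LDAP so mschap can
        # verify the MS-CHAPv2 response. Assumes modules/ldap maps the
        # directory hash attribute to NT-Password.
        ldap
        expiration
        logintime
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }

        # Left commented on purpose. Auth-Type LDAP means "bind to the
        # directory as the user", which needs a cleartext password the
        # MS-CHAPv2 exchange never provides; the inner request must be
        # authenticated by mschap against the stored NT hash instead.
        # Auth-Type LDAP {
        #     ldap
        # }

        eap
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

With this in place, the check Ivan recommends is simply to run `radiusd -X` and watch the inner-tunnel section of the debug output: a good login shows ldap returning NT-Password in authorize followed by `Auth-Type = MS-CHAP` and an Access-Accept, while a wrong password must end in an Access-Reject from mschap. If the inner-tunnel log shows `Auth-Type = LDAP` being selected, the commented block above has been re-enabled somewhere and the configuration needs another look.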
