EAP-TTLS-PAP using LDAP for authorization and PAM for authentication
Alan DeKok
aland at deployingradius.com
Sun Sep 28 18:17:46 CEST 2008
Erik Karlsson wrote:
> I am trying to set up a simple WLAN authentication using EAP-TTLS to
> avoid client certificates and PAM to use the server system
> authentication scheme. PAM doesn't know about users, and the users are
> situated in an LDAP database, which I think makes it logical to use
> rlm_ldap for authorization. I.e. I just want to check that users exist
> in LDAP and then move on to checking the password against PAM.
Why not also get the passwords from ldap? Why use PAM at all?
> The problem is that PAM is never used. This seems to be an artifact of
> the fact that rlm_ldap is supposed to fetch a "known good" password, but
> I don't have passwords in the LDAP database. rlm_ldap is indeed
> successful in authorizing, but there is no Auth-Type set to handle the
> authentication.
If you want to use PAM, you have to force it via Auth-Type.
> If I for example force Auth-Type to PAM in the users file (not good, I
> know), TTLS-negotiation is never run.
Because TTLS involves *two* authentication sessions: an outer one for
EAP-TTLS, and an inner "tunneled" session where the real user-name and
password are sent.
Follow my web site (deployingradius.com) to get EAP-TTLS working.
Once that's working, add LDAP authorization. Then, add PAM to the
*inner* tunnel section.
Alan DeKok.
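The three steps Alan lists (a working EAP-TTLS outer session, LDAP authorization, PAM forced only in the inner tunnel) written out as one configuration. This is an added illustration, not taken from Alan's post or from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x, an rlm_ldap instance already configured in raddb/modules/ldap (server, basedn, filter), the stock "inner-tunnel" virtual server, and a PAM service named "radiusd" (the rlm_pam default); the PAM stack behind that service name is the local system's and is not shown.

```conf
# Added example, not part of Alan's post or of the stock FreeRADIUS config.
# Assumptions: FreeRADIUS 2.x, rlm_ldap configured in raddb/modules/ldap,
# PAM service "radiusd" (rlm_pam default) exists on the server.

# raddb/eap.conf -- the OUTER session.  It only does the TLS handshake and
# hands the tunneled request to a separate virtual server.  Nothing about
# LDAP or PAM belongs here; forcing Auth-Type at this level is what stops
# the TTLS negotiation from running.
eap {
    default_eap_type = ttls
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
}

# raddb/modules/pam -- rlm_pam checks User-Password against this PAM
# service, so the inner method must be PAP (cleartext password in the
# tunnel).  An inner EAP-MSCHAPv2 or CHAP exchange cannot be handed to PAM.
pam {
    pam_auth = radiusd
}

# raddb/sites-available/inner-tunnel -- the INNER session.  This is the
# only place that sees the real User-Name and User-Password, and therefore
# the only place where LDAP authorization and the PAM Auth-Type go.
server inner-tunnel {
    authorize {
        # Strip any @realm so LDAP and PAM both see the bare user-name.
        suffix

        # rlm_ldap returns "ok" if the entry exists and "notfound" if not.
        # With no password attribute in LDAP it pulls no "known good"
        # password, so nothing downstream will set Auth-Type for us.
        ldap

        if (ok) {
            # Force PAM here, in the inner tunnel only.  The users file and
            # the outer server never see this request.
            update control {
                Auth-Type := PAM
            }
        }
        else {
            # "notfound" (no such user) and "fail" (LDAP unreachable) both
            # end here: fail closed rather than fall through to PAM with an
            # unverified user-name.
            reject
        }
    }

    authenticate {
        Auth-Type PAM {
            pam
        }
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

The separation into two virtual servers is the whole point: the outer request carries only EAP-Message and the TLS handshake, so an Auth-Type forced in the users file or the default server hijacks that handshake, while the inner request carries the tunneled PAP attributes and never consults the users file at all unless the inner-tunnel authorize section lists `files`. Debug with `radiusd -X` and confirm that `ldap` returns ok and that `Auth-Type = PAM` appears in the inner request before any client is pointed at the server.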