EAP-PEAP GTC auth_type
Fajar A. Nugraha
fajar at fajar.net
Wed Feb 25 10:51:19 CET 2009
Hi,
I'm trying to set up freeradius 2.1.3 as a radius for wifi security. The
setup is as follows:
- AP is running dd-wrt, Wireless Security set Security Mode=radius
- Client (Ubuntu Hardy) is set up using network-manager, connecting to the
wireless network using settings: Wireless Security=WPA2 Enterprise, EAP
Method=PEAP, Key Type=Dynamic WEP, Phase2 Type=GTC
- on freeradius the relevant eap.conf section follows
#==============================================
eap {
    default_eap_type = peap
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        cache {
            enable = no
            max_entries = 255
        }
    }
    peap {
        default_eap_type = gtc
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
}
#==============================================
I have the ldap (ldap.conf) and pam sections (in radiusd.conf) correctly
set up so that I can authenticate (tested with radtest) using system
users (with pam) or an LDAP user. Obviously EAP is not involved here yet.
The comments in eap.conf say
# The plain-text response which comes back
# is put into a User-Password attribute,
# and passed to another module for
# authentication. This allows the EAP-GTC
# response to be checked against plain-text,
# or crypt'd passwords.
There's also this comment in ldap.conf
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
Now I'm assuming what happens when I use PEAP-GTC with a system user is that:
- eap calls peap
- peap calls gtc
- gtc calls PAP
- PAP calls pam
in which case GTC should receive the password in clear text (which is
also visible in the radiusd -X output).
Now the question: Can I set GTC to authenticate against LDAP?
Using a SYSTEM user with auth_type = PAP in the gtc section works (tested with
a wireless client):
#==============================================
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group PAP {...}
[pap] login attempt with password "<My system password here>"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok
rlm_eap_gtc: Everything is OK.
[eap] Freeing handler
++[eap] returns ok
Login OK: [<My system user here>] (from client <My client name here>
port 0 via TLS tunnel)
#==============================================
but using an LDAP user with auth_type = PAP in the gtc section does not work:
#==============================================
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group PAP {...}
[pap] login attempt with password "<My LDAP password here>"
[pap] No password configured for the user. Cannot do authentication
++[pap] returns fail
[eap] Handler failed in EAP/gtc
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [<My LDAP user here>] (from client <My client name
here> port 0 via TLS tunnel)
#==============================================
... and setting auth_type = LDAP in the gtc section (obviously) does not work:
#==============================================
rlm_eap_gtc: Unknown Auth-Type LDAP
rlm_eap: Failed to initialize type gtc
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate
section.
#==============================================
Is there any way I can get this to work? i.e. having eap -> peap -> gtc
-> PAP -> LDAP
Regards,
Fajar
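As an added example (not part of Fajar's message and not the project's stock files), this is the shape the configuration takes for the eap -> peap -> gtc -> LDAP path the question asks about. It rests on one assumption, drawn from the "Unknown Auth-Type LDAP" error above and the stock FreeRADIUS 2.x inner-tunnel layout: the name given in gtc's auth_type must exist as an "Auth-Type NAME { ... }" subsection of the inner-tunnel authenticate section, exactly as "PAP" already does. The ldap.conf bind settings are assumed to be the ones that already work with radtest.

```conf
# eap.conf (relevant part). GTC hands the clear-text password it received
# inside the TLS tunnel to the Auth-Type named here, so the inner tunnel
# must define that Auth-Type. As the debug output above shows, this
# password is printed by radiusd -X, so treat debug logs as sensitive.
eap {
    default_eap_type = peap
    gtc {
        # "PAP" works because inner-tunnel ships with "Auth-Type PAP { pap }".
        # "LDAP" only works once a matching subsection exists (assumption).
        auth_type = LDAP
    }
    peap {
        default_eap_type = gtc
        virtual_server = "inner-tunnel"
    }
}

# sites-enabled/inner-tunnel (relevant part)
server inner-tunnel {
    authorize {
        # Lets ldap see the inner request's User-Name. The bind itself
        # happens in the authenticate section, so the bind DN does not
        # need read access to userPassword (which is why pap reported
        # "No password configured for the user" above).
        ldap
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        # This subsection is what registers the Auth-Type value "LDAP"
        # that gtc's auth_type refers to. It has to be parsed before the
        # eap module is instantiated, so keep it above "eap".
        Auth-Type LDAP {
            ldap
        }
        eap
    }
}
```

With this in place the debug output should show "[gtc] +- entering group LDAP {...}" followed by the ldap module's bind result instead of the PAP group seen above.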