Definitive Word on FreeRadius/LDAP/EAP Requirements

Aaron Mahler amahler at sbc.edu
Fri Jun 26 15:53:13 CEST 2009


  Hello!

   I've been going in circles - as have many (based on the posts I've  
read all over the web) - trying to assemble a working combination of  
Freeradius, Fedora Directory Server (LDAP), and a fleet of wireless  
access points that seem to want to do EAP. I want anyone with a record  
in my LDAP server to be able to authenticate via 802.1x from these  
AP's. The records consist of uid, givenName, sn, mail and userPassword.

   For starters, I was hoping to just ask a few key questions to try  
to clear up various contradictory comments I've seen in the zillion  
things I've read in the last 12 hours:

- Is it, in fact, possible to combine 802.1X, EAP, Freeradius and  
Fedora Directory Server in this manner?

- If so (and I'm guessing it is possible), can someone clarify the  
clear-text vs. encryption issues related to EAP and LDAP? By this, I  
mean:

   - Some have said EAP and LDAP can't be combined because LDAP  
requires plain text passwords here and EAP doesn't play ball in that  
manner
   - I've seen conflicting comments on whether the passwords need to  
be clear-text in my LDAP database or not (or at least how Fedora DS  
needs to handle its password encryption settings)

- Again, if this combination is possible, how far off from a -default-  
install of the latest Freeradius would the configuration be? It's easy  
to start making changes to the config and lose your bearings in short  
order... and, of course, hundreds of lines of debug output scroll by  
when doing a single 802.1X login attempt.

   I've repeatedly been able to do radtest checks against LDAP with no  
problems - but I realize that isn't involving EAP. I just say this to  
confirm that my LDAP server and Freeradius can talk just fine.

   I've had no problem with a file-based account with a clear-text  
password working all the way through the 802.1X process from the AP  
using EAP.

   It's when I try to combine the two that things go off the rails.

   I'll wrap this up with a copy from the debug log of the opening  
request from an AP in case it helps a bit (IP address xxx'd out in my  
paste):

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32774,  
id=6, length=156
	User-Name = "ldaptest"
	NAS-IP-Address = 6.48.0.186
	NAS-Port = 0
	Called-Station-Id = "00-18-0A-30-00-BA:SBC WiFi"
	Calling-Station-Id = "00-26-08-62-FD-6E"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11"
	EAP-Message = 0x0201000d016c64617074657374
	Message-Authenticator = 0x51deb89362f5b9e1c391e88d255eeefa

  This is followed by the first query (authorize) to the LDAP server  
happening with TLS mode set to 1 (port 636 - should be a valid SSL  
conversation) and it binding successfully using an administrative DN.

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful

  The account I'm testing (ldaptest) is, for the time being, stored on  
the LDAP server with a clear-text password due to my questions above.

   In the test above, I had added:

checkItem	Cleartext-Password		userPassword

   to my ldap.attrmap. Without that line, the same login test results  
in:

rlm_ldap: performing search in ou=People,dc=sbc,dc=edu, with filter  
(uid=ldaptest)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure  
that the user is configured correctly?
[ldap] user ldaptest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok


   The conversation continues on through the TLS segment, offering the  
example SSL cert to my connecting device (an iPhone talking to the AP  
in this test), me approving the offered cert on the iPhone and - a  
moment later - an error that the login/password are wrong.

   If I start here - with a fresh Freeradius install, references to  
LDAP uncommented, and basic LDAP parameters properly configured  
(server, bind dn, base, etc) - could I get some clear points on how to  
proceed with the configuration?

Thanks!
  - Aaron








More information about the Freeradius-Users mailing list