Definitive Word on FreeRadius/LDAP/EAP Requirements
amahler at sbc.edu
Fri Jun 26 15:53:13 CEST 2009
I've been going in circles - as have many (based on the posts I've
read all over the web) - trying to assemble a working combination of
Freeradius, Fedora Directory Server (LDAP), and a fleet of wireless
access points that seem to want to do EAP. I want anyone with a record
in my LDAP server to be able to authenticate via 802.1x from these
AP's. The records consist of uid, givenName, sn, mail and userPassword.
For starters, I was hoping to just ask a few key questions to try
to clear up various contradictory comments I've seen in the zillion
things I've read in the last 12 hours:
- Is it, in fact, possible to combine 802.1X, EAP, Freeradius and
Fedora Directory Server in this manner?
- If so (and I'm guessing it is possible), can someone clarify the
clear-text vs. encryption issues related to EAP and LDAP? By this, I
- Some have said EAP and LDAP can't be combined because LDAP
requires plain text passwords here and EAP doesn't play ball in that
- I've seen conflicting comments on whether the passwords need to
be clear-text in my LDAP database or not (or at least how Fedora DS
needs to handle its password encryption settings)
- Again, if this combination is possible, how far off from a -default-
install of the latest Freeradius would the configuration be? It's easy
to start making changes to the config and lose your bearings in short
order... and, of course, hundreds of lines of debug output scroll by
when doing a single 802.1X login attempt.
I've repeatedly been able to do radtest checks against LDAP with no
problems - but I realize that isn't involving EAP. I just say this to
confirm that my LDAP server and Freeradius can talk just fine.
I've had no problem with a file-based account with a clear-text
password working all the way through the 802.1X process from the AP
It's when I try to combine the two that things go off the rails.
I'll wrap this up with a copy from the debug log of the opening
request from an AP in case it helps a bit (IP address xxx'd out in my
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32774,
User-Name = "ldaptest"
NAS-IP-Address = 188.8.131.52
NAS-Port = 0
Called-Station-Id = "00-18-0A-30-00-BA:SBC WiFi"
Calling-Station-Id = "00-26-08-62-FD-6E"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0201000d016c64617074657374
Message-Authenticator = 0x51deb89362f5b9e1c391e88d255eeefa
This is followed by the first query (authorize) to the LDAP server
happening with TLS mode set to 1 (port 636 - should be a valid SSL
conversation) and it binding successfully using an administrative DN.
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
The account I'm testing (ldaptest) is, for the time being, stored on
the LDAP server with a clear-text password due to my questions above.
In the test above, I had added:
checkItem Cleartext-Password userPassword
to my ldap.attrmap. Without that line, the same login test results
rlm_ldap: performing search in ou=People,dc=sbc,dc=edu, with filter
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure
that the user is configured correctly?
[ldap] user ldaptest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
The conversation continues on through the TLS segment, offering the
example SSL cert to my connecting device (an iPhone talking to the AP
in this test), me approving the offered cert on the iPhone and - a
moment later - an error that the login/password are wrong.
If I start here - with a fresh Freeradius install, references to
LDAP uncommented, and basic LDAP parameters properly configured
(server, bind dn, base, etc) - could I get some clear points on how to
proceed with the configuration?
More information about the Freeradius-Users