EAP/TLS -- FreeRadius -- 802.1x

phil lemelin phil.lemelin at gmail.com
Thu Mar 26 18:52:35 CET 2009


Following on my adventure with FreeRADIUS, I decided to enable MySQL and use
EAP-TTLS. Having my passwords in SQL, I now want to encrypt them (MD5) and
use them to authenticate my user.

After reading the protocol compatibility matrix, I saw that with EAP-TTLS,
with tunneled PAP, I should be able to do so.

I configured my client (wpa_supplicant) to use EAP=TTLS and
phase2="auth=PAP".

When I look into my radiusd -X log, I can see that I have a "Found Auth-Type
= PAP" then "+- entering group PAP {...}". So that confirms my supplicant is
correctly configured and that I have uncommented the correct lines in the
"sites-enabled/inner-tunnel" to have radius look into mysql.

Now the questions:

1- What do I set the "attribute" field to in the radcheck table to use MD5
passwords?
2- What do I set the "attribute" field to in the radgroupcheck, if I have to?
(I shouldn't have to, right? Decided by user unless I want to lock them out of
a method (read something like that in the radius files).)
3- Is there a good reference to set up the MySQL database to use
authentication? Frankly, the amount of questions and conflicting
information found on Google is not helping.

radiusd -X:

++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "unpassword"   <-- Password sent by supplicant
[pap] Using clear text password "$apr1$52gvO/..$3EWsna/pFsS3YSrKNmIcW0"   <-- Password in mysql table.


MySQL:

mysql> select * from radcheck;
+----+----------+-----------+----+---------------------------------------+
| id | username | attribute | op | value                                 |
+----+----------+-----------+----+---------------------------------------+
|  1 | myuser   | Password  | := | $apr1$52gvO/..$3EWsna/pFsS3YSrKNmIcW0 |
+----+----------+-----------+----+---------------------------------------+
1 row in set (0.00 sec)


-- 
Philippe-Alexandre Lemelin
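
The mismatch visible in the debug log above (a hash-shaped value handled as a clear text password), written as an audit check over pasted `radcheck` output. This is an added example, not part of the original post and not FreeRADIUS code; the function names are hypothetical, and the second sample row is constructed.

```python
import re

# Attributes compared as a known-good plaintext password. "Password" is the
# radcheck attribute in the post; the other two are named in its radiusd -X
# warning banner.
PLAINTEXT_ATTRS = {"Password", "User-Password", "Cleartext-Password"}

# Modular-crypt shaped value: $<scheme>$<salt>$<digest>
CRYPT_SHAPE = re.compile(r"^\$([A-Za-z0-9-]+)\$[^$]*\$.+$")

# Row 1 is the row from the post; row 2 is constructed for contrast.
SAMPLE = """
+----+----------+--------------------+----+---------------------------------------+
| id | username | attribute          | op | value                                 |
+----+----------+--------------------+----+---------------------------------------+
|  1 | myuser   | Password           | := | $apr1$52gvO/..$3EWsna/pFsS3YSrKNmIcW0 |
|  2 | other    | Cleartext-Password | := | example-plaintext                     |
+----+----------+--------------------+----+---------------------------------------+
"""

def parse_mysql_table(text):
    """Parse mysql client box output into a list of dicts keyed by column name.
    Assumption: no cell value contains a '|' character."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +---+ borders and "N rows in set" lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def find_mismatches(rows):
    """Return (username, attribute, scheme) for each row whose value looks like
    a crypt-style hash but is stored under a plaintext password attribute."""
    hits = []
    for row in rows:
        m = CRYPT_SHAPE.match(row.get("value", ""))
        if m and row.get("attribute") in PLAINTEXT_ATTRS:
            hits.append((row["username"], row["attribute"], m.group(1)))
    return hits

if __name__ == "__main__":
    for user, attr, scheme in find_mismatches(parse_mysql_table(SAMPLE)):
        print(f"{user}: {attr} holds a ${scheme}$ value that PAP compares as plaintext")
```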