EAP + TLS + Unix passwords
Bjørn Mork
bjorn at mork.no
Thu Nov 19 20:26:16 CET 2009
Andy Theuninck <gohanman at gmail.com> writes:
> I'm trying to set up freeradius to handle WPA authentication on my
> network. I've managed to get the AP & radius servers talking to one
> another and the SSL certificates loaded and configured, but I can't
> figure out how to get the username & passwords checked against the
> local /etc/shadow file. Free radius version is 1.1.3, latest binary
> provided by my version of CentOS.
Well, I guess you already know this but you should really get something
newer...
> The client attempting to connect is
> Mac OS X 10.4. In a perfect world, I'd like to support both OS X and
> Windows XP with names & passwords checked against /etc/shadow.
I think that might be difficult. Windows will want to use mschap, which
requires a cleartext password. Everything is working just as it should
this far:
> modcall: leaving group authorize (returns ok) for request 3
> rad_check_password: Found Auth-Type MS-CHAP
> auth: type "MS-CHAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 3
But then it fails, as you don't have any Cleartext-Password (aka
"User-Password" in FreeRADIUS 1.x language):
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for andy with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns reject for request 3
> modcall: leaving group MS-CHAP (returns reject) for request 3
> auth: Failed to validate the user.
The easiest would be to just forget /etc/shadow and configure cleartext
passwords for your WPA users. You might try some inner authentication
module supporting encrypted passwords (PAP?) but I don't know if that'd
ever work with Windows...
Bjørn
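
Why the debug log above ends in a reject, as an added example (not part of the original message and not FreeRADIUS code): a simplified model showing that a salted one-way hash can verify PAP but cannot answer an MS-CHAP style challenge. PBKDF2-SHA256 stands in for the crypt(3) hash in /etc/shadow, and SHA-256/HMAC stand in for MS-CHAP's MD4 NT hash and DES response; all function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Stand-ins (assumptions, not the real algorithms): PBKDF2-SHA256 replaces the
# salted crypt(3) hash in /etc/shadow; SHA-256 replaces the unsalted MD4
# "NT hash"; HMAC replaces the DES step of the MS-CHAP response.

def shadow_entry(password: str, salt: bytes) -> bytes:
    """Salted one-way hash, as kept in /etc/shadow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

def nt_hash_standin(password: str) -> bytes:
    """Unsalted hash of the UTF-16LE password (real MS-CHAP uses MD4 here)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password: str, challenge: bytes) -> bytes:
    """What the supplicant sends; the password itself never crosses the wire."""
    return hmac.new(nt_hash_standin(password), challenge, hashlib.sha256).digest()

def pap_check(sent_password: str, salt: bytes, stored: bytes) -> bool:
    """PAP: the server receives the password, so it can re-hash and compare."""
    return hmac.compare_digest(shadow_entry(sent_password, salt), stored)

def mschap_check(response: bytes, challenge: bytes,
                 server_key: Optional[bytes]) -> bool:
    """Challenge-response: the server needs the same key the client derived."""
    if server_key is None:  # the "No NT/LM-Password" case in the log
        return False
    expected = hmac.new(server_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "constructed-pw"  # constructed sample value
    salt, challenge = os.urandom(8), os.urandom(16)
    stored = shadow_entry(password, salt)
    resp = client_response(password, challenge)
    return {
        "pap_with_shadow": pap_check(password, salt, stored),
        "mschap_no_key": mschap_check(resp, challenge, None),
        "mschap_shadow_hash_as_key": mschap_check(resp, challenge, stored),
        "mschap_from_cleartext": mschap_check(
            resp, challenge, nt_hash_standin(password)),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```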