EAP-TTLS/PAP with OpenLDAP user store
Fajar A. Nugraha
list at fajar.net
Tue Mar 6 19:53:16 CET 2012
On Wed, Mar 7, 2012 at 12:32 AM, Stefano Zanmarchi <zanmarchi at gmail.com> wrote:
> Hi,
> my aim is to have eap-ttls/pap working using an openldap user
> database with MD5
> hashed passwords. I got it working configuring ldap parameters in
> /etc/raddb/modules/ldap
> and applying two changes in /etc/raddb/sites-available/inner-tunnel:
> 1) uncommented "ldap" in the authorize section
> 2) uncommented these lines in the authenticate section:
> Auth-Type LDAP {
> ldap
> }
> Am I doing it right?
The documentation advised against that.
Instead, you should find out which LDAP attribute stores your
MD5-password, add the correct mapping to ldap.attrmap, and leave
Auth-Type section commented-out.
It shouldn't affect the result though, since you don't have
cleartext-password stored in LDAP.
> What puzzles me is the following comment in the authenticate section that seems
> to warn me not to do what I have done ("EAP won't work"):
> # Uncomment it if you want to use ldap for authentication
> #
> # Note that this means "check plain-text password against
> # the ldap database", which means that EAP won't work,
> # as it does not supply a plain-text password.
AFAIK that section refers to EAP-PEAP-MSCHAPv2, the most commonly-used EAP type.
See http://wiki.freeradius.org/Protocol%20Compatibility
Regardless of whether you use Auth-Type or not, you will still only be
able to use PAP, TTLS-PAP, or EAP-GTC, as those are the ones that
provide the user password in clear text.
--
Fajar
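As an added illustration (not code from the thread or from FreeRADIUS), the following Python verifier checks a cleartext password against RFC 2307-style hashed userPassword values ({MD5}, {SMD5}, {SHA}, {SSHA}), which is the comparison the pap module ends up doing once the ldap module has mapped the attribute into a control item; it makes concrete why only methods that deliver the cleartext password (PAP, TTLS-PAP, EAP-GTC) can be checked against such an entry. The sample password and salt are constructed.

```python
import base64
import hashlib
import hmac

# RFC 2307 {scheme}base64 values; the salted schemes append the salt to
# the digest inside the base64 payload.
_DIGESTS = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
            "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
_SALTED = {"SMD5", "SSHA"}

def make_hash(scheme, password, salt=b""):
    """Build a userPassword value such as {SMD5}base64(digest + salt)."""
    digest = _DIGESTS[scheme](password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def check_password(stored, cleartext):
    """True if cleartext matches the stored hash; False for anything odd."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _DIGESTS:
        return False  # unknown scheme: refuse rather than guess
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    size = _DIGESTS[scheme]().digest_size
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (salt and scheme not in _SALTED):
        return False
    # The server must re-hash the cleartext it received (TTLS/PAP inner
    # tunnel) with the stored salt; a challenge/response exchange such as
    # MSCHAPv2 never hands the server the password, so this step cannot run.
    expected = _DIGESTS[scheme](cleartext.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)

if __name__ == "__main__":
    # Constructed sample entry with a fixed salt for reproducibility.
    entry = make_hash("SMD5", "secret", salt=b"\x01\x02\x03\x04")
    print(entry, check_password(entry, "secret"), check_password(entry, "wrong"))
```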