PAM authentication not working

Phil Mayers p.mayers at imperial.ac.uk
Sat Feb 9 11:31:59 CET 2013


On 02/08/2013 11:42 PM, Jaap Winius wrote:
> Quoting Alan DeKok <aland at deployingradius.com>:
>
>> No.  You can't turn off EAP.  The client is sending EAP to the server.
>> You need to change the client.  And likely you can't, because it
>> *needs* to do EAP.
>
> Indeed, the key_mgmt attribute in my wpa_supplicant.conf is set to
> WPA-EAP and it looks like that's my only option. But, if you're correct,
> then how is this supposed to work? You make it sound like a catch-22.

The choice of authentication algorithm (EAP) and any EAP-type are made 
client side.

Different EAP types have different requirements, in terms of what data 
you need to successfully authenticate a user - see here:

http://deployingradius.com/documents/protocols/compatibility.html
http://deployingradius.com/documents/protocols/oracles.html

PAM, as noted at the 2nd link, is an "oracle" that can *only* be used to 
authenticate PAP, and therefore EAP-TTLS/PAP.

Your client is doing EAP-TTLS/EAP-MD5.

You have two choices:

  1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be able 
to authenticate
  2. Stop using PAM, and provide the server with the client credentials 
in a form compatible with your EAP-type (see 1st URL above)

These are your only options.
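
Added example, not part of the original message: a wpa_supplicant.conf network block showing the client-side change described in option 1, with the EAP-TTLS/EAP-MD5 inner method commented out next to the EAP-TTLS/PAP replacement. The ssid, identities, password and certificate path are constructed placeholders.

```conf
# Constructed example network block; every value below is a placeholder.
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="placeholder-password"

    # Verify the RADIUS server certificate. With PAP the password itself
    # travels inside the TLS tunnel, so the tunnel endpoint must be trusted.
    ca_cert="/path/to/radius-ca.pem"

    # Before: EAP-MD5 as the inner method. This is a challenge/response
    # exchange, so the server never sees the password and has nothing
    # to hand to PAM.
    #phase2="autheap=MD5"

    # After: PAP as the inner method. The server receives the password
    # inside the tunnel and can pass it to PAM for checking.
    phase2="auth=PAP"
}
```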

