freeradius using linux user passwd

Matthew Newton mcn4 at leicester.ac.uk
Wed Jul 10 14:07:02 CEST 2013


Hi,

On Tue, Jul 09, 2013 at 10:58:15AM -0700, Julian Macassey wrote:
> On 2013-07-09 at 10:18, Matthew Newton (mcn4 at leicester.ac.uk) wrote:
> > Try adding the following to the *top* of your users file:
> > 
> > evergreen Cleartext-Password := "pa55word", MS-CHAP-Use-NTLM-Auth := 0
> 
> When I use the users file, it works. In fact, every possible auth
> protocol works:
...
> 	I will persevere. I have seen that in the 1.* release
> there was an "Auth-Type System", which was for system username
> password. 

Auth-Type System is obsolete and likely won't do what you want.

What you want can be done, but you need to fix up some things.

First to note (as said before) and importantly, your client is
configured to use PEAP/MS-CHAPv2. That *won't* work with
/etc/passwd, full stop. There is no way to get that to work, so
there's no point looking any more.

If you change your client to use EAP-TTLS/PAP, then you should be
able to get it to work. This is because the client will then send
the cleartext password (inside the TTLS encrypted tunnel) which
can be used to check against the /etc/shadow hash.

In your modules directory, configure 'passwd' to read the
/etc/passwd or /etc/shadow file appropriately.
Make sure that freeradius has permission to read shadow, which is
normally restricted.

In your sites-enabled/inner-tunnel file, add 'etc_passwd' (or
whatever the name of the passwd module is in modules/passwd) into
the authorize section near the top (definitely above 'pap').

In your eap.conf you can edit default_eap_type to be 'ttls' to
save a bit of negotiation time when connecting, and then in the
ttls{} section set default_eap_type to pap.

Then watch the debug output and make sure that the client is doing
EAP-TTLS/PAP. If not, fix the client as otherwise there's no
chance of getting it to work. Macs and Linux should be OK.

You might have problems if the system is using the newer $n$....
type passwords. It will be possible to get working, but might
be harder to check if the password is OK. Try the above and send
full debug output if it's still failing.

Cheers

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
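Added example (not from the list post or the FreeRADIUS distribution): the three configuration fragments the reply above walks through, written for a FreeRADIUS 2.x directory layout. Option names follow rlm_passwd and eap.conf; the module name etc_passwd, the file paths and the comments are assumptions.

```conf
# modules/passwd -- read /etc/shadow and expose each user's crypt(3) hash
# as control:Crypt-Password, so that 'pap' can verify the cleartext
# password the client sends inside the TTLS tunnel.
# /etc/shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
passwd etc_passwd {
	filename = /etc/shadow
	# '*' marks the key field; the second field becomes Crypt-Password.
	format = "*User-Name:Crypt-Password:"
	hash_size = 100
	ignore_nislike = no
	allow_multiple_keys = no
}
# radiusd must be able to read /etc/shadow. Granting the radiusd service
# user membership of the 'shadow' group is the usual way to do this
# without running the daemon as root (assumption: Debian-style layout).

# sites-enabled/inner-tunnel -- the virtual server used inside EAP-TTLS.
# Only the entries relevant to this setup are shown; keep the rest of the
# distributed file as it is.
authorize {
	etc_passwd      # must run before 'pap', which needs Crypt-Password set
	pap
}

authenticate {
	Auth-Type PAP {
		pap     # compares the tunnelled cleartext against the crypt hash
	}
}

# eap.conf -- offer TTLS first, and PAP as the inner method.
eap {
	default_eap_type = ttls
	ttls {
		default_eap_type = pap
		virtual_server = "inner-tunnel"
	}
}
```

With this in place, `radiusd -X` should show the inner-tunnel request reaching `pap` with `Auth-Type = PAP`; if it shows MS-CHAPv2 instead, the client is still configured for PEAP and must be changed.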

