Authentication using LDAP for 802.1x

Matthew Newton mcn4 at leicester.ac.uk
Wed Jun 19 15:16:58 CEST 2013


On Wed, Jun 19, 2013 at 02:49:21PM +0200, Olivier Beytrison wrote:
> On 19.06.2013 14:11, Marco Streich wrote:
> > We have deployed FreeRADIUS on OS X before, but our
> > configuration was rather ugly. What we would do is
> > authenticate users locally, having the machine attached to our
> > OpenDirectory server directly using the Connect Network
> > Account Server functionality provided by OS X.

> I will make it short and easy.
> 
> You can't do LDAP authentication with 802.1x. EAP needs the password of
> the user in cleartext. If it's not in your ldap, you're screwed.

Not entirely true.

With PAP (which is what radtest is doing) you can work
without a cleartext password, as auth is (generally) based on an
ldap bind.

With EAP-TTLS/PAP, you can also work with just the hash in ldap,
as (same as clear PAP) you get the password from the client to do
a bind with.

With EAP-TTLS/MSCHAP or PEAP/EAP-MSCHAP etc., you need the cleartext
password from ldap - auth is done by checking this in FreeRADIUS,
not by a bind to ldap.


> > [ldap] login attempt by "a4" with password "whatever"
> > [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
> >   [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
> >   [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to ldap.hopro.edu:389
> >   [ldap] waiting for bind result ...
> >   [ldap] Bind was successful
> > [ldap] user a4 authenticated successfully
> > ++[ldap] returns ok

> This works because you're doing PAP. With radtest the user password is
> sent in cleartext. So YES you can authenticate with ldap because you can
> BIND to the ldap with the provided password.
> 
> You don't have this password with 802.1x/EAP. You work only with
> challenges, hashes and keys.

Apple OS X can do EAP-TTLS/PAP as far as I am aware (native
Windows < 8 can't), so this should work. I don't recognise the
error you're getting, though - it looks like the client gave up
and sent an empty packet.

Note you don't need ldap configured in the outer for 802.1X to
work - the outer is just doing EAP. It's the inner that will need
the ldap modules.


Some other comments -

Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
2.2.x.

Save yourself some round trip packets by setting default_eap_type
= ttls in eap.conf

Save yourself some LDAP lookups by removing ldap from the outer.


Cheers

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
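An added configuration example, not from this thread or from the FreeRADIUS project, assuming the FreeRADIUS 2.2.x file layout (eap.conf, sites-enabled/default, sites-enabled/inner-tunnel) and leaving the tls {} certificate settings as distributed. It shows the split Matthew describes: EAP only in the outer server, and the LDAP bind for tunnelled PAP in the inner server.

```conf
# eap.conf: outer EAP settings. Offer TTLS first; the tls {} block
# (certificates) stays as shipped and is omitted here.
eap {
        default_eap_type = ttls
        ttls {
                # Tunnelled PAP is processed by the inner-tunnel virtual server
                virtual_server = "inner-tunnel"
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
}

# sites-enabled/default: outer server. No ldap here; the outer request
# only carries EAP and an (often anonymous) outer identity, so an LDAP
# lookup at this stage is a wasted round trip.
authorize {
        preprocess
        eap {
                ok = return
        }
}
authenticate {
        eap
}

# sites-enabled/inner-tunnel: this is where the directory is consulted.
server inner-tunnel {
        authorize {
                # The tunnelled request carries User-Password in cleartext
                # (protected by the TLS tunnel). With the module's default
                # set_auth_type behaviour, ldap sets Auth-Type = LDAP when
                # it finds no usable password attribute for the user.
                ldap
                pap
        }
        authenticate {
                # Bind as the user's DN with the supplied password: works
                # with only a hash (or nothing readable) in the directory.
                Auth-Type LDAP {
                        ldap
                }
                # Used instead if ldap returned a hash FreeRADIUS can check itself.
                Auth-Type PAP {
                        pap
                }
                # PEAP/EAP-MSCHAPv2 inside the tunnel would need the cleartext
                # password from the directory; a bind cannot satisfy it.
                eap
        }
}
```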
