Yet another Freeradius+openldap eap-ttls pap issue
Work
piepoli.antonio at gmail.com
Thu Nov 28 16:13:24 CET 2013
Hello Alan, thanks for the reply.
I will try to recap how the whole process should perform, IMHO.
There are two virtual servers:
- default
- inner-tunnel
The default should authenticate clients using the PAP method (for VPN
remote access) and will be responsible for the creation and
maintenance of the TLS tunnel with the supplicant (for EAP-TTLS/PAP).
In the TLS tunnel the supplicant will perform the PAP that will be
authenticated by the inner-tunnel virtual server.
Since I'm using an OpenLDAP repository the PAP method is performed this
way: FreeRADIUS binds to the LDAP server as admin (or any
administrator user), looks for the username and password of the
supplicant and performs the password comparison (eventually using the
hash method specified in the userPassword attribute). Is this correct?
I've read online that there is the "oracle" mode to authenticate users
against ldap. If I'm not wrong the oracle mode would still be fine for
PAP even if it is a bit less powerful.
Both default and inner PAP authentication work great (and perform the
same operations according to the debug).
Of course I've read the debug output from the previous test but I don't
know where to look for the "guilty" line (since it's not a default
config but someone else had worked a bit).
If the analysis is correct I would expect that the eap module changes
the Auth-Method, but I can't see any ldap line in eap.conf.
Thanks
On 28/11/2013 14:58, Alan DeKok wrote:
> Work wrote:
>> I think I've successfully configured freeradius for the pap
>> authentication with openldap since the radtest returns ok.
> Read raddb/sites-available/inner-tunnel. It describes how to test the
> *inner* portion of EAP. You should test that before going to the full
> EAP tests.
>
>> is this ugly? My company does not want to add radiuschema to the users.
> It's fine.
>
>> These are the configs:
> We don't want the configs. They're not helpful.
>
>> the debug from radius is:
> Helpful.
>
>> [ldap] Added User-Password = {MD5}tQzXLan1f4v2iAMD/1t2Ig== in check items
> Which seems OK.
>
>> Found Auth-Type = LDAP
>> +- entering group LDAP {...}
>> [ldap] Attribute "User-Password" is required for authentication.
>> You seem to have set "Auth-Type := LDAP" somewhere.
>> THAT CONFIGURATION IS WRONG. DELETE IT.
>> YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
> What part of that message is unclear?
>
>> Thank you :), hope I'm not missing something stupid, I've read a lot of
>> documentation here and there.
> Reading the debug output helps. Don't force "Auth-Type := ldap". The
> default configuration does NOT do this. So the only way it happens is
> if you changed the configuration to do this.
>
> Delete that, and it will work.
>
>> ps. password on the LDAP are stored in hash form.
> Which means you can only use EAP-TTLS / PAP. All other EAP types will
> *not* work.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
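As an added illustration that is not part of the thread, the forced setting Alan objects to is shown beside the default flow the thread describes (ldap in authorize supplying the User-Password check item, pap doing the comparison). File names and sections follow the standard FreeRADIUS 2.x raddb layout; the exact neighbouring entries in a real configuration are assumed, and the same authorize/authenticate layout is assumed to be used in sites-available/inner-tunnel for the EAP-TTLS inner request.

```conf
# --- Wrong: Auth-Type forced somewhere in raddb (typically raddb/users, assumed) ---
# This is what yields "Found Auth-Type = LDAP" in the debug output and then
# "[ldap] Attribute "User-Password" is required for authentication."
DEFAULT Auth-Type := LDAP

# --- Corrected: no forced Auth-Type (same layout for default and inner-tunnel) ---
# The ldap module runs in authorize, binds with the administrator credentials
# configured in modules/ldap, reads the user's userPassword hash and adds it
# as a User-Password check item ("[ldap] Added User-Password = {MD5}..." in
# the debug). The pap module then sets Auth-Type = PAP and, in authenticate,
# compares the supplicant's clear-text PAP password against that hash.
authorize {
    preprocess
    suffix
    eap {
        ok = return
    }
    files
    ldap
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}
```

Because only a clear-text password can be compared against a stored hash, this layout supports PAP and EAP-TTLS/PAP, which is the restriction Alan states for hashed LDAP passwords.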