Cross platform secure login on wpa2
henti at geekware.co.za
Wed Dec 14 22:36:18 CET 2016
On 14 December 2016 at 16:46, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Wed, Dec 14, 2016 at 04:29:04PM +0000, Henti Smith wrote:
> > Next I used the Edoroam freeradius for auth against kerberos guide on
> > https://www.eduroam.us/node/90 to setup kerberos authentication.
> That says use FreeRADIUS version 2. Use version 3 instead, v2 is
I'll test with version 3 tomorrow.
> > ./rad_eap_test -H localhost -S testing123 -u kerberos-test -p secret -P
> > 1812 -e PEAP -m WPA-EAP
> Noting that's PEAP, not TTLS.
With -e TTLS, same result.
> > However if I remove the local user and add "DEFAULT Auth-Type = Kerberos"
> > it stops working.
> Well yes, Auth-Type in the outer isn't Kerberos, it's EAP.
> Documentation everywhere says don't touch Auth-Type yourself. It
> says that for a reason.
I did use the guide at https://www.eduroam.us/node/90 which did state to
add it. I've removed it.
> > When I then test without EAP, using
> > radtest kerberos-test secret localhost 0 testing123
> > It's working.
> Because you set Auth-Type to Kerberos.
As per above, removed and now neither methods work.
> > What am I missing or not getting about getting them to work together to
> > allow users to log into the wireless with existing user/pass but
> encrypted ?
> Don't touch Auth-Type. FreeRADIUS can generally figure it out on
> its own.
> And if you're then still stuck, post a full debug output from
> 'radiusd -X' to the list.
> eapol_test from the wpasupplicant project is your friend here for
> testing EAP-TTLS/PAP.
Thanks for the heads up, will try again. the rad_eap_test is a nagios
wrapped around eapol_test.
More information about the Freeradius-Users