trying to get PAP-inside-TTLS working for PAM

Alan DeKok aland at deployingradius.com
Fri Jan 29 01:37:39 CET 2016


On Jan 28, 2016, at 6:53 PM, Michael Martinez <mwtzzz at gmail.com> wrote:
> 
> I am running freeradius-2.1.12.

  Upgrade.  Please.  That version is over 5 years old.  There are few reasons to use such an old version.  The only acceptable reason is "it works, and we're not touching the system".

  As soon as you're looking to make changes... upgrade.

> According to the last post of the following
> thread -
> http://lists.freeradius.org/pipermail/freeradius-users/2013-February/064927.html
> - it is possible to get radius to authenticate against PAM by configuring
> it to use PAP inside of TTLS. The first and final posts of that thread
> provide the configuration that the poster used to get it working.

  PAM is intended to be used once, and never again by an application.  This will likely result in memory leaks inside of the PAM code.  We can't fix that.

> This configuration works perfectly for ssh clients. It works for both ldap
> users and local unix users who ssh in from another linux box. I can see in
> /var/log/auth.log and the radius debug log that the user's verification code
> is being checked and that their password is being checked against ldap.

  That's something at least.

> But this setup is not working for network devices such as iPad, that are
> connecting to a wireless access point, and trying to login with an ldap
> user.

  Because you forced Auth-Type = PAM.  Don't do that.  The documentation and recommendations for the past DECADE have said don't do that.

  PAM doesn't do 802.1X authentication.  FreeRADIUS has to do that itself.

  You need to set "Auth-Type = PAM" *only* when there's no EAP-Message in the packet.  And, you need to find a way to authenticate users in the "inner-tunnel" virtual server.

  And upgrade.  Please.  And don't use PAM.

  Alan DeKok.
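The configuration shape Alan describes, written out as an added example (it is not from this thread, not from the FreeRADIUS distribution, and not endorsed by Alan, whose advice is to avoid PAM). It assumes the stock layout of a 2.x/3.x install: an outer virtual server in sites-enabled/default that handles the 802.1X request from the access point, an inner-tunnel virtual server that handles the decrypted PAP request inside TTLS, and the rlm_pam module enabled in modules/ with its default settings. The "weak" block is the pattern Alan objects to; the corrected blocks set Auth-Type PAM only when the packet carries no EAP-Message, so EAP stays with the eap module:

```unlang
# ---- WEAK (the setup Alan objects to) -- sites-enabled/default ----
# Forcing PAM for every request means 802.1X clients (iPad on Wi-Fi)
# never reach the eap module, so EAP-TTLS never starts.
authorize {
	preprocess
	update control {
		Auth-Type := PAM
	}
}

# ---- CORRECTED -- sites-enabled/default (outer, sees the AP's request) ----
authorize {
	preprocess

	# Let the eap module claim anything with an EAP-Message and stop
	# processing the rest of authorize for it.
	eap {
		ok = return
	}

	# Only a plain non-EAP request (e.g. pam_radius on an SSH box sending
	# User-Password) is handed to PAM.  Never force this unconditionally.
	if (!EAP-Message) {
		update control {
			Auth-Type := PAM
		}
	}
}

authenticate {
	Auth-Type PAM {
		pam
	}
	eap
}

# ---- CORRECTED -- sites-enabled/inner-tunnel (sees the PAP request
#      decrypted out of the TTLS tunnel) ----
# With PAP inside TTLS the inner request carries a cleartext
# User-Password and no EAP-Message, so the same test applies here.
# Using PAM in the tunnel is the original poster's approach (an assumption
# of this example); Alan's caveat about rlm_pam leaking memory when called
# repeatedly from a daemon still holds.  A PEAP/EAP-MSCHAPv2 inner request
# does carry an EAP-Message and stays with the eap module.
authorize {
	eap {
		ok = return
	}
	if (!EAP-Message && User-Password) {
		update control {
			Auth-Type := PAM
		}
	}
}

authenticate {
	Auth-Type PAM {
		pam
	}
	eap
}
```

Run `radiusd -X` after the change and confirm in the debug output that an 802.1X request from the AP is handled by `eap` in the outer server and that only the inner-tunnel request (or a plain SSH/pam_radius request) ever shows `Auth-Type = PAM`.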
