Using privacyIDEA to authenticate to WiFi with 2FA/Token
Alan DeKok
aland at deployingradius.com
Sat Nov 26 16:33:54 CET 2016
On Nov 26, 2016, at 7:02 AM, Muenz, Michael <m.muenz at spam-fetish.org> wrote:
>
> I have a running setup with privacyIDEA to authenticate VPN users via Token.
> There's a perl module redirecting the token stuff to the local webserver doing their magic.
> In order to run this setup I have to set Default Auth Type to perl in users file.
You need to give a password to Perl. That's the only authentication method which will work.
> Now I have a customer asking to extend WiFi security with tokens.
> My thought was no big deal, but there's EAP! :)
>
> After some google it was clear to use TTLS and PAP. First problem, when I setup my AP's for radius and Default Auth is perl, EAP won't get called.
Yes... telling the server to not do EAP means it doesn't do EAP.
> OK, then I set Default Auth to EAP and bang, EAP starts and everything seems to run fine in inner-tunnel.
> But then I want to bump perl in authenticate section to give the request to the web server.
OK, that works for PAP. Not much else.
> What now happens is, that perl won't get recognized and instead again Default Auth is chosen and it tries to do MD5.
EAP-MD5, which isn't PAP.
> I played around with ttls and md or gtc, inserted perl in authorized section and so on, nothing worked.
Trying random things isn't a good way to solve problems. It's best to understand how things work.
In this case, the EAP module handles the outer tunnel. If the inner-tunnel authentication contains PAP, you can put the "perl" module into the authenticate section, as:

    authenticate {
        ...
        Auth-Type PAP {
            perl
        }
        ...
    }

Which is probably the simplest thing to do. EAP-GTC will work, too, but why do that when you have PAP?
As for the other authentication methods, see:
http://deployingradius.com/documents/protocols/compatibility.html
You just cannot use anything other than PAP with Perl. At least, in the way you want to do.
Alan DeKok.
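
Added example (not part of the original message, and not FreeRADIUS or privacyIDEA code): a Python model of why a module that forwards the password to a check-only token service can decide an inner-tunnel PAP request but not an EAP-MD5 one. The backend class, the EAP-MD5 field labels and the sample OTP are assumptions constructed for illustration.

```python
import hashlib
import hmac

def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response value per RFC 1994: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

class CheckOnlyBackend:
    """Hypothetical token service: answers yes/no for a submitted OTP and
    never discloses the expected value to the RADIUS server."""
    def __init__(self, otps):
        self._otps = otps  # constructed sample data: user -> current OTP

    def check(self, user: str, password: str) -> bool:
        expected = self._otps.get(user)
        if expected is None:
            return False  # unknown user, never compare against an empty default
        return hmac.compare_digest(expected.encode(), password.encode())

def inner_authenticate(request: dict, backend: CheckOnlyBackend) -> str:
    """Decide an inner-tunnel request the way a password-forwarding module must."""
    user = request.get("User-Name", "")
    if "User-Password" in request:
        # PAP: the cleartext password is in the request and can be forwarded.
        ok = backend.check(user, request["User-Password"])
        return "Access-Accept" if ok else "Access-Reject"
    # EAP-MD5: only a one-way hash over the password and a fresh challenge
    # arrived, so there is nothing to hand to a check-only backend.
    return "Access-Reject (no cleartext password to forward)"

# Constructed sample requests; the EAP-MD5 keys are illustrative labels only.
BACKEND = CheckOnlyBackend({"alice": "492039"})
PAP_OK = {"User-Name": "alice", "User-Password": "492039"}
PAP_BAD = {"User-Name": "alice", "User-Password": "000000"}
CHALLENGE = bytes(range(16))
MD5_REQ = {"User-Name": "alice", "EAP-MD5-Challenge": CHALLENGE,
           "EAP-MD5-Response": eap_md5_response(7, b"492039", CHALLENGE)}

if __name__ == "__main__":
    for name, req in (("PAP ok", PAP_OK), ("PAP bad", PAP_BAD), ("EAP-MD5", MD5_REQ)):
        print(name, "->", inner_authenticate(req, BACKEND))
```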