EAP-TTLS Not working

Matthew Newton mcn4 at leicester.ac.uk
Fri Sep 2 17:37:52 CEST 2016


On Fri, Sep 02, 2016 at 04:43:39PM +0200, Matthew Pulis wrote:
> thanks for your help. A few questions:
> 
> Setting Phase 2 auth - where? in mods-enabled/eap ?

As others have said.

And on the client.

> When you (Matthew) referred to move "ldap" from the outer
> (sites-enabled/default) to the inner (sites-enabled/inner-tunnel) as well
> are you referring to the LDAP-Group block? .. ie this:
> 
> if (Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") {
>  update reply {
>  Tunnel-Type := "VLAN",
>  Tunnel-Medium-Type := "802",
>  Tunnel-Private-Group-ID := "12"
>  }
> }

That should probably be in inner post-auth, and update outer.reply.

You need to call "ldap" in the inner to get the password relating
to the inner username (the outer one can be spoofed, so someone
could log in with their own credentials, but spoof someone else's
username and potentially get onto a different VLAN).

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
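The placement described in the reply above, written out as an added illustration rather than configuration taken from the thread: "ldap" is called in the inner-tunnel authorize section so the password and group lookup use the authenticated inner identity, and the VLAN assignment is made from inner post-auth into outer.reply. It assumes FreeRADIUS 3.x unlang syntax, and "..." stands for the rest of the stock section contents.

```unlang
# sites-enabled/inner-tunnel  (handles the EAP-TTLS inner request)
server inner-tunnel {
    authorize {
        ...
        # Look up the INNER User-Name in LDAP. The outer identity can be
        # anything the client chooses, so only the inner one is trusted
        # for the password check and for group membership.
        ldap
        ...
    }

    authenticate {
        ...
        # Inner PAP is checked against the password attribute that the
        # ldap call above fetched for the inner user.
        pap
        ...
    }

    post-auth {
        # Group membership is evaluated against the user who actually
        # authenticated. The reply attributes are written to the OUTER
        # reply, which is what the switch/AP receives in Access-Accept.
        if (Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") {
            update outer.reply {
                Tunnel-Type := "VLAN",
                Tunnel-Medium-Type := "802",
                Tunnel-Private-Group-ID := "12"
            }
        }
        ...
    }
}
```

The same Ldap-Group block in sites-enabled/default would be evaluated against the outer (unauthenticated) User-Name, which is the spoofing problem the reply describes.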

