Radius Testing. EAP-TTLS, (GTC - PAP) SSHA Password
Alan DeKok
aland at deployingradius.com
Wed Mar 28 13:53:35 CEST 2018
On Mar 28, 2018, at 7:34 AM, Mitch Sullivan <mitch.sullivan at swarm64.com> wrote:
> I've been rolling out an instance of freeradius in our environment. The documentation has been terrific and this mailing list has also been very helpful.
That's good to hear.
> I'm trying to use EAP-TTLS for authentication. I can bind to our IPA server without issue. I made a testing environment and was able to get accept packets without issue. However, while trying to test self-signed certificates in our live environment I encounter an issue with what looks like problems with hashed passwords. (I think IPA uses salted MD5 hash passwords by default, but our environment uses SSHA1 passwords due to a migration from openLDAP).
FreeRADIUS can handle any common password hashing mechanism.
> My implementation steps are:
>
> Install freeradius and freeradius ldap
>
> remove testing certs and generate self signed certs
>
> edit ldap module to bind to our IPA
>
> edit EAP module to set type to TTLS, input certificate info, and set TTLS tunnel type to GTC
>
> add Wifi AP to clients.conf
That's good...
> below is the output from debug mode. I've blanked out any company information for security purposes.
> ...
> (6) server inner-tunnel {
> ...
> rlm_ldap (ldap): Reserved connection (0)
> (6) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (6) ldap: --> (uid=PRIVATE)
> (6) ldap: Performing search in "PRIVATE" with filter "(PRIVATE)", scope "sub"
> (6) ldap: Waiting for search result...
> (6) ldap: User object found at DN "uid=(PRIVATE)"
> (6) ldap: Processing user attributes
> (6) ldap: control:Password-With-Header += '{SSHA}h5MDNNZSAO+XIU+/xk/oLfupxBPpbBMjLs7WXA=='
That's good.
> (6) eap_gtc: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (6) eap_gtc: Auth-Type PAP {
> (6) pap: Login attempt with password
> (6) pap: Comparing with "known-good" SSHA-Password
> (6) pap: ERROR: SSHA digest does not match "known good" digest
> (6) pap: Passwords don't match
And that's the problem.
The client has entered the wrong password.
Use the right password and it will work.
Alan DeKok.
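The debug output above shows rlm_pap taking the LDAP `{SSHA}` value as the "known good" digest and comparing it with the cleartext password that arrived through the GTC tunnel. The following is an added example (not code from the thread and not FreeRADIUS's own implementation) that reproduces that comparison offline: an OpenLDAP-style SSHA value is base64(SHA-1(password || salt) || salt), so the stored value is split into a 20-byte digest and a trailing salt, and the candidate password is hashed with that salt. Running it against a test account lets an administrator confirm whether the directory hash and the password the client typed actually agree before suspecting the RADIUS or EAP configuration. The `{SSHA}` value quoted from the post is included only to show that it is well-formed (28 bytes: 20-byte digest plus 8-byte salt); its password is not known here. `POSTED_HASH`, `make_ssha`, `split_ssha` and `verify_ssha` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Value quoted in the post's debug output; included only to check its structure.
POSTED_HASH = "{SSHA}h5MDNNZSAO+XIU+/xk/oLfupxBPpbBMjLs7WXA=="

SHA1_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(SHA1(password || salt) || salt).

    An 8-byte random salt is used when none is given, matching the salt length
    of the value in the post.
    """
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from a {SSHA} value; raise ValueError if malformed.

    Everything after the first 20 decoded bytes is the salt, which is how
    a PAP-style verifier recovers it from the stored value.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) < SHA1_LEN:
        raise ValueError("decoded value is shorter than a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(stored: str, password: str) -> bool:
    """Compare a cleartext password with a stored {SSHA} value.

    This is the check that fails with "SSHA digest does not match" when the
    cleartext sent by the client is not the one the hash was made from.
    """
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time compare, so the verifier does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    digest, salt = split_ssha(POSTED_HASH)
    print(f"posted hash: {len(digest)}-byte digest, {len(salt)}-byte salt")

    # Constructed test account: a known password with a fixed salt.
    stored = make_ssha("correct-password", b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print("right password:", verify_ssha(stored, "correct-password"))
    print("wrong password:", verify_ssha(stored, "Correct-password"))
```

If `verify_ssha` returns False for a password you are sure of, the directory entry was hashed from a different string (or with a scheme other than SSHA), which is a directory-side problem; if it returns True while the RADIUS debug still reports a mismatch, the cleartext reaching rlm_pap is not what the user typed and the supplicant or tunnel configuration is the place to look.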