Radius Testing. EAP-TTLS, (GTC - PAP) SSHA Password

Alan DeKok aland at deployingradius.com
Wed Mar 28 13:53:35 CEST 2018

On Mar 28, 2018, at 7:34 AM, Mitch Sullivan <mitch.sullivan at swarm64.com> wrote:
> I've been rolling out an instance of freeradius in our environment. The documentation has been terrific and this mailing list also very helpful very helpful

  That's good to hear.

> I'm trying to use EAP - TTLS for authentication. I can bind to our IPA server without issue. I made a testing environment and was able to get accept packets without issue. However, while trying to test self-signed certificates in our live environment I encounter issue with what looks like problems with hashed passwords. (I think IPA uses salted MD5 hash passwords by default, but our environment uses SSHA1 passwords due to a migration from openLDAP).

  FreeRADIUS can handle any common password hashing mechanism.

> My implementation steps are.
> Install freeradius and freeradius ldap
> remove testing certs and generate self signed certs
> edit ldap module to bind to our IPA
> edit EAP module to set type to TTLS, input certificate info, and set TTLS tunnel type to GTC
> add Wifi AP to clients.conf

  That's good...

> below is the output from debug mode. I've blanked out any company information for security purposes.
> ...
> (6) server inner-tunnel {
> ...
> rlm_ldap (ldap): Reserved connection (0)
> (6) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (6) ldap:    --> (uid=PRIVATE)
> (6) ldap: Performing search in "PRIVATE" with filter "(PRIVATE)", scope "sub"
> (6) ldap: Waiting for search result...
> (6) ldap: User object found at DN "uid=(PRIVATE)"
> (6) ldap: Processing user attributes
> (6) ldap: control:Password-With-Header += '{SSHA}h5MDNNZSAO+XIU+/xk/oLfupxBPpbBMjLs7WXA=='

  That's good.

> (6) eap_gtc: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (6) eap_gtc:   Auth-Type PAP {
> (6) pap: Login attempt with password
> (6) pap: Comparing with "known-good" SSHA-Password
> (6) pap: ERROR: SSHA digest does not match "known good" digest
> (6) pap: Passwords don't match

  And that's the problem.

  The client has entered the wrong password.

  Use the right password and it will work.

  Alan DeKok.

More information about the Freeradius-Users mailing list