TLS-EAP with Yubikey module

Alan DeKok aland at deployingradius.com
Wed May 23 18:49:54 CEST 2018


On May 23, 2018, at 11:51 AM, Jeroen van Kessel <krabbedoelie at hotmail.com> wrote:
> 
> I am trying to set up FreeRADIUS 3.0.12 ARM (Pi3) with Yubikeys to authenticate on the 802.1X TP-Link EAP245 access point.
> 
> Installed:
> latest raspbian, freeradius plus freeradius-yubikey
> 
> Local radtest authentication works through PAP. However, the access point is establishing a TLS-EAP connection with FreeRADIUS. The YubiKey does not process the YubiKey one-time password according to the debugger:
> 
> (1) yubikey: No cleartext password in the request. Can't do Yubikey authentication

  That's pretty clear.

> Is TLS-EAP supported with the YubiKey module on FreeRADIUS? If so, what am I doing wrong?

  Using correct terminology helps.  It's EAP-TLS, not TLS-EAP.

  You can use Yubikey, so long as there's a User-Password in the packet.  This means EAP-TTLS, with PAP inside of the tunnel.

  It doesn't mean PEAP with MS-CHAP.

> My users file:

  Please read: http://wiki.freeradius.org/list-help

  Giving random information isn't useful.  Copying default configuration files to the list isn't useful.

  Reading the debug output *is* useful.

> (7) mschap: Found Cleartext-Password, hashing to create NT-Password
> (7) mschap: Found Cleartext-Password, hashing to create LM-Password
> (7) mschap: Creating challenge hash with username: bob
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: ERROR: MS-CHAP2-Response is incorrect

  That's about as clear as you can get.

  Alan DeKok.
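
The supplicant side of the distinction drawn in the reply above, as an added example that is not part of the original message: two wpa_supplicant network blocks, the first using PEAP with MS-CHAPv2 and the second using EAP-TTLS with PAP. It assumes wpa_supplicant is the client; the SSID, identity, CA path and server name are constructed placeholders.

```conf
# Added example. Use one block or the other, not both.
# SSID, identity, CA path and server name are constructed placeholders.

# Before: PEAP with MS-CHAPv2 inside the tunnel.
# The server receives a challenge/response, never a User-Password,
# so the yubikey module has nothing to validate.
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
}

# After: EAP-TTLS with PAP inside the tunnel.
# The inner request carries User-Password, which is what the
# yubikey module needs.
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=TTLS
    # Outer identity, visible outside the TLS tunnel
    anonymous_identity="anonymous"
    # Inner identity, sent only inside the tunnel
    identity="bob"
    phase2="auth=PAP"
    # A YubiKey OTP changes on every key press, so this value is a
    # placeholder for what is entered at connect time.
    password="OTP-ENTERED-AT-CONNECT-TIME"
    # PAP sends the password unhashed inside the tunnel, so the client
    # must verify that the tunnel ends at the intended RADIUS server.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

With the second block in use, the inner-tunnel debug output should show a User-Password attribute in the request instead of the mschap lines quoted above.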



