TLS-EAP with Yubikey module
Alan DeKok
aland at deployingradius.com
Wed May 23 18:49:54 CEST 2018
On May 23, 2018, at 11:51 AM, Jeroen van Kessel <krabbedoelie at hotmail.com> wrote:
>
> I am trying to set up FreeRADIUS 3.0.12 ARM (Pi3) with Yubikeys to authenticate on the 802.1X TP-Link EAP245 access point.
>
> Installed:
> latest Raspbian, freeradius plus freeradius-yubikey
>
> Local radtest authentication works through PAP. However, the access point is establishing a TLS-EAP connection with FreeRADIUS. The YubiKey does not process the YubiKey one-time password according to the debugger:
>
> (1) yubikey: No cleartext password in the request. Can't do Yubikey authentication
That's pretty clear.
> Is TLS-EAP supported with the YubiKey module on FreeRADIUS? If so, what am I doing wrong?
Using correct terminology helps. It's EAP-TLS, not TLS-EAP.
You can use Yubikey, so long as there's a User-Password in the packet. This means EAP-TTLS, with PAP inside of the tunnel.
It doesn't mean PEAP with MS-CHAP.
> My users file:
Please read: http://wiki.freeradius.org/list-help
Giving random information isn't useful. Copying default configuration files to the list isn't useful.
Reading the debug output *is* useful.
> (7) mschap: Found Cleartext-Password, hashing to create NT-Password
> (7) mschap: Found Cleartext-Password, hashing to create LM-Password
> (7) mschap: Creating challenge hash with username: bob
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
That's about as clear as you can get.
Alan DeKok.
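
The inner-method distinction made in the reply above, shown as a client-side configuration. This is an added example, not part of the original thread or of the FreeRADIUS project's files. It assumes a wpa_supplicant-style supplicant (eapol_test reads the same format) and a server whose inner tunnel calls the yubikey module; the SSID, identity, CA path and password values are placeholders.

```conf
# Added example (constructed). Keep only ONE of these network blocks in a
# real file; they are shown together for comparison.
# ssid, identity, ca_cert and password values are placeholders.

# Cannot work with the yubikey module: the inner method is MS-CHAPv2, so the
# server sees a challenge/response pair and never a User-Password attribute.
# This is the case behind "No cleartext password in the request".
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    password="PLACEHOLDER"
    ca_cert="/path/to/radius-ca.pem"
    phase2="auth=MSCHAPV2"
}

# Can work: EAP-TTLS with PAP inside the tunnel. The OTP is sent as
# User-Password inside the TLS tunnel, which is what the module needs.
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=TTLS
    # Outer identity, visible outside the tunnel.
    anonymous_identity="anonymous"
    # Inner identity and the one-time password, sent only inside the tunnel.
    identity="bob"
    password="PLACEHOLDER-YUBIKEY-OTP"
    # Validate the server certificate: with PAP the tunnel is the only thing
    # protecting the OTP, so the client must not accept an unknown server.
    ca_cert="/path/to/radius-ca.pem"
    phase2="auth=PAP"
}
```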