Working With EAP-TTLS, and LDAP

Alan Buxey alan.buxey at gmail.com
Thu Mar 21 17:13:04 CET 2019


debug?
have you actually tried EAP-TTLS/PAP - because the previous emails
noted that you were doing MSCHAPv2 - that's EAP-TTLS/MSCHAPv2 -
challenge response...and LDAP
is not an authentication system..it's just a lookup database.

alan

On Thu, 21 Mar 2019 at 14:58, Nate . <nate2077developer at gmail.com> wrote:
>
> I have been dealing with a few things, so this got delayed, apologies. I am
> still unclear on why I am unable to connect via the EAPTTLS-PAP. I have
> reviewed the log many times and I don't really understand it. I noticed a
> part of the authentication where it tries the LDAP, binds, and then there's
> a part where it says "if ((ok || updated) && User-Password)  -> FALSE"
> where it is true on the radtest. I felt certain it's the User-Password
> missing or something, but I don't understand why it would be missing. I
> noticed the "(0)   User-Password = " does not appear at the top of the
> connection log like the radtest either. Though, on the "Flat file user
> credentials" from my previous email, you can see it is also not listed at
> the top, so maybe it's not that.
>
> Thank you for your time,
> Nate
>
> On Fri, Mar 8, 2019 at 3:59 PM Nate . <nate2077developer at gmail.com> wrote:
>
> > I realized my stupidity here. Using PAP, but for some reason only my phone
> > will use PAP, our desktops are not giving me any choice. I found this:
> >
> > https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_sites-available-default
> > I had originally followed that in my very first round of trying all of
> > this, but I never got it working.
> >
> > I've also tested connecting using the flat user credentials, it worked! I
> > attached that result too, just in case.
> >
> >
> > On Fri, Mar 8, 2019 at 1:02 PM Nate . <nate2077developer at gmail.com> wrote:
> >
> >> Sorry for the delay. I've updated the files, LDAP is working now, I'm
> >> sorry I didn't catch that part in the configuration, I feel slightly
> >> overwhelmed. Good news though, LDAP is working using "radtest -t pap" and
> >> without the "-t pap".
> >> I've gone ahead and tested via the Wireless controller now, and I am
> >> seeing..
> >> (9) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> >> (9) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
> >> and
> >> (9) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
> >> (9) mschap: ERROR: MS-CHAP2-Response is incorrect
> >>
> >> Now, I know there's a way to map attributes using the LDAP modules
> >> 'update' section, but I have no idea how this works and I also do not know
> >> what Google's structure is. So if this is the route I have to take, I'll
> >> have to do a bit of research on that then. I feel like that's what the
> >> problem is here, but at the same time, Authentication via radtest was
> >> successful, so I am having doubts.
> >>
> >> I've attached a full log of me connecting via WIFI for convenience.
> >>
> >> On Fri, Mar 8, 2019 at 12:05 PM Alan DeKok <aland at deployingradius.com>
> >> wrote:
> >>
> >>> On Mar 8, 2019, at 12:01 PM, Nate . <nate2077developer at gmail.com> wrote:
> >>> >
> >>> > Ok, duly noted. I've restored the defaults. Migrated settings for
> >>> > certificates, and the LDAP. Now my LDAP isn't working anymore. Where am I
> >>> > looking to edit first so that I can begin testing and not accidentally jump
> >>> > ahead of myself?
> >>> > I added the flat file user, as many recommend, that's working. "radtest
> >>> > flatuser testpass 127.0.0.1 0 testing123"
> >>> > When I run the test using my LDAP credentials I get "ERROR: No Auth-Type
> >>> > found: rejecting the user via Post-Auth-Type = Reject"
> >>>
> >>>   See mods-available/ldap.  It has documentation on how to fix this.
> >>> Look for "Auth-Type".
> >>>
> >>>   You will also need to uncomment the "Auth-Type LDAP" block in
> >>> sites-enabled/default, in the "authenticate" section.
> >>>
> >>>   Alan DeKok.
> >>>
> >>>
> >>> -
> >>> List info/subscribe/unsubscribe? See
> >>> http://www.freeradius.org/list/users.html
> >>
> >>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
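
A small triage script for the debug messages quoted in this thread, added here as an illustration and not part of any poster's message or of FreeRADIUS itself: it groups lines by request number and reports whether the request carried a PAP password that an LDAP bind could check, or was MSCHAPv2, which needs a stored NT or cleartext password. The sample log is constructed, and the function names and finding labels are made up for the example.

```python
import re
from collections import defaultdict

# Constructed debug-style sample. The message texts are the ones quoted in the
# thread; request numbers, indentation and the password value are assumptions.
SAMPLE_LOG = """\
(3)   User-Password = "testpass"
(3)     if ((ok || updated) && User-Password)  -> TRUE
(9) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(9) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(9) mschap: ERROR: MS-CHAP2-Response is incorrect
(12)     if ((ok || updated) && User-Password)  -> FALSE
(14) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")   # "(request-id) message"
SIGNALS = {
    "password_attr": re.compile(r"^User-Password = "),
    "cond_true": re.compile(r"&& User-Password\)\s+-> TRUE"),
    "cond_false": re.compile(r"&& User-Password\)\s+-> FALSE"),
    "mschap_no_hash": re.compile(r"^mschap: .*No NT/LM-Password"),
    "no_auth_type": re.compile(r"No Auth-Type found"),
}

def collect(log):
    """Group the signals seen in the log by request id."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            hits = {n for n, p in SIGNALS.items() if p.search(m.group(2))}
            seen[int(m.group(1))] |= hits
    return seen

def diagnose(log):
    """Return {request id: finding}; the most specific signal wins."""
    findings = {}
    for req, s in sorted(collect(log).items()):
        if "mschap_no_hash" in s:      # challenge-response: needs a stored hash
            findings[req] = "mschapv2-needs-nt-or-cleartext-password"
        elif "cond_true" in s:         # PAP password present, bind can run
            findings[req] = "pap-password-available-for-ldap-bind"
        elif "cond_false" in s and "password_attr" not in s:
            findings[req] = "no-user-password-in-request"   # heuristic
        elif "no_auth_type" in s:
            findings[req] = "no-auth-type-set"
        else:
            findings[req] = "unclassified"
    return findings

if __name__ == "__main__":
    for req, finding in diagnose(SAMPLE_LOG).items():
        print(req, finding)
```
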

