Working With EAP-TTLS, and LDAP

Alan Buxey alan.buxey at gmail.com
Fri Mar 22 21:57:33 CET 2019


hi,

>Alan, I'm not quite following you. So you are saying everything should be
>working or are you re-iterating what Matthew said?

No. It's not working - as you know - and yes, you need to follow my
advice and Matthew's.

Look at your default server - the ldap parts in the authenticate and
authorize sections. They work for
non-EAP (the radtest) - so make similar config in the inner-tunnel
(which is what's used for EAP).

Auth-Type only belongs in certain places... you cannot just stick it around.

As Alan says, there is a way to test the inner-tunnel policy directly
without
involving EAP (for some types of things and configs) - use its local
listener... the high port
configured/available to it (18120 or such).

alan

On Fri, 22 Mar 2019 at 19:35, Nate . <nate2077developer at gmail.com> wrote:
>
> Alan, I'm not quite following you. So you are saying everything should be
> working or are you re-iterating what Matthew said?
>
> Matthew, I've added a section to sites-enabled/inner-tunnel. Here's the new
> log, I should be adding the update control?
> server inner-tunnel {
> authenticate {
> Auth-Type LDAP {
>     if ((ok || updated) && User-Password) {
>         update {
>             control:Auth-Type := ldap
>         }
>     }
> }
> }
> }
>
> Somewhere I remember being instructed that I was supposed to comment out
> the following in that section...
> #       Auth-Type LDAP {
> #               ldap
> #       }
>
>
>
> On Fri, Mar 22, 2019 at 2:33 PM Alan Buxey <alan.buxey at gmail.com> wrote:
>
> > hi,
> >
> > Okay - so you aren't looking the password up with LDAP (hence the "no
> > known password" thing) but you are binding to the LDAP
> > to check credentials are okay. Fine.
> >
> > So, assuming that the user and password are the same, one thing that
> > looks possible is that you don't have the Auth-Type of LDAP
> > enabled in your inner-tunnel virtual server (that's the bit that deals
> > with the EAP side of the process with your setup) - you have a
> > call to ldap enabled in the Authenticate part... but not the other
> > half... the Authorization. Your LDAP config is sane - as it works with
> > the radtest method... so that should be it.
> >
> > alan
> >
> > On Fri, 22 Mar 2019 at 18:14, Nate . <nate2077developer at gmail.com> wrote:
> > >
> > > I thought I had attached them, I'm sorry... I'm running through the test
> > > again, and this time I'll make it much clearer which tests are which too.
> > >
> > > Please don't yell at me, I'm doing my best and it's an extremely stressful
> > > time for me. And please understand, I appreciate your help with everything.
> > > I've double checked. I have attached the startup part of the logs, and
> > > separated the two tests. The freeradius_radtest is using the following
> > > command:
> > >
> > > freeradius:~$ radtest -t pap ldap_user ldap_pass 127.0.0.1 0 testing123
> > > Sent Access-Request Id 10 from 0.0.0.0:53177 to 127.0.0.1:1812 length 76
> > > User-Name = "ldap_user"
> > > User-Password = "ldap_pass"
> > > NAS-IP-Address = 192.168.16.111
> > > NAS-Port = 0
> > > Message-Authenticator = 0x00
> > > Cleartext-Password = "ldap_pass"
> > > Received Access-Accept Id 10 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
> > >
> > > So I can see here that the LDAP Module is functioning properly.
> > >
> > >
> > > On Thu, Mar 21, 2019 at 2:35 PM Alan DeKok <aland at deployingradius.com>
> > > wrote:
> > >
> > > > On Mar 21, 2019, at 10:57 AM, Nate . <nate2077developer at gmail.com>
> > wrote:
> > > > >
> > > > > I have been dealing with a few things, so this got delayed, apologies.
> > > > > I am still unclear on why I am unable to connect via the EAPTTLS-PAP.
> > > > > I have reviewed the log many times and I don't really understand it.
> > > >
> > > >   Then post it here as suggested in the "man" pages, web pages, and in
> > > > the email you get when you join the list.
> > > >
> > > >   How do you expect us to help you when you give us zero information?
> > > >
> > > > > I noticed a part of the authentication where it tries the LDAP, binds,
> > > > > and then there's a part where it says
> > > > > "if ((ok || updated) && User-Password)  -> FALSE"
> > > > > where it is true on the radtest.
> > > >
> > > >   English descriptions are bad.  Post the debug output.  It will be
> > > > much, much, faster to solve the problem.
> > > >
> > > > > I feel certain it's the User-Password missing or something, but I
> > > > > don't understand why it would be missing. I noticed the
> > > > > "(0)   User-Password = " does not appear at the top of the connection
> > > > > log like the radtest either. Though, on the "Flat file user
> > > > > credentials" from my previous email, you can see it is also not listed
> > > > > at the top, so maybe it's not that.
> > > >
> > > >   <sigh>  Vague descriptions of problems are an utter waste of
> > > > everyone's time.
> > > >
> > > >   Post the debug log.  Read the documentation.  I've been saying this
> > > > for 20 years, and it is getting tiring.
> > > >
> > > >   Alan DeKok.
> > > >
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list