Working With EAP-TTLS, and LDAP

Martin Gignac martin.gignac at gmail.com
Tue Mar 26 14:33:18 CET 2019


Nate, this may or may not help in your case, but we're using TTLS-PAP where
I work for WPA-Enterprise authentication and have successfully configured
various devices (Windows, Linux, macOS, iOS) using the installers generated
on the following site: https://enterprise-wifi.net/. Since you mentioned
issues getting Apple desktops to do TTLS-PAP I thought this might help.

-Martin

On Tue, Mar 26, 2019 at 9:12 AM Nate . <nate2077developer at gmail.com> wrote:

> I think I understand it better now, I've made those changes, and connecting
> an Android phone with the required security preferences is working! Now I'm
> struggling to get an Apple desktop to let me choose what protocols to use,
> so I'm working on figuring out why that is now. I've already been contacted
> one on one by 8 other people asking for this exact same setup,
> mac/windows/android environment, with Freeradius using LDAP to authenticate
> via Google's Applet.
>
> I'll update you on what I find.
>
> Thank you for the help,
>
>
> On Fri, Mar 22, 2019 at 4:57 PM Alan Buxey <alan.buxey at gmail.com> wrote:
>
> > hi,
> >
> > >Alan, I'm not quite following you. So you are saying everything should be
> > >working or are you re-iterating what Matthew said?
> >
> > no. it's not working - as you know - and yes, you need to follow my
> > advice and Matthew's.
> >
> > look at your default server - the ldap parts in authenticate and
> > authorize section. they work for non EAP (the radtest) - so make similar
> > config in the inner-tunnel (which is what's used for EAP)
> >
> > Auth-Type only belongs in certain places...you cannot just stick it around.
> >
> > as Alan says, there is a way to directly test the inner-tunnel policy
> > directly without involving EAP (for some types of things and configs) -
> > use its local listener....the high port configured/available to it
> > (18120 or such)
> >
> > alan
> >
> > On Fri, 22 Mar 2019 at 19:35, Nate . <nate2077developer at gmail.com> wrote:
> > >
> > > Alan, I'm not quite following you. So you are saying everything should be
> > > working or are you re-iterating what Matthew said?
> > >
> > > Matthew, I've added a section to sites-enabled/inner-tunnel. Here's the new
> > > log, I should be adding the update control?
> > > server inner-tunnel {
> > >     authenticate {
> > >         Auth-Type LDAP {
> > >             if ((ok || updated) && User-Password) {
> > >                 update {
> > >                     control:Auth-Type := ldap
> > >                 }
> > >             }
> > >         }
> > >     }
> > > }
> > >
> > > Somewhere I remember being instructed that I was supposed to comment out
> > > the following in that section...
> > > #       Auth-Type LDAP {
> > > #               ldap
> > > #       }
> > >
> > >
> > >
> > > On Fri, Mar 22, 2019 at 2:33 PM Alan Buxey <alan.buxey at gmail.com> wrote:
> > >
> > > > hi,
> > > >
> > > > okay - so you aren't looking the password up with LDAP (hence the no
> > > > known password thing) but you are binding to the LDAP
> > > > to check credentials are okay. fine.
> > > >
> > > > so, assuming that the user and password are the same, one thing that
> > > > looks possible is that you don't have the Auth-Type of LDAP
> > > > enabled in your inner-tunnel virtual server (that's the bit that deals
> > > > with the EAP side of the process with your setup) - you have a
> > > > call to ldap enabled in the Authenticate part....but not the other
> > > > half...the Authorization.  your LDAP config is sane - as it works with
> > > > the radtest method.... so that should be it.
> > > >
> > > > alan
> > > >
> > > > On Fri, 22 Mar 2019 at 18:14, Nate . <nate2077developer at gmail.com> wrote:
> > > > >
> > > > > I thought I had attached them, I'm sorry... I'm running through the
> > > > > test again, and this time I'll make it super clear which tests are
> > > > > which too.
> > > > >
> > > > > Please don't yell at me, I'm doing my best and it's an extremely
> > > > > stressful time for me. And please understand, I appreciate your help
> > > > > with everything.
> > > > > I've double checked. I have attached the startup part of the logs,
> > > > > and separated the two tests. The freeradius_radtest is using the
> > > > > following command:
> > > > >
> > > > > freeradius:~$ radtest -t pap ldap_user ldap_pass 127.0.0.1 0 testing123
> > > > > Sent Access-Request Id 10 from 0.0.0.0:53177 to 127.0.0.1:1812 length 76
> > > > > User-Name = "ldap_user"
> > > > > User-Password = "ldap_pass"
> > > > > NAS-IP-Address = 192.168.16.111
> > > > > NAS-Port = 0
> > > > > Message-Authenticator = 0x00
> > > > > Cleartext-Password = "ldap_pass"
> > > > > Received Access-Accept Id 10 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
> > > > >
> > > > > So I can see here that the LDAP Module is functioning properly.
> > > > >
> > > > >
> > > > > On Thu, Mar 21, 2019 at 2:35 PM Alan DeKok <aland at deployingradius.com>
> > > > > wrote:
> > > > >
> > > > > > On Mar 21, 2019, at 10:57 AM, Nate . <nate2077developer at gmail.com> wrote:
> > > > > > >
> > > > > > > I have been dealing with a few things, so this got delayed,
> > > > > > > apologies. I am still unclear on why I am unable to connect via the
> > > > > > > EAPTTLS-PAP. I have reviewed the log many times and I don't really
> > > > > > > understand it.
> > > > > >
> > > > > >   Then post it here as suggested in the "man" pages, web pages, and in
> > > > > > the email you get when you join the list.
> > > > > >
> > > > > >   How do you expect us to help you when you give us zero information?
> > > > > >
> > > > > > > I noticed a part of the authentication where it tries the LDAP,
> > > > > > > binds, and then there's a part where it says
> > > > > > > "if ((ok || updated) && User-Password)  -> FALSE" where it is true
> > > > > > > on the radtest.
> > > > > >
> > > > > >   English descriptions are bad.  Post the debug output.  It will be
> > > > > > much, much, faster to solve the problem.
> > > > > >
> > > > > > > I felt certain it's the User-Password missing or something, but I
> > > > > > > don't understand why it would be missing. I noticed the
> > > > > > > "(0)   User-Password = " does not appear at the top of the
> > > > > > > connection log like the radtest either. Though, on the "Flat file
> > > > > > > user credentials" from my previous email, you can see it is also not
> > > > > > > listed at the top, so maybe it's not that.
> > > > > >
> > > > > >   <sigh>  Vague descriptions of problems are an utter waste of
> > > > > > everyone's time.
> > > > > >
> > > > > >   Post the debug log.  Read the documentation.  I've been saying this
> > > > > > for 20 years, and it is getting tiring.
> > > > > >
> > > > > >   Alan DeKok.
> > > > > >
> > > > > >
> > > > > > -
> > > > > > List info/subscribe/unsubscribe? See
> > > > > > http://www.freeradius.org/list/users.html
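The arrangement Alan Buxey describes (ldap lookup plus Auth-Type selection in authorize, the bind itself in authenticate), written out as an added example for sites-enabled/inner-tunnel. This is not the poster's file and not a stock FreeRADIUS file; it assumes FreeRADIUS 3.x syntax, the stock inner-tunnel listener on 127.0.0.1:18120, and the localhost client secret testing123 used earlier in the thread.

```unlang
# Added example, not the poster's config and not a stock FreeRADIUS file: the
# two halves of LDAP-bind authentication inside sites-enabled/inner-tunnel for
# EAP-TTLS/PAP, placed as Alan Buxey describes. authorize decides the
# Auth-Type; authenticate performs the bind. FreeRADIUS 3.x syntax assumed.
server inner-tunnel {

    authorize {
        # Inner EAP methods (if any) are handled by the eap module first.
        eap {
            ok = return
        }

        # Look the user up in LDAP. If the entry exists (ok/updated) and the
        # inner request carries a User-Password, force a bind-as-user
        # authentication. TTLS/PAP supplies that cleartext password;
        # PEAP/MSCHAPv2 does not, so an LDAP bind cannot serve it.
        ldap
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := ldap
            }
        }

        # pap stays for users whose cleartext password another module
        # supplied; it noops when no "known good" password exists.
        pap
    }

    authenticate {
        # Matches the Auth-Type set above: bind to the directory as the user.
        Auth-Type LDAP {
            ldap
        }

        Auth-Type PAP {
            pap
        }
    }
}

# Check the inner policy without going through EAP, as Alan Buxey suggests:
# send a PAP request to the inner-tunnel's own listener (127.0.0.1:18120 in
# the stock inner-tunnel file) with the secret of the localhost client from
# clients.conf (the thread uses testing123). An Access-Accept here means the
# LDAP part is right and any remaining failure is on the EAP/TLS side:
#   radtest -t pap ldap_user ldap_pass 127.0.0.1:18120 0 testing123
```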

