eap-ttls + PAP using Crypt-Password obtained by ldap

florian.prester
Hi,

Is it possible to authenticate a user with eap-ttls using PAP with a
Crypt-Password?
The Crypt-Password is obtained by an LDAP-Server.

I can do eap-ttls using MD5/PAP with a cleartext Password.

thanks
Florian


--
--------------------------------------------------------------
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany

Tel.: +499131 8527813

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap-ttls + PAP using Crypt-Password obtained by ldap

Vladimir Vuksan
Florian Prester wrote:

> Is it possible to authenticate a user with eap-ttls using PAP with
> a Crypt-Password?
> The Crypt-Password is obtained by an LDAP-Server.
>
> I can do eap-ttls using MD5/PAP with a cleartext Password.

Yes you can, however you have to configure your clients to use TTLS+PAP.
Otherwise they will default to TTLS+MSCHAPv2 which will not work with
a crypted password. Here is a HOWTO on configuring TTLS+PAP:

http://vuksan.com/linux/dot1x/wpa-client-config.html

Vladimir

Re: eap-ttls + PAP using Crypt-Password obtained by ldap

florian.prester
Vladimir Vuksan wrote:

> Florian Prester wrote:
>
>> Is it possible to authenticate a user with eap-ttls using PAP with
>> a Crypt-Password?
>> The Crypt-Password is obtained by an LDAP-Server.
>>
>> I can do eap-ttls using MD5/PAP with a cleartext Password.
>
> Yes you can, however you have to configure your clients to use
> TTLS+PAP. Otherwise they will default to TTLS+MSCHAPv2 which will not
> work with a crypted password. Here is a HOWTO on configuring TTLS+PAP:
>
> http://vuksan.com/linux/dot1x/wpa-client-config.html
>
> Vladimir

Thanks Vladimir.

I know your howto, it is very helpful.
I configured as you told, but I still get an error at the freeradius:
....
Thu Aug 11 17:06:02 2005 : Debug: rlm_ldap: looking for reply items in directory...
Thu Aug 11 17:06:02 2005 : Debug: rlm_ldap: user unrz148 authorized to use remote access
Thu Aug 11 17:06:02 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Aug 11 17:06:02 2005 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 3
Thu Aug 11 17:06:02 2005 : Debug:   modcall[authorize]: module "ldap" returns ok for request 3
Thu Aug 11 17:06:02 2005 : Debug: modcall: group authorize returns updated for request 3
Thu Aug 11 17:06:02 2005 : Debug:   rad_check_password:  Found Auth-Type pap
Thu Aug 11 17:06:02 2005 : Debug: auth: type "PAP"
Thu Aug 11 17:06:02 2005 : Debug:   Processing the authenticate section of radiusd.conf
Thu Aug 11 17:06:02 2005 : Debug: modcall: entering group Auth-Type for request 3
Thu Aug 11 17:06:02 2005 : Debug:   modsingle[authenticate]: calling pap (rlm_pap) for request 3
Thu Aug 11 17:06:02 2005 : Auth: rlm_pap: Attribute "Password" is required for authentication.
Thu Aug 11 17:06:02 2005 : Debug:   modsingle[authenticate]: returned from pap (rlm_pap) for request 3
Thu Aug 11 17:06:02 2005 : Debug:   modcall[authenticate]: module "pap" returns invalid for request 3
Thu Aug 11 17:06:02 2005 : Debug: modcall: group Auth-Type returns invalid for request 3
Thu Aug 11 17:06:02 2005 : Debug: auth: Failed to validate the user.
...

The Crypted-Password is working and it is available as Crypt-Password.
(Tested with ntradping).
I added "DEFAULT                Auth-Type := pap" at the end of the
users-file, without it, it wants to use ldap-authentication!

Also it works with a local user (defined in the users-file) and a
Crypt-Password!

Any hints?

thanks
Florian


--
--------------------------------------------------------------
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany

Tel.: +499131 8527813


Re: eap-ttls + PAP using Crypt-Password obtained by ldap

Thor Spruyt
Florian Prester wrote:
> The Crypted-Password is working and it is available as Crypt-Password.
> (Tested with ntradping).
> I added "DEFAULT                Auth-Type := pap" at the end of the
> users-file, without it, it wants to use ldap-authentication!

You should set Auth-Type := pap
See http://vuksan.com/linux/dot1x/802-1x-LDAP.html

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [hidden email]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be


Re: eap-ttls + PAP using Crypt-Password obtained by ldap

Alan DeKok
In reply to this post by florian.prester
Florian Prester <[hidden email]> wrote:
> I configured as you told, but I still get an error at the freeradius:

  You haven't shown the contents of the packet.

> Thu Aug 11 17:06:02 2005 : Auth: rlm_pap: Attribute "Password" is
> required for authentication.

  You've told the server to do PAP authentication, but there's no
password in the request.  Don't do that.

> I added "DEFAULT                Auth-Type := pap" at the end of the
> users-file, without it, it wants to use ldap-authentication!

  Which ALSO forces the server to do PAP when it receives an EAP
request.

  Solution:

  1) read "man users"
  2) change := to =

  Alan DeKok.
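
Added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of the two users-file operators as "man users" describes them, showing why a DEFAULT entry with ":=" sends the outer EAP request to rlm_pap while "=" leaves it with EAP. The module order (eap before files), the function names and both sample requests are assumptions made for illustration.

```python
# Simplified model of how a users-file check item changes the server's
# config items. Operator semantics follow "man users"; everything else
# (module order, names, sample requests) is assumed for illustration.

def apply_check_item(config, attr, op, value):
    """Return a new config dict after applying `attr op value`."""
    out = dict(config)
    if op == ":=":      # always replaces any attribute of the same name
        out[attr] = value
    elif op == "=":     # sets the value only if the attribute is absent
        out.setdefault(attr, value)
    else:
        raise ValueError(f"operator {op!r} is not modelled")
    return out

def authorize(request, default_op):
    """Assumed order: eap runs first, then files (the DEFAULT entry)."""
    config = {}
    if "EAP-Message" in request:      # the eap module claims EAP requests
        config["Auth-Type"] = "EAP"
    return apply_check_item(config, "Auth-Type", default_op, "pap")

def authenticate(request, default_op):
    auth_type = authorize(request, default_op)["Auth-Type"]
    if auth_type == "pap" and "User-Password" not in request:
        # The failure recorded in the thread's debug log.
        return 'invalid: rlm_pap: Attribute "Password" is required'
    return f"handled by {auth_type}"

# Constructed sample requests (not captured traffic).
OUTER_EAP = {"User-Name": "user1", "EAP-Message": b"\x02\x00"}
INNER_PAP = {"User-Name": "user1", "User-Password": "constructed-secret"}

def results():
    """Outcome for each (request, operator) combination."""
    return {
        (name, op): authenticate(req, op)
        for op in (":=", "=")
        for name, req in (("outer", OUTER_EAP), ("inner", INNER_PAP))
    }

if __name__ == "__main__":
    for key, outcome in results().items():
        print(key, "->", outcome)
```
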

Re: eap-ttls + PAP using Crypt-Password obtained by ldap

Thor Spruyt
In reply to this post by Thor Spruyt
Thor Spruyt wrote:
> Florian Prester wrote:
>> The Crypted-Password is working and it is available as
>> Crypt-Password. (Tested with ntradping).
>> I added "DEFAULT                Auth-Type := pap" at the end of the
>> users-file, without it, it wants to use ldap-authentication!
>
> You should set Auth-Type := pap
I mean SHOULDN'T!!!

> See http://vuksan.com/linux/dot1x/802-1x-LDAP.html

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [hidden email]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be


Re: eap-ttls + PAP using Crypt-Password obtained by ldap

florian.prester
In reply to this post by Alan DeKok
Alan DeKok wrote:

> Florian Prester <[hidden email]> wrote:
>
>> I configured as you told, but I still get an error at the freeradius:
>
>   You haven't shown the contents of the packet.
>
>> Thu Aug 11 17:06:02 2005 : Auth: rlm_pap: Attribute "Password" is
>> required for authentication.
>
>   You've told the server to do PAP authentication, but there's no
> password in the request.  Don't do that.
>
>> I added "DEFAULT                Auth-Type := pap" at the end of the
>> users-file, without it, it wants to use ldap-authentication!
>
>   Which ALSO forces the server to do PAP when it receives an EAP
> request.
>
>   Solution:
>
>   1) read "man users"
>   2) change := to =
>
>   Alan DeKok.

OK, after I set ":=" to "=" the radius is trying to do EAP with md5.
So I think the wpa_supplicant is telling the radius to do so. Which of
course needs a Password attribute.

So back again to the wpa_supplicant-configuration, how do I configure
EAP-TTLS with PAP as inner authentication?

thanks
for all the help.

Florian Prester



--
--------------------------------------------------------------
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany

Tel.: +499131 8527813


Re: eap-ttls + PAP using Crypt-Password obtained by ldap

Alan DeKok
Florian Prester <[hidden email]> wrote:
> OK, after I set ":=" to "=" the radius is trying to do EAP with md5.
> So I think the wpa_supplicant is telling the radius to do so. Which of
> course needs a Password attribute.

  Yes.

> So back again to the wpa_supplicant-configuration, how do I configure
> EAP-TTLS with PAP as inner authentication?

  Ask on a WPA supplicant list.

  I haven't used it, so I know nothing about it.

  Alan DeKok.