Stefan Winter wrote:

> You need to differentiate two parts of the link: a) the data that is passed
> between the client device and the RADIUS server and b) the backend
> communication between RADIUS server and LDAP.
>
> a) is encrypted when using EAP-TTLS
> b) may or may not be encrypted, depending on your settings in the RADIUS
> server.

Hi Stefan,

Thanks for the quick reply. a) is my concern, b) is not an issue. As I said in the original mail (or at least I meant to!) there is a replica of our LDAP server running on the same machine as our FreeRADIUS server. It binds to the loopback device only and as such there's no real point in encrypting traffic.

>> Originally I had hoped to use some sort of
>> web-redirect-to-an-authentication-page system like you sometimes see in
>> hotels but I can't find anything about that (any information welcome).
>
> Try googling for "captive portal".

Thanks - just didn't know the name of it!

>> After reading around, the best form of authentication I can see would be
>> EAP-TTLS with PAP as the inner protocol. I believe (from comments in the
>> radiusd.conf file) that I wouldn't be able to use MD5 with LDAP. Now,
>
> There is a chance that you could, but using MD5 kind of sucks. And it might be
> non-trivial to set up.

As I understand it, if TTLS is working correctly, it should adequately protect my username/password no matter what inner protocol I use. So, PAP should be fine, right?

>> I've set it up in a way that appears to be mostly right and I *can*
>> authenticate with my username/password in LDAP but doing a tcpdump on
>> the RADIUS server worries me.
>
> You should see lots of RADIUS packets going between your server and the client
> (switch/access point) with encrypted payload in the attribute "EAP-Message".

Ah. It would seem my original tcpdump truncated the packets so I was missing some of the attributes. By setting -s 0, I now get the full RADIUS packets. The EAP-Message doesn't appear to be encrypted on the initial packet from the AP to the server. Inside I see Type and Identity (containing my username; the username is also in the User-Name attribute). After that, all the EAP-Message packets have Type EAP-TTLS [Funk], which I suppose is pretty funky from Ethereal's point of view. But it's good news to me.

I can look at the SSL fields and it appears that everything is good. So I'm feeling much happier. But I'm *not* happy with the fact that my username is going in the clear. Is there anything I can do about this? This potentially gives an attacker information he can use to try and brute force or even just passively get a list of users...

>> On the server in /var/log/radiusd.log I see the following:
>>
>> Wed Jul 5 16:10:32 2006 : Error: TLS_accept:error in SSLv3 read
>> client certificate A
>> Wed Jul 5 16:10:32 2006 : Error: rlm_eap: SSL error
>> error:00000000:lib(0):func(0):reason(0)
>> Wed Jul 5 16:10:32 2006 : Error: rlm_eap: SSL error
>> error:00000000:lib(0):func(0):reason(0)
>
> Which is completely normal. It means that the *client* is not sending a
> certificate. TTLS makes him send username and password instead of a
> certificate, so nothing to see here. Please move along.

Excellent - good news.

> Good boy. And it seems like everything worked out beautifully. Now secure your
> backend communication with TLS as well if you are really concerned about
> that, and you're done.

As I say, not an issue. No encrypted packets on the network between the RADIUS server and the LDAP server as they're on the same host, communicating over the loopback interface.

>> I am a little lost and don't know what is best practice. Any advice
>> would be appreciated. I've tried googling but haven't found a good guide
>> that matches our setup. I can, of course, give more information if needed.
>
> Really? WPA2 is quite a wide-spread scenario. And using LDAP as backend is
> quite common as well.

But (IMHO) all the write-ups don't really explain what's going on. Myself, I don't understand what the authorize section and authenticate sections are supposed to do. Could somebody talk to the RADIUS server directly without encryption using my settings? Can I specify what kinds of authentication I'll accept from users compared to the types of backend authentication I can do?

I just find it hard to get my head around it...

Thanks!

John

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

