First off, I'd like to say thanks in advance to anyone who can help me here.
I've spent the past few days searching the list archives and other sites for
information on how to accomplish this. The overwhelming message from these
searches was that "it should just work" and that "the server will figure out
what to do." Sadly, that's not the case here.
My goals here are straightforward:
- Authorize the user in LDAP if a corresponding entry exists (just checking
  against uid, nothing fancy).
- Support TTLS-PAP and PEAP-GTC. The default Macintosh configuration supports
  PEAP-GTC with no config. SecureW2 will be used for TTLS-PAP on Windows clients.
- Authenticate the user's clear-text password via a simple LDAP bind encrypted
  via TLS. No userPassword attribute checking here. A simple bind is all.
Using version 1.14.
Here's my eap.conf with comments stripped out:
eap {
        default_eap_type = ttls
        timer_expire = 10
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        gtc {
                challenge = "Password: "
                auth_type = PAP
        }
        tls {
                private_key_password = foo
                private_key_file = ${raddbdir}/certs/key.pem
                certificate_file = ${raddbdir}/certs/cert.pem
                CA_file = ${raddbdir}/certs/sf_issuing.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
                check_crl = no
                cipher_list = "DEFAULT"
        }
        ttls {
                default_eap_type = gtc
        }
        peap {
                default_eap_type = gtc
        }
}
Relevant sections of radius.conf are:
ldap {
        server = "myserverentry"
        basedn = "myDN"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        tls_cacertfile = /opt/fedora-ds/alias/intCA.pem
        tls_require_cert = "demand"
        access_attr = "uid"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
authorize {
        preprocess
        suffix
        ntdomain
        eap
        files
        ldap
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}
If I force the Mac or Windows supplicants to use TTLS-PAP, the request is never
passed to radiusd. I don't know what's going on but my AP (Aruba 200) seems to
be detecting that something isn't right with its AAA server and not passing the
request on. If I change the supplicants to use their default settings, the
requests are sent to FreeRadius, but the requests fail. Again, the Aruba seems
to think that something is wrong and presents its certificate instead of my
server's. At one point, I had the clients seeing the server's certificate but I
can't seem to get back in that state. So I don't think my AP is broken, I'm
pretty sure it's my FreeRadius config that's broken. The users file is
unchanged and the proper entries are in clients.
Yes, I've run the server in debug mode (there are no requests coming in).
Thanks,
-richard
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html