> I use FR 2.1.1 for WPA authentication, using TTLS+MSCHAPv2 and LDAP to
> store users and passwords (in LM/NT hash format). I tried several
> configurations:
>
> Configuration 1:
> - no changes in sites-enabled/default;
> - in sites-enabled/inner-tunnel uncommented "ldap" in authorize and
> "Auth-Type LDAP" in authenticate.
> Result: users get access even with an incorrect password. Why?

That shouldn't happen. When things don't work as expected - debug (radiusd -X). Auth-Type LDAP shouldn't be used unless you have done something else as well.

> Configuration 2:
> - in sites-enabled/default uncommented "ldap" in authorize and
> "Auth-Type LDAP" in authenticate;
> - no changes in sites-enabled/inner-tunnel.
> Result: users aren't authenticated.

That's as expected. Authentication is handled by inner-tunnel and no password is available since ldap is commented out in original settings.

> Configuration 3:
> - in sites-enabled/default uncommented "Auth-Type LDAP" in authenticate;

You can leave that out too.

> - in sites-enabled/inner-tunnel uncommented "ldap" in authorize.
> Result: it seems to work correctly, users get access only with a correct
> password.

That's the correct way.

> I can't understand well the flow of the process between the two virtual
> servers :(

In your case default virtual server handles creation of TLS tunnel while inner-tunnel server handles mschap authentication (what is being sent inside the tunnel - hence the name). You need to provide password only in the inner-tunnel server. Server should set Auth-Type to mschap on its own when it detects mschap attributes in inner-tunnel request.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
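The working layout ("Configuration 3") written out as an added FreeRADIUS 2.x unlang fragment; this is an illustration, not code from the original post or from the FreeRADIUS project. It assumes the stock section names from sites-available/default and sites-available/inner-tunnel, that eap.conf's ttls block points at virtual_server "inner-tunnel", and that ldap.attrmap already maps the directory's NT hash attribute to NT-Password; unrelated stock entries (chap, pap, unix) are left out for brevity.

```unlang
# sites-enabled/default: the outer server only terminates the TTLS tunnel.
# Nothing here ever sees a password, so "ldap" stays commented out.
authorize {
    preprocess
    suffix
    eap {
        ok = return      # EAP request: hand it to the eap module, skip the rest
    }
    files
    expiration
    logintime
}

authenticate {
    # No "Auth-Type LDAP" block here: an LDAP bind needs the user's cleartext
    # password, which MSCHAPv2 never sends, so it could not succeed anyway.
    eap
}

# sites-enabled/inner-tunnel: receives the MSCHAPv2 exchange carried inside the tunnel.
authorize {
    mschap               # sees MS-CHAP-Challenge/Response and sets Auth-Type := MS-CHAP
    suffix
    eap {
        ok = return
    }
    files
    ldap                 # uncommented: fetches the stored NT hash as NT-Password
    expiration
    logintime
}

authenticate {
    Auth-Type MS-CHAP {
        mschap           # checks the client's response against NT-Password
    }
    # Auth-Type LDAP {   # kept commented out: with hashes in LDAP there is no
    #     ldap           # cleartext password to bind with
    # }
    eap
}
```

Run `radiusd -X` and confirm that the inner-tunnel request logs `Found Auth-Type = MSCHAP` after the ldap module has added NT-Password; if it reports `Found Auth-Type = LDAP`, an `Auth-Type LDAP` block is still active somewhere and the check is not comparing the hash at all.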

