On Wed, Jun 19, 2013 at 02:49:21PM +0200, Olivier Beytrison wrote:
> On 19.06.2013 14:11, Marco Streich wrote:
> > We have deployed FreeRADIUS on OS X before, but our
> > configuration was rather ugly. What we would do is
> > authenticate users locally, having the machine attached to our
> > OpenDirectory server directly using the Connect Network
> > Account Server functionality provided by OS X.
>
> I will make it short and easy.
>
> You can't do LDAP authentication with 802.1x. EAP needs the password of
> the user in cleartext. If it's not in your ldap, you're screwed.

Not entirely true.

With PAP (which is what radtest is doing) you can work without a
cleartext password, as auth is (generally) based on an ldap bind.

With EAP-TTLS/PAP, you can also work with just the hash in ldap, as
(same as clear PAP) you get the password from the client to do a bind
with.

With EAP-TTLS/MSCHAP or PEAP/EAP-MSCHAP etc. you need the cleartext
password from ldap - auth is done by checking this in FreeRADIUS, not by
a bind to ldap.

> > [ldap] login attempt by "a4" with password "whatever"
> > [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
> > [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
> > [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to
> > ldap.hopro.edu:389
> > [ldap] waiting for bind result ...
> > [ldap] Bind was successful
> > [ldap] user a4 authenticated successfully
> > ++[ldap] returns ok
>
> This works because you're doing PAP. With radtest the user password is
> sent in cleartext. So YES you can authenticate with ldap because you
> can BIND to the ldap with the provided password.
>
> You don't have this password with 802.1x/EAP. You work only with
> challenges, hashes and keys.

Apple OS X can do EAP-TTLS/PAP as far as I am aware (native Windows < 8
can't), so this should work.

I don't recognise the error you're getting, though - it looks like the
client gave up and sent an empty packet.

Note you don't need ldap configured in the outer for 802.1X to work -
the outer is just doing EAP. It's the inner that will need the ldap
modules.

Some other comments -

Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x.

Save yourself some round trip packets by setting default_eap_type = ttls
in eap.conf.

Save yourself some LDAP lookups by removing ldap from the outer.

Cheers

Matthew

--
Matthew Newton, Ph.D. <[email protected]>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[email protected]>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
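The distinction Matthew draws above (a bind-based PAP check works against a directory that holds only a salted hash, while an MSCHAP-style challenge/response forces the RADIUS server to hold a password-equivalent) is illustrated below. This is an added example written for this page, not code from the thread or from the FreeRADIUS project. It assumes an OpenLDAP-style `{SSHA}` userPassword format (a real format) and uses HMAC-SHA256 keyed with an unsalted digest as a stand-in for the MS-CHAPv2 NT-hash/DES computation; the directory entries, the `a5` user, the challenge value and the attribute name `password-equivalent` are all constructed for the example.

```python
"""Why an LDAP bind suffices for PAP / EAP-TTLS+PAP but not for MSCHAP-style EAP.

Added example, not FreeRADIUS code. Assumptions are marked in comments.
"""
import base64
import hashlib
import hmac
import os


# ---- The directory side: what LDAP actually stores -------------------------

def ssha_hash(password, salt=None):
    """Build an OpenLDAP-style {SSHA} userPassword value (salted SHA-1)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldap_simple_bind(entry, password):
    """Model of an LDAP simple bind: the directory recomputes the salted
    hash from the cleartext the client supplied. Only a hash is stored."""
    stored = entry.get("userPassword", "")
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


# ---- PAP: radtest, or PAP carried inside an EAP-TTLS tunnel ----------------

def pap_authenticate(directory, dn, password):
    """PAP hands the server the cleartext password, so the server can
    simply bind to LDAP as the user (what rlm_ldap does for Auth-Type LDAP)."""
    entry = directory.get(dn)
    return entry is not None and ldap_simple_bind(entry, password)


# ---- Challenge/response: PEAP/EAP-MSCHAPv2 or EAP-TTLS/MSCHAPv2 ------------
# Stand-in (assumption): HMAC-SHA256 keyed with an unsalted digest of the
# password. Real MS-CHAPv2 keys DES with MD4(UTF-16LE(password)); the shape
# of the problem is identical: the verifier must hold the password-equivalent.

def password_equivalent(password):
    """Stand-in for the NT hash: unsalted, derivable from the cleartext only."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def chap_client_response(password, challenge):
    """What the supplicant sends: a function of challenge and
    password-equivalent. The password itself never crosses the wire."""
    return hmac.new(password_equivalent(password), challenge, "sha256").digest()


def chap_server_verify(entry, challenge, response):
    """True/False when the entry carries a usable credential; None when it
    only holds {SSHA}: a salted hash cannot be turned into the expected
    response, and a response cannot be used to bind."""
    if "password-equivalent" in entry:          # constructed attribute name
        key = entry["password-equivalent"]
    elif "cleartext" in entry:                   # constructed attribute name
        key = password_equivalent(entry["cleartext"])
    else:
        return None
    expected = hmac.new(key, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


# ---- Constructed directory (DN for a4 mirrors the thread; rest made up) ----
DIRECTORY = {
    # hash only, as in the OpenDirectory setup discussed in the thread
    "uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu": {
        "userPassword": ssha_hash("whatever", salt=b"\x01\x02\x03\x04"),
    },
    # also carries a password-equivalent (the situation MSCHAP needs)
    "uid=a5,cn=users,dc=ldap,dc=hopro,dc=edu": {
        "userPassword": ssha_hash("s3cret", salt=b"\x05\x06\x07\x08"),
        "password-equivalent": password_equivalent("s3cret"),
    },
}


def demo():
    a4 = "uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu"
    a5 = "uid=a5,cn=users,dc=ldap,dc=hopro,dc=edu"
    challenge = b"\xaa" * 16  # constructed; a real one is random per session
    return {
        "pap_a4_ok": pap_authenticate(DIRECTORY, a4, "whatever"),
        "pap_a4_wrong": pap_authenticate(DIRECTORY, a4, "nope"),
        "chap_a4": chap_server_verify(
            DIRECTORY[a4], challenge, chap_client_response("whatever", challenge)),
        "chap_a5_ok": chap_server_verify(
            DIRECTORY[a5], challenge, chap_client_response("s3cret", challenge)),
        "chap_a5_wrong": chap_server_verify(
            DIRECTORY[a5], challenge, chap_client_response("nope", challenge)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows PAP succeeding against the hash-only `a4` entry, the challenge/response check returning `None` for that same entry because nothing in `{SSHA}` lets the server recompute the response, and both outcomes working for `a5` only because the directory holds a password-equivalent. That is the practical reason the inner tunnel (not the outer EAP layer) needs the ldap module for TTLS/PAP, and why PEAP/MSCHAPv2 needs a cleartext or NT-hash attribute in the directory.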

