> Ralf Paffrath <[EMAIL PROTECTED]> wrote:
> > I'm running a snapshot version of freeradius with EAP/TTLS for authN.
> > My supplicant is SecureW2. Everything works fine as long as I put in the
> > plaintext user-password in "users" configuration file and didn't set
> > Auth-Type, e.g. username User-Password == "blabla".
>
> Ok...
>
> > I absolutely don't like plaintext passwords in some files so I tried
> > freeradius out to use /etc/shadow but with no success.
>
> Plain-text passwords aren't much of a problem from a security
> perspective. They also allow you to do CHAP authentication, which is
> impossible with /etc/passwd.
>
> > Auth-Type := EAP doesn't work:
> > ...
> > auth: type "EAP"
> > modcall: entering group authenticate for request 5
> > rlm_eap: EAP-Message not found
>
> Exactly. Don't set "Auth-Type := EAP". EVER.
>
> > Any idea?
>
> Set Auth-Type to System for the tunneled user, and read the
> debugging output of the server. I note that you did NOT post that
> debugging output, which is the ONLY relevant thing here.
I set Auth-Type to System but no TTLS-tunnel session would be established
and I got the following debugging output:
...
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
rad_check_password: Found Auth-Type System
Warning: Found 2 auth-types on request for user 'HUGO'
auth: type "System"
modcall: entering group authenticate for request 0
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
...
This output led me to the assumption that Auth-Type set to System is
wrong, so I set Auth-Type to EAP.
When I didn't set Auth-Type, e.g. <username> User-Password "blabla" and set
DEFAULT Auth-Type += System
Fall-Through = YES
I can authenticate with plaintext password and with /etc/passwd, so I
got two valid passwords. With both passwords TTLS-tunnel sessions were
established, weird!
Ralf.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
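
Added example, not part of the original thread: a small Python parser for the debug output quoted in the message above. It reports, per request, every Auth-Type the server found, the one it used, and the attribute the authenticate module said was missing; the function name analyze and the report keys are this example's own.

```python
import re

# Debug lines copied from the message above; nothing here is constructed.
SAMPLE = """\
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
rad_check_password: Found Auth-Type System
Warning: Found 2 auth-types on request for user 'HUGO'
auth: type "System"
modcall: entering group authenticate for request 0
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
"""

PATTERNS = {
    "start":  re.compile(r"group authorize returns \w+ for request (\d+)"),
    "found":  re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)"),
    "chosen": re.compile(r'auth:\s+type "([^"]+)"'),
    "needs":  re.compile(r'rlm_\w+:\s+Attribute "([^"]+)" is required'),
    "module": re.compile(r'module "([^"]+)" returns (\w+) for request \d+'),
}

def analyze(text):
    """Group debug lines by request and summarise the Auth-Type decision."""
    reports, cur = [], None
    for line in text.splitlines():
        hits = {name: pat.search(line) for name, pat in PATTERNS.items()}
        if hits["start"]:
            # The authorize result opens a new per-request record.
            cur = {"request": int(hits["start"].group(1)), "found": [],
                   "chosen": None, "missing": None, "module": None, "result": None}
            reports.append(cur)
        elif cur is None:
            continue  # lines before the first authorize result belong to no request
        elif hits["found"]:
            cur["found"].append(hits["found"].group(1))
        elif hits["chosen"]:
            cur["chosen"] = hits["chosen"].group(1)
        elif hits["needs"]:
            cur["missing"] = hits["needs"].group(1)
        elif hits["module"]:
            cur["module"], cur["result"] = hits["module"].group(1, 2)
    for rep in reports:
        # More than one distinct Auth-Type on a request is what the server warns about.
        rep["conflict"] = len(set(rep["found"])) > 1
    return reports

if __name__ == "__main__":
    for rep in analyze(SAMPLE):
        print(rep)
```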