> Ralf Paffrath <[EMAIL PROTECTED]> wrote:
> > I'm running a snapshot version of freeradius with EAP/TTLS for authN.
> > My supplicant is SecureW2. Everything works fine as long as I put in the
> > plaintext user-password in "users" configuration file and didn't set
> > Auth-Type, e.g. username User-Password == "blabla".
>
> Ok...
>
> > I absolutely don't like plaintext passwords in some files so I tried
> > freeradius out to use /etc/shadow but with no success.
>
> Plain-text passwords aren't much of a problem from a security
> perspective. They also allow you to do CHAP authentication, which is
> impossible with /etc/passwd.
>
> > Auth-Type := EAP doesn't work:
> > ...
> > auth: type "EAP"
> > modcall: entering group authenticate for request 5
> > rlm_eap: EAP-Message not found
>
> Exactly. Don't set "Auth-Type := EAP". EVER.
>
> > Any idea?
>
> Set Auth-Type to System for the tunneled user, and read the
> debugging output of the server. I note that you did NOT post that
> debugging output, which is the ONLY relevant thing here.

I set Auth-Type to System but no TTLS-tunnel session would be established and I got the following debugging output:

...
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
rad_check_password: Found Auth-Type System
Warning: Found 2 auth-types on request for user 'HUGO'
auth: type "System"
modcall: entering group authenticate for request 0
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
...

This output led me to the assumption that Auth-Type set to System is wrong, so I set Auth-Type to EAP.

When I didn't set Auth-Type, e.g.

<username> User-Password "blabla"

and set

DEFAULT Auth-Type += System
        Fall-Through = YES

I can authenticate with plaintext password and with /etc/passwd, so I got two valid passwords. With both passwords TTLS-tunnel sessions were established, weird!

Ralf.

>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
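
An added example, not part of either poster's message and not FreeRADIUS code: a short Python script that reads debug output like the lines quoted above and reports, per request, when more than one Auth-Type was found and when a module rejected the request because an attribute was missing. The function names are hypothetical, and it assumes a line without a request number belongs to the request most recently named in the output.

```python
import re
from collections import defaultdict

# Constructed sample: the debug lines quoted in the message above.
SAMPLE = """\
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
rad_check_password: Found Auth-Type System
Warning: Found 2 auth-types on request for user 'HUGO'
auth: type "System"
modcall: entering group authenticate for request 0
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
"""

FOUND = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')
CHOSEN = re.compile(r'auth: type "([^"]+)"')
REQ = re.compile(r'for request (\d+)')
NEED = re.compile(r'(rlm_\w+): Attribute "([^"]+)" is required')

def analyze(text):
    """Group Auth-Type decisions and module complaints by request number."""
    # Assumption: unnumbered lines belong to the request named most recently.
    reqs = defaultdict(lambda: {"found": [], "chosen": None, "missing": [], "failed": False})
    cur = None
    for line in text.splitlines():
        if (m := REQ.search(line)):
            cur = int(m.group(1))
        if (m := FOUND.search(line)):
            reqs[cur]["found"].append(m.group(1))
        elif (m := CHOSEN.search(line)):
            reqs[cur]["chosen"] = m.group(1)
        elif (m := NEED.search(line)):
            reqs[cur]["missing"].append((m.group(1), m.group(2)))
        elif "Failed to validate the user" in line:
            reqs[cur]["failed"] = True
    return dict(reqs)

def findings(text):
    """Return (request, kind, detail) tuples worth a second look."""
    out = []
    for req, r in analyze(text).items():
        if len(set(r["found"])) > 1:
            out.append((req, "conflict", f"Auth-Types {r['found']} set; server used {r['chosen']!r}"))
        for mod, attr in r["missing"]:
            out.append((req, "missing-attr", f"{mod} requires {attr}, absent from this request"))
    return out
```

Calling `findings()` on a saved debug log prints nothing by itself; iterate over the returned tuples to see which requests carried conflicting Auth-Type values.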