Hi All, Quite new to RADIUS and struggling to get my head around things, so forgive me if my assumptions are wrong. I appear to have the setup working but I'm concerned it's not doing what I think it is. I don't think the authentication requests are actually going over an encrypted channel.
I'm using freeradius-1.1.2 on a FreeBSD server and I've compiled it against openldap-2.3.24, which all went well. I'm attempting to set up secure wireless with WPA2 using our LDAP directory for authentication. We have a replica of our directory running on the freeradius server. Originally I had hoped to use some sort of web-redirect-to-an-authentication-page system like you sometimes see in hotels, but I can't find anything about that (any information welcome). After reading around, the best form of authentication I can see would be EAP-TTLS with PAP as the inner protocol. I believe (from comments in the radiusd.conf file) that I wouldn't be able to use MD5 with LDAP. Now, I've set it up in a way that appears to be mostly right and I *can* authenticate with my username/password in LDAP, but doing a tcpdump on the RADIUS server worries me. I can see my username passed in the clear in the packets, so I'm concerned it's not using TLS at all. I told the wireless client to use TTLS, so I can't understand what's going on. The following is a summary of the main changes I made to the radiusd.conf and eap.conf files. If I don't mention an attribute it's because I didn't change it from the default setting:

radiusd.conf:

    modules {
        ldap {
            server = "localhost"
            filter = "(uid=%u)"
            base_filter = "(objectclass=radiusprofile)"
            start_tls = no
            dictionary_mapping = ${raddbdir}/ldap.attrmap
        }
    }

    authorize {
        eap
        ldap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        eap
        Auth-Type LDAP {
            ldap
        }
    }

eap.conf:

    eap {
        default_eap_type = ttls
        tls {
            private_key_file = ${raddbdir}/certs/radius_key.pem
            certificate_file = ${raddbdir}/certs/radius_cert.pem
            CA_file = ${raddbdir}/certs/cacert.pem
            random_file = ${raddbdir}/certs/random
        }
        ttls {
            default_eap_type = md5
        }
    }

Now I know that default_eap_type setting looks wrong, but I don't know what I *should* have there.
On the server in /var/log/radiusd.log I see the following:

    Wed Jul 5 16:10:32 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
    Wed Jul 5 16:10:32 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
    Wed Jul 5 16:10:32 2006 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)

I based my certificate generation on the instructions at http://homepage.mac.com/andreaswolf/public/wpaeap.html, including using the xpextensions mentioned there. I generated my random file using dd and /dev/urandom. I am a little lost and don't know what is best practice. Any advice would be appreciated. I've tried googling but haven't found a good guide that matches our setup. I can, of course, give more information if needed.

Thanks,
John Allman

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
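Added example (not part of the original post): a username visible to tcpdump even though the client is configured for TTLS is what a passive observer sees with EAP-TTLS in any case, because the RADIUS User-Name attribute and the outer EAP identity travel in cleartext, while the inner PAP username and password travel inside TLS records wrapped in EAP-Message attributes. The Python script below builds two hand-constructed Access-Requests (an EAP-TTLS one, and a plain PAP-over-RADIUS one carrying a User-Password attribute), parses the RADIUS attribute list, and reports which parts are readable on the wire. The identity anonymous@example.org, the username alice, the payload bytes and the zeroed Message-Authenticator are constructed placeholders, not data from the poster's capture.

```python
"""Dissect a RADIUS Access-Request and report what a passive observer can read.

Added illustration; the packets below are constructed by hand, not captured.
"""
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

EAP_RESPONSE = 2
EAP_TYPE_TTLS = 21
TLS_HANDSHAKE = 22
TLS_APPLICATION_DATA = 23


def tls_record(content_type, payload):
    """TLS record header: content type, version 3.1 (TLS 1.0), length, then payload."""
    return struct.pack("!BHH", content_type, 0x0301, len(payload)) + payload


def build_eap_ttls_response(eap_id, record):
    """EAP-Response of type TTLS; flags byte 0 means no length field, no fragments."""
    body = bytes([EAP_TYPE_TTLS, 0x00]) + record
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def build_radius(code, ident, authenticator, attrs):
    """attrs is a list of (type, value bytes); each attribute is type, length, value."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius(data):
    """Return (code, id, authenticator, [(type, value), ...]) with length checks."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = struct.unpack("!BB", data[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs


def summarize_exposure(data):
    """What the packet reveals without the TLS session keys or the shared secret."""
    code, _ident, _auth, attrs = parse_radius(data)
    report = {"code": code, "outer_identity": None, "eap_type": None,
              "tls_content_type": None, "password_attribute_present": False}
    for t, v in attrs:
        if t == ATTR_USER_NAME:
            report["outer_identity"] = v.decode("utf-8", "replace")
        elif t == ATTR_USER_PASSWORD:
            # PAP outside a tunnel: value is only MD5-xor obfuscated with the shared secret
            report["password_attribute_present"] = True
    # EAP-Message fragments concatenate into a single EAP packet
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) >= 5:
        _code, _id, eap_len = struct.unpack("!BBH", eap[:4])
        if eap_len != len(eap):
            raise ValueError("bad EAP length")
        report["eap_type"] = eap[4]
        if eap[4] == EAP_TYPE_TTLS and len(eap) >= 6:
            flags = eap[5]
            tls_start = 6 + (4 if flags & 0x80 else 0)  # L flag adds a 4-byte length
            if len(eap) > tls_start:
                report["tls_content_type"] = eap[tls_start]  # 22 handshake, 23 app data
    return report


# Constructed sample 1: EAP-TTLS with an anonymous outer identity; the inner PAP
# exchange is opaque application data (placeholder bytes stand in for ciphertext).
SAMPLE_TTLS = build_radius(
    RADIUS_ACCESS_REQUEST, 0x2A, bytes(range(16)),
    [(ATTR_USER_NAME, b"anonymous@example.org"),
     (ATTR_EAP_MESSAGE, build_eap_ttls_response(
         5, tls_record(TLS_APPLICATION_DATA, bytes.fromhex("deadbeef" * 8)))),
     (ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])  # zero placeholder, not a real HMAC

# Constructed sample 2: PAP straight over RADIUS, no TLS tunnel at all.
SAMPLE_PLAIN_PAP = build_radius(
    RADIUS_ACCESS_REQUEST, 0x2B, bytes(range(16, 32)),
    [(ATTR_USER_NAME, b"alice"),
     (ATTR_USER_PASSWORD, bytes(16))])  # placeholder obfuscated value

if __name__ == "__main__":
    for name, pkt in (("EAP-TTLS", SAMPLE_TTLS), ("plain PAP", SAMPLE_PLAIN_PAP)):
        print(name, summarize_exposure(pkt))
```

In a real capture the two things to check are whether the outer identity is the real username (the supplicant's anonymous/outer identity setting controls that, not the server) and whether any User-Password attribute appears, which would mean PAP was sent outside the tunnel. The script only dissects the packet; it does not validate Message-Authenticator or the Request Authenticator.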