Re: EAP-TLS CRL checking when multiple CAs used
Hi all,

problem has been on my side. I missed adding another CRL into the certs directory. Thank you for all your help!

Best regards,
Martin Čmelík

2011/11/14 Martin Čmelík martin.cme...@gmail.com:
> Hi Alan,
>
> I did, there is nothing about it. Only this:
>
>     # Check the Certificate Revocation List
>     #
>     # 1) Copy CA certificates and CRLs to same directory.
>     # 2) Execute 'c_rehash CA certsCRLs Directory'.
>     #    'c_rehash' is OpenSSL's command.
>     # 3) uncomment the line below.
>     # 5) Restart radiusd
>     # check_crl = yes
>
> We have all CAs in ca.pem and CRL lists in separate files crl1.pem+.der, crl2.pem+.der, etc.
>
> Stefan, that's what I did. OK, I will try to do the same thing with the previous configuration. Maybe I missed something.
>
> Thank you
> Martin Čmelík
>
> 2011/11/14 Alan DeKok al...@deployingradius.com:
>> Martin Čmelík wrote:
>>> Question is: when Freeradius receives a user certificate, how does the daemon find the correct CRL list in the certs directory?
>>
>> Read raddb/eap.conf. This is documented.
>>
>> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
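The directory layout the eap.conf comment above relies on, as an added example that is not part of the thread or of FreeRADIUS: c_rehash names each CA certificate <hash>.<n> and each CRL <hash>.r<n> (same subject-name hash), so a CA whose CRL was never copied in, which is the gap Martin hit, shows up as a <hash>.0 with no <hash>.r0 beside it. This POSIX sh audit reports exactly those CAs; the fixture directory and its file names are constructed for the example and are not real hashes.

```shell
#!/bin/sh
# Added example (not from the list thread): audit a c_rehash'd directory
# for CA links that have no CRL link with the same hash. With
# check_crl = yes, OpenSSL looks for <hash>.r0, <hash>.r1, ... next to
# the <hash>.<n> CA link; when none exists, certificates issued by that
# CA cannot be checked against a CRL.

# find_cas_without_crl DIR
# Prints the hash of every CA link that has no matching CRL link.
# Returns 0 when every CA has a CRL, 1 when at least one is missing.
find_cas_without_crl() {
    _dir=$1
    _missing=0
    for _cert in "$_dir"/*.[0-9]; do
        [ -e "$_cert" ] || continue            # glob matched nothing
        _hash=$(basename "$_cert")
        _hash=${_hash%.*}                      # "1a2b3c4d.0" -> "1a2b3c4d"
        # Any <hash>.r<n> satisfies the lookup; OpenSSL walks r0, r1, ...
        _found=0
        for _crl in "$_dir"/"$_hash".r[0-9]; do
            [ -e "$_crl" ] && _found=1 && break
        done
        if [ "$_found" -eq 0 ]; then
            printf '%s\n' "$_hash"
            _missing=1
        fi
    done
    # An expired CRL is a separate failure this check does not cover.
    return "$_missing"
}

# make_sample_dir
# Constructed fixture, not real c_rehash output: two "CA" links and a
# CRL link for only the first one, i.e. a directory where one CRL was
# never copied in. Prints the temporary directory path.
make_sample_dir() {
    _d=$(mktemp -d)
    for _f in 1a2b3c4d.0 1a2b3c4d.r0 9f8e7d6c.0; do
        : > "$_d/$_f"
    done
    printf '%s\n' "$_d"
}

# Stand-alone use: sh check_crl_dir.sh /etc/raddb/certs
if [ $# -ge 1 ]; then
    if find_cas_without_crl "$1"; then
        echo "every CA link in $1 has a CRL link"
    else
        echo "the CA hashes above have no CRL link in $1" >&2
        exit 1
    fi
fi
```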
Help: FreeRadius Users with multiple passwords
Hi all,

I have encountered an issue and cannot find the solution after several days of thinking :(

I set up FreeRadius Mysql successfully, testing with some accounts ok, but my real case: lots of my users *have more than 1 password*. Example: user truongdm comes with the password abc123 or the password 123abc, and both are ok.

Please help me: how can I set it up?

- I tried to insert several records with the same username and different value (password) in the radcheck table, but at one time the server accepts only 1 pair of username/value :(
- I tried to edit the users file manually but no help.

Anyone who has had this matter, please help me find the direction!

Thanks
Best Regards!
Re: Help: FreeRadius Users with multiple passwords
On Tue, Nov 15, 2011 at 4:00 PM, Duong Manh Truong ngoahotanglon...@gmail.com wrote:
> Hi all,
>
> I have encountered an issue and cannot find the solution after several days of thinking :(
>
> I set up FreeRadius Mysql successfully, testing with some accounts ok, but my real case: lots of my users have more than 1 password. Example: user truongdm comes with the password abc123 or the password 123abc, and both are ok.

Short version: you can't.

Long version: it's doable, but ONLY if:

- your user sends a clear-text password (read: not using MSCHAP or PEAP-MS-CHAP v2, which is the one most often used by Windows clients)
- you create additional logic to handle authentication, either using unlang or an external script (perl, php, whatever). Hint: see http://wiki.freeradius.org/Auth%20Type . Your additional logic would have to set Auth-Type := Accept when conditions (e.g. password) match.

--
Fajar
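One shape Fajar's "external script" option can take, as an added example that is neither code from the thread nor from FreeRADIUS: a POSIX sh script in the form rlm_exec would run from authorize, accepting any of several clear-text passwords stored for one user and otherwise staying silent so the request falls through to normal processing. The credential store and its format, the placeholder path /etc/raddb/multi-passwords, and the rlm_exec settings named in the comments (wait = yes, input_pairs = request, output_pairs = config) are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): accept any of several
# clear-text passwords for one user, shaped as an rlm_exec authorize
# script. It only works when the NAS sends a clear-text User-Password
# (PAP); with MS-CHAP or PEAP-MSCHAPv2 there is no password to compare,
# so the script prints nothing and normal processing continues.

# Constructed credential store: one "user password" pair per line, so a
# user appears once per password. The real file must be readable only by
# the radiusd user; it holds clear-text passwords by necessity.
SAMPLE_CREDS='truongdm abc123
truongdm 123abc
alice s3cret'

# check_password USER PASSWORD CREDS
# 0 when "USER PASSWORD" is exactly one stored line, 1 otherwise.
# -x matches the whole line and -F disables regex, so a password such as
# "abc.*" cannot act as a wildcard against the store.
check_password() {
    printf '%s\n' "$3" | grep -qxF -- "$1 $2"
}

# authorize_request USER PASSWORD CREDS
# On a match, print the control attribute that makes FreeRADIUS skip its
# own password comparison and return 0. On no match (or no clear-text
# password at all), print nothing and return 1, so the request continues
# through authorize/authenticate and is rejected unless something else
# accepts it.
authorize_request() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    if check_password "$1" "$2" "$3"; then
        printf 'Auth-Type := Accept\n'
        return 0
    fi
    return 1
}

# When run by radiusd (assumed: rlm_exec with wait = yes,
# input_pairs = request, output_pairs = config), request attributes
# arrive as environment variables named after the attribute, upper-cased,
# with "-" replaced by "_". CREDS_FILE and its default are placeholders.
if [ -n "${USER_NAME:-}" ]; then
    authorize_request "$USER_NAME" "${USER_PASSWORD:-}" \
        "$(cat "${CREDS_FILE:-/etc/raddb/multi-passwords}")"
fi
```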
Re: mysql module help
Ski Mountain wrote:
> I am trying to get freeradius working with mysql on a new system. I even copied the configuration files from a working system, but I am still having trouble getting the mysql module to load. Yes, I have $INCLUDE sql.conf uncommented in radius.conf.

Read raddb/sites-available/default. Look for "sql".

Then, read the SQL documentation on the wiki.

Alan DeKok.
Re: Issues with EAP-TLS and OpenSSL
Houston-III, Lester L wrote:
> I'm trying to configure my FreeRADIUS server to support EAP-TLS but it keeps reporting that there is no OpenSSL support.

You need to install the openssl-dev package. It includes the OpenSSL header files.

This is probably on the Wiki, under "building it yourself".

Alan DeKok.
Re: PEAP/mschapv2 - opendirectory
Kemal YILDIRIM wrote:
> Hello all,
>
> I've just been able to implement a wired 802.1x system with PEAP/mschapv2 authentication against opendirectory, which is running on MacOSX server 10.6.8 Leopard. At the end I have a working setup, but I'd like to learn more to fix my faults.

What is going wrong? You've posted a long message showing authentication succeeded, but no errors.

Alan DeKok.
Re:ldap error
Hello,

I am new to the radius server. I made more changes in the *users* configuration file (/usr/local/etc/raddb/: vi users). After configuring (radiusd -X), the radius server was not configured; the output doesn't generate any *errors* or *warnings*. I attached the output file. Please help me.

[attachment: outputfile.odt]
RE: Issues with EAP-TLS and OpenSSL
I have installed the openssl-dev package, but FR still thinks openssl is not installed.

> You need to install the openssl-dev package. It includes the OpenSSL header files.
>
> This is probably on the Wiki, under "building it yourself".
>
> Alan DeKok.
RE: Issues with EAP-TLS and OpenSSL
I finally got FR to recognize the openssl install. Not sure what I did to fix it, but I installed some additional packages that required openssl, such as Kerberos, and that seemed to fix things.

-----Original Message-----
From: freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org [mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, November 15, 2011 3:25 AM
To: FreeRadius users mailing list
Subject: Re: Issues with EAP-TLS and OpenSSL

Houston-III, Lester L wrote:
> I'm trying to configure my FreeRADIUS server to support EAP-TLS but it keeps reporting that there is no OpenSSL support.

You need to install the openssl-dev package. It includes the OpenSSL header files.

This is probably on the Wiki, under "building it yourself".

Alan DeKok.
Re: ldap error
Harshavardhan Ch wrote:
> Hello,
>
> I am new to the radius server. I made more changes in the *users* configuration file (/usr/local/etc/raddb/: vi users). After configuring (radiusd -X), the radius server was not configured; the output doesn't generate any *errors* or *warnings*. I attached the output file.

There is *no* good reason to post the output as an ODT file. You can add the relevant messages as text in a post to this list.

Alan DeKok.
Re: Issues with EAP-TLS and OpenSSL
Houston-III, Lester L wrote:
> I finally got FR to recognize the openssl install. Not sure what I did to fix it, but I installed some additional packages that required openssl, such as Kerberos, and that seemed to fix things.

For the record, installing Kerberos won't fix OpenSSL issues. Something else happened. The configure log will show it.

Alan DeKok.
RE: Issues with EAP-TLS and OpenSSL
The rlm_eap_tls was built and I think it was installed, but I'm still getting the following errors when running the server. The last line is probably shown because the tls section of eap.conf is ignored, but I'm not sure why I'm getting the other lines when I run configure and it states that OpenSSL is supported.

    Ignoring EAP-Type/tls because we do not have OpenSSL support.
    Ignoring EAP-Type/ttls because we do not have OpenSSL support.
    rlm_eap: No EAP type configured, module cannot do anything.

-----Original Message-----
From: freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org [mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, November 15, 2011 11:44 AM
To: FreeRadius users mailing list
Subject: Re: Issues with EAP-TLS and OpenSSL

Houston-III, Lester L wrote:
> I finally got FR to recognize the openssl install. Not sure what I did to fix it, but I installed some additional packages that required openssl, such as Kerberos, and that seemed to fix things.

For the record, installing Kerberos won't fix OpenSSL issues. Something else happened. The configure log will show it.

Alan DeKok.
Re: Issues with EAP-TLS and OpenSSL
Houston-III, Lester L wrote:
> The rlm_eap_tls was built and I think it was installed, but I'm still getting the following errors when running the server. The last line is probably shown because the tls section of eap.conf is ignored, but I'm not sure why I'm getting the other lines when I run configure and it states that OpenSSL is supported.
>
>     Ignoring EAP-Type/tls because we do not have OpenSSL support.
>     Ignoring EAP-Type/ttls because we do not have OpenSSL support.
>     rlm_eap: No EAP type configured, module cannot do anything.

The EAP module needs to be built with OpenSSL support. If you've re-built only rlm_eap_tls, then that isn't good enough.

The simplest way to fix this is to *delete* your existing installation. Then re-build and re-install.

Alan DeKok.
RE: LDAP/MSCHAP
I wanted to say thanks to everybody from this list who has given me a hand over the past few weeks. I have successfully configured Freeradius to authenticate 802.1X wireless clients from an AD domain and assign them the appropriate VLAN tag based on AD/LDAP group membership. Many thanks to everybody.

-----Original Message-----
From: freeradius-users-bounces+mwhitlow=bumail.bradley@lists.freeradius.org [mailto:freeradius-users-bounces+mwhitlow=bumail.bradley@lists.freeradius.org] On Behalf Of Sven Hartge
Sent: Sunday, November 13, 2011 8:39 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP/MSCHAP

Andreas Rudat ru...@endstelle.de wrote:
> On 12.11.2011 23:00, Sven Hartge wrote:
>> This also means you have to protect those hashes inside your database like a raw cleartext password, as you can authenticate to any Windows box with the knowledge of the NT/LM-Hash. This has been exploited by several Windows trojan horses, which grabbed the NT-Hash from the Administrator user to log in to other boxes on the network using the same password (or worse: the domain controller).
>
> Ah, many thanks for that clearing up, so both are bad no matter which mechanism is used.

Yes. Storing the NT-Hash has the advantage of not completely exposing the cleartext password to a possible intruder. Storing the LM-Hash is just dumb, because a) it limits the length of the password to 16 characters and b) the LM-Hash is easily broken in seconds by today's computers.

Storing the raw cleartext password is as bad, but it enables one to use other challenge-handshake auths, if needed.

I chose to store the raw cleartext password in LDAP, but in a different attribute than the normal userPassword. This way, if my LDAP servers ever get compromised (or I mess up an ACL, enabling anyone to read the cleartext password), just the WLAN/Dialup password of a user is revealed and not the master password for the account, which is used for mail, logging in to computers, etc.

Regards,
Sven.

--
Sigmentation fault. Core dumped.
Certificate Validation Process
All,

I have one minor issue to ask the group about. Using Freeradius to authenticate 802.1X wireless clients, I noticed that if I try to connect to the wireless network and I purposely put in a bad password, I still get the popup to validate the server certificate. On the other radius implementations I am used to, the cert validation does not happen until after the user is authenticated. I imagine I have something configured not quite right but I don't know what. So, in Freeradius is there a way to change it so the "validate server certificate" prompt comes only after successful authentication?

Thanks much,
Mike
Re: Certificate Validation Process
On Tue, Nov 15, 2011 at 01:58:25PM -0600, Whitlow, Michael wrote:
> All,
>
> I have one minor issue to ask the group about. Using Freeradius to authenticate 802.1X wireless clients, I noticed that if I try to connect to the wireless network and I purposely put in a bad password, I still get the popup to validate the server certificate. On the other radius implementations I am used to, the cert validation does not happen until after the user is authenticated. I imagine I have something configured not quite right but I don't know what. So, in Freeradius is there a way to change it so the "validate server certificate" prompt comes only after successful authentication?
>
> Thanks much,
> Mike

If the server cert is bogus, you should not send any authentication information down a compromised connection. It sounds like it is functioning correctly now and was broken then.

Cheers,
Ken
Keeping plain-text shared secret and user passwords in sql
I'm attempting to use freeradius to authenticate the wireless network in my organisation, using self-signed certificates. I have installed freeradius 2.1.10 from the debian 6 repository, set up the basic configuration according to the instructions on the freeradius.org site, and finally I've configured freeradius to use mysql. It seems to work properly, but I wonder if it is safe to keep the user password and client secret in plaintext? I searched the lists and googled a bit, but I can't find any information regarding this case. So:

1 - is there a way (or sense) to hash the shared secret in my database?
2 - Can I hash user passwords if I'm using eap-tls?
2a - if I'm using certificates for authentication, do I actually need to keep user passwords? Because it seems that they aren't used during authentication (or I didn't find that part during debugging)

Regards
Peter
Re: Certificate Validation Process
Hi,

> I have one minor issue to ask the group about. Using Freeradius to authenticate 802.1X wireless clients, I noticed that if I try to connect to the wireless network and I purposely put in a bad password, I still get the popup to validate the server certificate. On the other radius implementations I am used to, the cert validation does not happen until after the user is authenticated. I imagine I have something configured not quite right but I don't know what. So, in Freeradius is there a way to change it so the "validate server certificate" prompt comes only after successful authentication?

umm, you should be prompted about the RADIUS cert before you type in ANY username or password - how else can you trust what you are talking to??

alan
Re: Keeping plain-text shared secret and user passwords in sql
Hi,

> I'm attempting to use freeradius to authenticate the wireless network in my organisation, using self-signed certificates. I have installed freeradius 2.1.10 from the debian 6 repository, set up the basic configuration according to the instructions on the freeradius.org site, and finally I've configured freeradius to use mysql. It seems to work properly, but I wonder if it is safe to keep the user password and client secret in plaintext? I searched the lists and googled a bit, but I can't find any information regarding this case. So:
>
> 1 - is there a way (or sense) to hash the shared secret in my database?
> 2 - Can I hash user passwords if I'm using eap-tls?
> 2a - if I'm using certificates for authentication, do I actually need to keep user passwords? Because it seems that they aren't used during authentication (or I didn't find that part during debugging)

depends on many things. how paranoid are you? what sort of security level does this server have? is the MySQL on a separate server from the FR daemon? is the SQL connection encrypted? and more.

you can hash (salted please!) the passwords so that they are not readable, but if someone has that sort of access to the DB then might they not already be inserting their own user/pass for access? security by obscurity isn't the best way. being worried about such a thing and being more secure and paranoid about security over the server/system might be a better way :-)

alan
Re: Keeping plain-text shared secret and user passwords in sql
asdf zxcv jazdatest...@gmail.com wrote:
> I'm attempting to use freeradius to authenticate the wireless network in my organisation, using self-signed certificates. I have installed freeradius 2.1.10 from the debian 6 repository, set up the basic configuration according to the instructions on the freeradius.org site, and finally I've configured freeradius to use mysql. It seems to work properly, but I wonder if it is safe to keep the user password and client secret in plaintext? I searched the lists and googled a bit, but I can't find any information regarding this case. So:
>
> 1 - is there a way (or sense) to hash the shared secret in my database?

Not if you have to support challenge-handshake authentication. If you only use MSCHAPv2 or PAP, then you can store the password as an NT-Hash. This is somewhat safer than clear text, but should still be secured, because both the NT-Hash and the LM-Hash are quite easily broken (L0phtCrack etc.)

> 2 - Can I hash user passwords if I'm using eap-tls?
> 2a - if I'm using certificates for authentication, do I actually need to keep user passwords? Because it seems that they aren't used during authentication (or I didn't find that part during debugging)

If 2a, then no, as the certificate is the only needed credential of a user/system; no username/password involved.

Regards,
Sven.

--
Sigmentation fault. Core dumped.
Re: mysql module help
Yes, I have already edited the freeradius/sites-available/default file:

    #  See "Authorization Queries" in sql.conf
    sql

From: Alan DeKok al...@deployingradius.com
To: Ski Mountain ski_the_mount...@yahoo.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, November 15, 2011 4:10 AM
Subject: Re: mysql module help

Ski Mountain wrote:
> I am trying to get freeradius working with mysql on a new system. I even copied the configuration files from a working system, but I am still having trouble getting the mysql module to load. Yes, I have $INCLUDE sql.conf uncommented in radius.conf.

Read raddb/sites-available/default. Look for "sql".

Then, read the SQL documentation on the wiki.

Alan DeKok.
/dev/null proxy accounting while proxy sink is unresponsive
hi.

thanks for freeradius. we converted from Radiator to freeradius and were able to halve the size of our radius cluster while still handling more load.

we're using multiple detail files defined in radiusd.conf, which sites-enabled/default then defines as redundant-load-balance, so accounting gets written to them round-robin by freeradius. then we have another sites-enabled/ site defining multiple servers, each listening to one of the accounting files and Proxy-To-Realm'ing them to a realm which is defined in proxy.conf. the realm in proxy.conf has home_servers and home_server_pools defined for multiple different realms, each sending to different proxy sinks. some sinks are just one host, some are multiple.

this all works pretty much great, except when a proxy-sink fails to ACK the accounting we send it (thus being seen as dead or zombie). there are a small number of cases where we would love it if we could just /dev/null this proxy accounting if the remote server is dead/zombie, however i haven't figured out a way to actually configure this.

it seems like i want to use a fallback server in the home_server_pool, where that fallback server would just 'ok' accounting or otherwise toss it in the trash, but after a few iterations of trying to make this work i have come up empty handed.

if anyone can help, i'd be enormously grateful. here are the sanitized configs. so for example, i'd like to add a virtual server to the 'home_server_pool proxy-whatever' that would toss the accounting from the detail file into /dev/null for whatever period of time site-1 and site-2 were dead/zombie.

[proxy.conf]
--
# $Id: proxy.conf 34303 2011-10-26 20:31:34Z jrrs $

# This entry controls the behavior towards ALL other servers we proxy
# requests to.
proxy server {
    # Never, ever fall back to the DEFAULT realm when no
    # home servers are alive for a given realm.
    default_fallback = no
}

home_server proxy-whatever01-site-1 {
    type = acct
    ipaddr = 1.1.1.1
    port = 1845
    secret = zz
    status_check = none
    response_window = 10
}

home_server proxy-whatever01-site-2 {
    type = acct
    ipaddr = 2.2.2.2
    port = 1845
    secret = zz
    status_check = none
    response_window = 10
}

home_server_pool proxy-whatever {
    type = fail-over
    home_server = proxy-whatever01-site-1
    home_server = proxy-whatever01-site-2
}

realm proxy-whatever {
    acct_pool = proxy-whatever
    nostrip
}

[sites-enabled/default]
# $Id: default 34587 2011-11-15 22:45:31Z jrrs $

authorize {
    preprocess
    update request {
        Client-IP-Address := %{Client-IP-Address}
    }
    chap
    mschap
    suffix
    perl
    switch %{Auth-Type} {
        case 'sql.auth.wifi.site3' {
            redundant {
                sql.auth.wifi.site2
                sql.auth.wifi.site1
            }
        }
        case 'sql.auth.wifi.site2' {
            redundant {
                sql.auth.wifi.site2
                sql.auth.wifi.site1
            }
        }
        case 'sql.auth.wifi.site1' {
            redundant {
                sql.auth.wifi.site1
                sql.auth.wifi.site2
            }
        }
    }
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type ldap.site3 {
        redundant {
            ldap.site3
            ldap.site2
            ldap.site1
        }
    }
    Auth-Type ldap.site2 {
        redundant {
            ldap.site2
            ldap.site1
            ldap.site3
        }
    }
    Auth-Type ldap.site1 {
        redundant {
            ldap.site1
            ldap.site2
            ldap.site3
        }
    }
}

preacct {
    perl
}

accounting {
    perl
    redundant-load-balance {
        detail.proxy-whatever0
        detail.proxy-whatever1
        detail.proxy-whatever2
        detail.proxy-whatever3
        detail.proxy-whatever4
    }
    attr_filter.accounting_response
}

session {
}

post-auth {
    Post-Auth-Type REJECT {
        sql.authlog
        attr_filter.access_reject
    }
}

pre-proxy {
}

post-proxy {
    if (%{proxy-reply:Packet-Type} == Access-Accept) {
Re: mysql module help
On Wed, Nov 16, 2011 at 5:44 AM, Ski Mountain ski_the_mount...@yahoo.com wrote:
> Yes, I have already edited the freeradius/sites-available/default

Did you edit the right file? If you did, sql would show up in the debug log. The correct file (based on your debug output) should be /etc/raddb/sites-available/default, and not freeradius/sites-available/default

--
Fajar
Re: mysql module help
Oops, wrong directory. I am used to working on systems with /etc/freeradius, while this one should be /etc/raddb. The beauty of Debian vs redhat. My bad.

From: Fajar A. Nugraha l...@fajar.net
To: Ski Mountain ski_the_mount...@yahoo.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, November 15, 2011 6:57 PM
Subject: Re: mysql module help

On Wed, Nov 16, 2011 at 5:44 AM, Ski Mountain ski_the_mount...@yahoo.com wrote:
> Yes, I have already edited the freeradius/sites-available/default

Did you edit the right file? If you did, sql would show up in the debug log. The correct file (based on your debug output) should be /etc/raddb/sites-available/default, and not freeradius/sites-available/default

--
Fajar
Re: /dev/null proxy accounting while proxy sink is unresponsive
On Wed, Nov 16, 2011 at 6:54 AM, jared r r spiegel j...@ice-nine.org wrote:
> it seems like i want to use a fallback server in the home_server_pool, where that fallback server would just 'ok' accounting or otherwise toss it in the trash, but after a few iterations of trying to make this work i have come up empty handed.

If you want to IMMEDIATELY dump the packet if the home server fails to respond, it's easy. Just use rlm_replicate.

If you want some fancy processing (e.g. dump if it's older than x seconds, or has been retried y times), try http://freeradius.1045715.n5.nabble.com/FreeRadius-with-Eduroam-Accounting-td4871040.html

--
Fajar
eap-ttls with ldap
We want to configure eap-ttls with freeradius. Currently, we have freeradius with ldap authentication. The ldap that we are using is Active Directory. We want to know if there is a good site that we can follow to implement eap-ttls with ldap authentication.

Thanks.
Angela
Re: eap-ttls with ldap
On Wed, Nov 16, 2011 at 11:37 AM, Angelica Delgado angelicadel...@gmail.com wrote:
> We want to configure eap-ttls with freeradius. Currently, we have freeradius with ldap authentication. The ldap that we are using is Active Directory. We want to know if there is a good site that we can follow to implement eap-ttls with ldap authentication.

Why eap-ttls? Why not just EAP-PEAP-MSCHAPv2?

See http://deployingradius.com/documents/configuration/active_directory.html (but you've probably done that already, as you already have AD integration working), and http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

--
Fajar
Re: eap-ttls with ldap
We configured the ldap module to connect to our Active Directory as an ldap server. This is currently working. Do we need to change this configuration in order to start using eap-ttls? We read on the ldap module that it does not support eap. Is this true?

Thanks.
Angela

On Tue, Nov 15, 2011 at 11:08 PM, Fajar A. Nugraha l...@fajar.net wrote:
> On Wed, Nov 16, 2011 at 11:37 AM, Angelica Delgado wrote:
>> We want to configure eap-ttls with freeradius. Currently, we have freeradius with ldap authentication. The ldap that we are using is Active Directory. We want to know if there is a good site that we can follow to implement eap-ttls with ldap authentication.
>
> Why eap-ttls? Why not just EAP-PEAP-MSCHAPv2?
>
> See http://deployingradius.com/documents/configuration/active_directory.html (but you've probably done that already, as you already have AD integration working), and http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> --
> Fajar
Re: eap-ttls with ldap
On Wed, Nov 16, 2011 at 12:57 PM, Angelica Delgado angelicadel...@gmail.com wrote:
> We configured the ldap module to connect to our Active Directory as an ldap server. This is currently working. Do we need to change this configuration in order to start using eap-ttls?

err ... no, but unless you use ntlm_auth you would've needed to do an ldap bind, which means you can't use MSCHAP. If you can tolerate that, then it should be no problem.

> We read on the ldap module that it does not support eap. Is this true?

Where did you read that? I used eap-peap-gtc with a Lotus Domino ldap server, and it works just fine. I can NOT use it for eap-peap-mschapv2 though (due to the ldap bind requirement). You CAN use eap-peap-MSCHAPv2 with AD, but only if you also use ntlm_auth (see the links I sent earlier).

--
Fajar
Re: eap-ttls with ldap
Angelica Delgado wrote:
> We want to configure eap-ttls with freeradius. Currently, we have freeradius with ldap authentication. The ldap that we are using is Active Directory. We want to know if there is a good site that we can follow to implement eap-ttls with ldap authentication.

Configure LDAP so that PAP authentication works in the inner-tunnel. See raddb/sites-available/inner-tunnel for comments on testing this.

Configure the certificates for EAP-TLS.

EAP-TTLS will work.

Alan DeKok.