Re: PAM authentication not working

2013-02-09 Thread Jaap Winius

Quoting Phil Mayers :

> Your client is doing EAP-TTLS/EAP-MD5.
>
> You have two choices:
>
>  1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be
> able to authenticate
>  2. Stop using PAM, and provide the server with the client
> credentials in a form compatible with your EAP-type (see 1st URL
> above)

Choice #1 seemed worth a shot, so I altered my client's
wpa_supplicant.conf by adding one extra line -- a 'phase2' attribute
for PAP:

  network={
      ssid="mynet"
      scan_ssid=1
      key_mgmt=WPA-EAP
      pairwise=CCMP TKIP
      group=CCMP TKIP
      eap=TTLS
      identity="jwinius"
      password="secret"
      ca_cert="/etc/certs/ca.pem"
      phase2="auth=PAP"
  }

This configuration, together with the freeradius configuration already
described in my first post in this thread, worked immediately. :-)


Thank you very much, Phil Mayers, and thanks also to Alan DeKok.

Cheers,

Jaap
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Session-Timeout anomalies

2013-02-09 Thread Alan DeKok
Bill Isaacs wrote:
> Being a moderator does NOT give you moral license to treat people like
> children.

  The only moral issue here is you admitting you came here with the
intention of trolling.

  The only purpose of this list is to help people solve problems.  If
that means reminding them to read the docs, so be it.

  If you want a friend, go somewhere else.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAM authentication not working

2013-02-09 Thread Phil Mayers

On 02/08/2013 11:42 PM, Jaap Winius wrote:
> Quoting Alan DeKok :
>
>> No.  You can't turn off EAP.  The client is sending EAP to the server.
>> You need to change the client.  And likely you can't, because it
>> *needs* to do EAP.
>
> Indeed, the key_mgmt attribute in my wpa_supplicant.conf is set to
> WPA-EAP and it looks like that's my only option. But, if you're correct,
> then how is this supposed to work? You make it sound like a catch-22.


The choice of authentication algorithm (EAP) and any EAP-type are made
client side.

Different EAP types have different requirements, in terms of what data
you need to successfully authenticate a user - see here:

http://deployingradius.com/documents/protocols/compatibility.html
http://deployingradius.com/documents/protocols/oracles.html

PAM, as noted at the 2nd link, is an "oracle" that can *only* be used to
authenticate PAP, and therefore EAP-TTLS/PAP.


Your client is doing EAP-TTLS/EAP-MD5.

You have two choices:

 1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be able
    to authenticate
 2. Stop using PAM, and provide the server with the client credentials
    in a form compatible with your EAP-type (see 1st URL above)


These are your only options.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
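The "oracle" distinction Phil draws above is what decides whether a given inner method can be checked against PAM: the oracle only answers yes/no to a candidate password, while EAP-MD5 hands the server a hash it must recompute itself. The Python sketch below is an added illustration, not code from FreeRADIUS, wpa_supplicant, PAM or any poster in this thread; it models a PAM-style oracle and the EAP-MD5 response (MD5 of identifier, password and challenge, as in CHAP) to show why EAP-TTLS/PAP works against the oracle and EAP-TTLS/EAP-MD5 cannot, and what option 2 (cleartext credentials on the server) buys. The user table, challenge bytes and all function names are constructed for the example.

```python
"""Password oracle vs. cleartext credentials for EAP-TTLS inner methods.

Constructed illustration (not FreeRADIUS, wpa_supplicant or PAM code).
A PAM-style oracle answers only "is this (user, password) pair valid?";
it never returns the stored password.  PAP inside the TTLS tunnel carries
the cleartext password, so the oracle can be asked.  EAP-MD5 carries only
MD5(identifier || password || challenge) (CHAP-style, RFC 1994 / RFC 3748),
so the verifier has to recompute that hash, which needs the cleartext password.
"""
import hashlib
import hmac

# Constructed user table standing in for whatever backs PAM on the server.
USERS = {"jwinius": "secret"}


def pam_oracle(user: str, candidate: str) -> bool:
    """Model of PAM as an oracle: yes/no on a candidate password, nothing else."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), candidate.encode())


def md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def auth_ttls_pap_with_pam(user: str, password: str) -> bool:
    """EAP-TTLS/PAP: the tunnel delivers the cleartext password, so ask the oracle."""
    return pam_oracle(user, password)


def auth_ttls_eapmd5_with_pam(user: str, identifier: int,
                              challenge: bytes, response: bytes) -> bool:
    """EAP-TTLS/EAP-MD5 against a PAM oracle cannot be completed.

    The client supplies only the hash; the oracle offers only a yes/no on a
    candidate password.  There is no password to hand the oracle and no
    stored password with which to recompute the hash, so the server cannot
    decide.  Modelled here as an explicit failure.
    """
    raise NotImplementedError("a password oracle cannot verify an EAP-MD5 response")


def auth_ttls_eapmd5_with_cleartext(user: str, identifier: int,
                                    challenge: bytes, response: bytes) -> bool:
    """Option 2 from the reply: the server holds the cleartext password itself."""
    stored = USERS.get(user)
    if stored is None:
        return False
    expected = md5_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed challenge, not from any capture
    print("TTLS/PAP via PAM:", auth_ttls_pap_with_pam("jwinius", "secret"))
    resp = md5_response(1, "secret", challenge)
    print("TTLS/EAP-MD5 with cleartext store:",
          auth_ttls_eapmd5_with_cleartext("jwinius", 1, challenge, resp))
```

The same asymmetry applies to any challenge-response inner method (MSCHAPv2 needs an NT hash, for instance), which is why the compatibility matrix linked above pairs each EAP type with the credential form the server must hold.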