Re: PAM authentication not working
Quoting Phil Mayers:

> Your client is doing EAP-TTLS/EAP-MD5. You have two choices:
>
> 1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be able to authenticate
> 2. Stop using PAM, and provide the server with the client credentials in a form compatible with your EAP-type (see 1st URL above)

Choice #1 seemed worth a shot, so I altered my client's wpa_supplicant.conf by adding one extra line -- a 'phase2' attribute for PAP:

    network={
        ssid="mynet"
        scan_ssid=1
        key_mgmt=WPA-EAP
        pairwise=CCMP TKIP
        group=CCMP TKIP
        eap=TTLS
        identity="jwinius"
        password="secret"
        ca_cert="/etc/certs/ca.pem"
        phase2="auth=PAP"
    }

This configuration, together with the freeradius configuration already described in my first post in this thread, worked immediately. :-)

Thank you very much, Phil Mayers, and thanks also to Alan DeKok.

Cheers,

Jaap

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Session-Timeout anomalies
Bill Isaacs wrote:
> Being a moderator does NOT give you moral license to treat people like
> children.

The only moral issue here is you admitting you came here with the intention of trolling.

The only purpose of this list is to help people solve problems. If that means reminding them to read the docs, so be it. If you want a friend, go somewhere else.

Alan DeKok.
Re: PAM authentication not working
On 02/08/2013 11:42 PM, Jaap Winius wrote:
> Quoting Alan DeKok:
>> No. You can't turn off EAP. The client is sending EAP to the server.
>> You need to change the client. And likely you can't, because it
>> *needs* to do EAP.
>
> Indeed, the key_mgmt attribute in my wpa_supplicant.conf is set to
> WPA-EAP and it looks like that's my only option. But, if you're correct,
> then how is this supposed to work? You make it sound like a catch-22.

The choice of authentication algorithm (EAP) and any EAP-type are made client side. Different EAP types have different requirements, in terms of what data you need to successfully authenticate a user - see here:

http://deployingradius.com/documents/protocols/compatibility.html
http://deployingradius.com/documents/protocols/oracles.html

PAM, as noted at the 2nd link, is an "oracle" that can *only* be used to authenticate PAP, and therefore EAP-TTLS/PAP.

Your client is doing EAP-TTLS/EAP-MD5. You have two choices:

1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be able to authenticate
2. Stop using PAM, and provide the server with the client credentials in a form compatible with your EAP-type (see 1st URL above)

These are your only options.
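
Added example, not part of the thread or of any project's code: a small checker that reads wpa_supplicant.conf network blocks and reports whether each one can authenticate against a PAM-backed server, using the rule given above (PAM can only check PAP, hence EAP-TTLS/PAP) and the working block from the first post. The function names and the ca_cert/ca_path check are this example's own additions; wpa_supplicant does not verify the server certificate when neither is set, which matters here because PAP carries the password in cleartext inside the tunnel.

```python
# Assumption from the thread: only PAP hands the server the cleartext password
# PAM needs. phase2="auth=..." is a non-EAP TTLS inner method, "autheap=..." an EAP one.
PAM_COMPATIBLE = {"auth=PAP"}

def parse_networks(text):
    """Return one {key: value} dict per network={ ... } block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def check_for_pam(net):
    """Reasons this block fails, or is unsafe, against a PAM-backed server."""
    if "TTLS" not in net.get("eap", "").upper().split():
        return ["outer method is %s, not TTLS" % (net.get("eap") or "unset")]
    problems = []
    if not set(net.get("phase2", "").split()) & PAM_COMPATIBLE:
        problems.append("inner method is %s; PAM can only check PAP"
                        % (net.get("phase2") or "unset"))
    if "ca_cert" not in net and "ca_path" not in net:
        problems.append("no ca_cert/ca_path: server certificate is unverified, "
                        "so the PAP password could go to a rogue server")
    return problems

# Trimmed copy of the working block from the post above.
AFTER = """network={
    ssid="mynet"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jwinius"
    password="secret"
    ca_cert="/etc/certs/ca.pem"
    phase2="auth=PAP"
}"""
# Constructed: the same block without the added phase2 line.
BEFORE = AFTER.replace('    phase2="auth=PAP"\n', "")

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for net in parse_networks(conf):
            print(label, net["ssid"], check_for_pam(net) or "OK for PAM")
```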