I need help configuring freeradius with WPA2 Enterprise via LDAP.
LDAP normally works for other services; however, it does not work for WPA2E.
We have also managed to get WPA2E working with a hard-coded username/password. So we know all the components work on their own, but they do not work together.
We have the FreeRADIUS server configured fine to work with the LDAP service.
Any help is appreciated.
Here is my ldap setting from the FreeRADIUS modules/ldap file (mostly irrelevant for this issue):
ldap {
    server = "ldapmaster.domain.com,ldapslave.domain.com"
    identity = "uid=binder,ou=services,dc=security,dc=domain,dc=com"
    password = asdfasdfasdf
    basedn = "ou=internal,ou=users,dc=security,dc=domain,dc=com"
    filter = "(mail=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    max_uses = 0
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = yes
        require_cert = "never"
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    password_attribute = userPassword
    edir_account_policy_check = no
    keepalive {
        idle = 60
        probes = 3
        interval = 3
    }
}
I also have the following setup in eap.conf:
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        CA_path = ${cadir}
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            max_entries = 255
        }
        verify {
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
I also have two sites enabled, default and inner-tunnel:
default
    authorize {
        preprocess
        suffix
        eap {
            ok = return
        }
        expiration
        logintime
        ldap
    }
    authenticate {
        eap
        ldap
    }
inner-tunnel
    authorize {
        mschap
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        expiration
        ldap
        logintime
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
        ldap
    }
Here is a sample log I am seeing in the debug logs:
You appear to have removed the symlink between sites-available/inner-tunnel and sites-enabled/inner-tunnel.
If you look in the log, it's complaining that it can't find the inner-tunnel server, which it requires to perform MSCHAPv2 auth inside the TLS tunnel of the PEAP authentication.
server {
    PEAP: Setting User-Name to [email protected]
    Sending tunneled request
        EAP-Message = 0x0205001a01656d72654071756269746469676974616c2e636f6d
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "[email protected]"
    server inner-tunnel {
        No such virtual server "inner-tunnel"
    } # server inner-tunnel
Add the symlink back, and list the ldap module at the top of the authorize section in the inner-tunnel server. You will also need to map the attribute holding the user's Cleartext-Password to the User-Password attribute, using the ldap attrmap file.
If you do not have the user's Cleartext-Password in the directory (for example, if it's hashed), then you should use EAP-TTLS-PAP and list the LDAP module in the authenticate section of the inner-tunnel server, then add:
if (User-Password) {
    update control {
        Auth-Type := LDAP
    }
}
to the authorize section of the inner-tunnel server.
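The decision in the answer above hinges on how userPassword is stored: MSCHAPv2 inside PEAP needs the cleartext on the RADIUS side, while a salted one-way hash such as {SSHA} can only be checked by a PAP-style compare or LDAP bind, which is what EAP-TTLS-PAP with ldap in authenticate gives you. The script below is an added illustration, not code from the thread or from FreeRADIUS: it classifies RFC 2307 style userPassword values by their scheme prefix, reports which inner method from the thread can authenticate such an entry, and shows the {SSHA} compare itself. All sample values and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import re

# RFC 2307 one-way schemes: the server cannot recover the cleartext, so
# MSCHAPv2 (which needs cleartext or NT-hash) cannot be served from them.
ONE_WAY_SCHEMES = {"SSHA", "SHA", "CRYPT", "MD5", "SMD5"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)


def password_scheme(value: str) -> str:
    """Return the storage scheme of an LDAP userPassword value."""
    m = SCHEME_RE.match(value)
    if not m:
        return "cleartext"            # no {scheme} prefix: stored in the clear
    scheme = m.group(1).upper()
    if scheme in ("CLEAR", "CLEARTEXT"):
        return "cleartext"
    return scheme if scheme in ONE_WAY_SCHEMES else "unknown"


def compatible_inner_methods(value: str) -> set:
    """Inner EAP methods from the thread that can verify this entry."""
    scheme = password_scheme(value)
    if scheme == "cleartext":
        return {"PEAP-MSCHAPv2", "EAP-TTLS-PAP"}
    if scheme in ONE_WAY_SCHEMES:
        return {"EAP-TTLS-PAP"}       # only a PAP compare/bind can check it
    return set()


def make_ssha(password: str, salt: bytes = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(value: str, candidate: str) -> bool:
    """PAP-style check of a candidate password against an {SSHA} value."""
    if password_scheme(value) != "SSHA":
        return False
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]        # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


if __name__ == "__main__":
    # Constructed sample entries (not from the page).
    for v in ("hunter2", make_ssha("hunter2", b"s4lt"), "{CRYPT}$6$abc$xyz"):
        print(password_scheme(v), sorted(compatible_inner_methods(v)))
```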