Linux, LDAP, Radius


I need a little help to understand whether my wireless login with RADIUS+LDAP is secure enough.

I have this infrastructure: PC client (Linux) + ASUS wireless AP + FreeRADIUS and OpenLDAP on the same machine in the cloud.

I configured everything and now I am able to log in with LDAP credentials. The client uses WPA2 Enterprise with TTLS+PAP, because PAP is the only protocol available, since the passwords in LDAP are encrypted (SSHA).

Is everything secure enough even if I use PAP?

This is the output of radiusd -x after a login:

    rad_recv: Access-Request packet from host MYHOST port 34321, id=46, length=144
    User-Name = "MYUSERNAME"
    NAS-IP-Address = 192.168.3.14
    NAS-Identifier = "RalinkAP0"
    NAS-Port = 0
    Called-Station-Id = "10-BF-48-81-BC-F4"
    Calling-Station-Id = "D8-0F-99-5F-62-A1"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020100110163696363696f2e62656c6c6f
    Message-Authenticator = 0x54067f60041b728d4922c41eb47701f9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for MYUSERNAME
[ldap]  expand: %{Stripped-User-Name} -> 
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> MYUSERNAME
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=MYUSERNAME)
[ldap]  expand: dc=MYCOMPANYNAME,dc=XX -> dc=MYCOMPANYNAME,dc=XX
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to localhost:389, authentication 0
  [ldap] bind as / to localhost:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=MYCOMPANYNAME,dc=XX, with filter (uid=MYUSERNAME)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
  [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] radiusPortLimit -> Port-Limit = 2
  [ldap] radiusIdleTimeout -> Idle-Timeout = 10
  [ldap] radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
  [ldap] radiusFramedMTU -> Framed-MTU = 1500
  [ldap] radiusFramedIPAddress -> Framed-IP-Address = 255.255.255.254
  [ldap] radiusFramedProtocol -> Framed-Protocol = PPP
  [ldap] radiusServiceType -> Service-Type = Framed-User
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 46 to MYHOST port 34321
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Type:0 = VLAN
    Port-Limit = 2
    Idle-Timeout = 10
    Framed-Compression = Van-Jacobson-TCP-IP
    Framed-MTU = 1500
    Framed-IP-Address = 255.255.255.254
    Framed-Protocol = PPP
    Service-Type = Framed-User
    EAP-Message = 0x010200160410b148152ba08ab4607e84d55f739a3ef3
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xb4961f26b4941b04a1bc4b208f20b4e7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=47, length=151
    User-Name = "MYUSERNAME"
    NAS-IP-Address = 192.168.3.14
    NAS-Identifier = "RalinkAP0"
    NAS-Port = 0
    Called-Station-Id = "10-BF-48-81-BC-F4"
    Calling-Station-Id = "D8-0F-99-5F-62-A1"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020200060315
    State = 0xb4961f26b4941b04a1bc4b208f20b4e7
    Message-Authenticator = 0x9f0f65b2a2f87074e97b124376e7f431
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for MYUSERNAME
[ldap]  expand: %{Stripped-User-Name} -> 
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> MYUSERNAME
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=MYUSERNAME)
[ldap]  expand: dc=MYCOMPANYNAME,dc=XX -> dc=MYCOMPANYNAME,dc=XX
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=MYCOMPANYNAME,dc=XX, with filter (uid=MYUSERNAME)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
  [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] radiusPortLimit -> Port-Limit = 2
  [ldap] radiusIdleTimeout -> Idle-Timeout = 10
  [ldap] radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
  [ldap] radiusFramedMTU -> Framed-MTU = 1500
  [ldap] radiusFramedIPAddress -> Framed-IP-Address = 255.255.255.254
  [ldap] radiusFramedProtocol -> Framed-Protocol = PPP
  [ldap] radiusServiceType -> Service-Type = Framed-User
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 47 to MYHOST port 34321
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Type:0 = VLAN
    Port-Limit = 2
    Idle-Timeout = 10
    Framed-Compression = Van-Jacobson-TCP-IP
    Framed-MTU = 1500
    Framed-IP-Address = 255.255.255.254
    Framed-Protocol = PPP
    Service-Type = Framed-User
    EAP-Message = 0x010300061520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xb4961f26b5950a04a1bc4b208f20b4e7
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=48, length=454
    User-Name = "MYUSERNAME"
    NAS-IP-Address = 192.168.3.14
    NAS-Identifier = "RalinkAP0"
    NAS-Port = 0
    Called-Station-Id = "10-BF-48-81-BC-F4"
    Calling-Station-Id = "D8-0F-99-5F-62-A1"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = [...]
    EAP-Message = 0x16000e000d000b000c0009000a000d0020001e060106020603050105020503040104020403030103020303020102020203000f000101
    State = 0xb4961f26b5950a04a1bc4b208f20b4e7
    Message-Authenticator = 0x9f5728a6902c6f16485f2eed80c4652c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 253
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0128], ClientHello  
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 003e], ServerHello  
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 030e], Certificate  
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange  
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase 
In SSL Accept mode  
[ttls] eaptls_process returned 13 
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 48 to MYHOST port 34321
    EAP-Message = [...]
    EAP-Message = [...]
    EAP-Message = [...]
    EAP-Message = [...]
    EAP-Message = 0x41c2388a034111e89a66df84
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xb4961f26b6920a04a1bc4b208f20b4e7
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=49, length=151
    User-Name = "MYUSERNAME"
    NAS-IP-Address = 192.168.3.14
    NAS-Identifier = "RalinkAP0"
    NAS-Port = 0
    Called-Station-Id = "10-BF-48-81-BC-F4"
    Calling-Station-Id = "D8-0F-99-5F-62-A1"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020400061500
    State = 0xb4961f26b6920a04a1bc4b208f20b4e7
    Message-Authenticator = 0x5e54e734a23f7d5eccd994dd6b3b1c64
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 49 to MYHOST port 34321
    EAP-Message = 0x010500c31580000004af95618a570ca1af462abbae65491a7eb4fb54855bc38d7d24ea3dfe0d6b2317db0291ab32cd3581def62f41f0818af0265db92e9373e6dedd2d9ac109c70c69abb65f98a9a2adc612f44f5dae42077752ca2da44d1d65edbe3eae84131e843b0cb0cf0f67a7cba37fd53b52ab087329c20bf41212f8bcf644e3b0f947c7efb6c48c3a47ee2e9b82e90d6ca712388d32a1ad2547b8d9c58f14ccbc9ea73ac1368389bd19f30524e3fc34ca63323234538e16030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xb4961f26b7930a04a1bc4b208f20b4e7
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=50, length=285
    User-Name = "MYUSERNAME"
    NAS-IP-Address = 192.168.3.14
    NAS-Identifier = "RalinkAP0"
    NAS-Port = 0
    Called-Station-Id = "10-BF-48-81-BC-F4"
    Calling-Station-Id = "D8-0F-99-5F-62-A1"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0205008c15001603010046100000424104ad07a8afc3f54a25ad1e2d16cb82d7fee22bbd5d29230586f6bd74c5b5f63ab583d2893d5d929ddbfbccd3d979ab1991aa327bdb1bbfde3b911474ec4e40ba1b1403010001011603010030e4ade37cae91ee44ea813a08bccd336330ea8f0e683e27671ebc192531fb39d497ad24e18a55aef6ac9196abdc07ba11
    State = 0xb4961f26b7930a04a1bc4b208f20b4e7
    Message-Authenticator = 0xcc67db6ecf8d276c1e1dcfe3b174ae5f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established 
[ttls] eaptls_process returned 13 
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 50 to MYHOST port 34321
    EAP-Message = 0x0106004515800000003b1403010001011603010030c80d41290431875efa6f9b95f93e9efe6caca8b619ff85be8774b5005d6d7d9407a83820d5f0491f4c0b6d6eba1571bc
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xb4961f26b0900a04a1bc4b208f20b4e7
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=51, length=273
    User-Name = "MYUSERNAME"
    NAS-IP-Address = 192.168.3.14
    NAS-Identifier = "RalinkAP0"
    NAS-Port = 0
    Called-Station-Id = "10-BF-48-81-BC-F4"
    Calling-Station-Id = "D8-0F-99-5F-62-A1"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x02060080150017030100201b68b351df52aa520d5cef2e67154f1634828faa63b4015ff1c95858612fd2da1703010050cc8afe5516e1093bc38f7c72ad9451ad667a8f87c79b1cb571d501733c12840822aa82249accb65441ebeeb2b7830406351dd0c1921e46682bb2c50cacdd4e2ac89519e4032fd9ee46c06f6c3ae87cc0
    State = 0xb4961f26b0900a04a1bc4b208f20b4e7
    Message-Authenticator = 0x01b3a063376dd33133836e9662c60a85
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 128
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
    User-Name = "MYUSERNAME"
    User-Password = "MYPASSWORD"
    FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
    User-Name = "MYUSERNAME"
    User-Password = "MYPASSWORD"
    FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[ldap] performing user authorization for MYUSERNAME
[ldap]  expand: %{Stripped-User-Name} -> 
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> MYUSERNAME
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=MYUSERNAME)
[ldap]  expand: dc=MYCOMPANYNAME,dc=XX -> dc=MYCOMPANYNAME,dc=XX
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=MYCOMPANYNAME,dc=XX, with filter (uid=MYUSERNAME)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
  [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] radiusPortLimit -> Port-Limit = 2
  [ldap] radiusIdleTimeout -> Idle-Timeout = 10
  [ldap] radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
  [ldap] radiusFramedMTU -> Framed-MTU = 1500
  [ldap] radiusFramedIPAddress -> Framed-IP-Address = 255.255.255.254
  [ldap] radiusFramedProtocol -> Framed-Protocol = PPP
  [ldap] radiusServiceType -> Service-Type = Framed-User
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group LDAP {
[ldap] login attempt by "MYUSERNAME" with password "MYPASSWORD"
[ldap] user DN: uid=MYUSERNAME,ou=people,dc=MYCOMPANYNAME,dc=XX
  [ldap] (re)connect to localhost:389, authentication 1
  [ldap] bind as uid=MYUSERNAME,ou=people,dc=MYCOMPANYNAME,dc=XX/MYPASSWORD to localhost:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user MYUSERNAME authenticated succesfully
++[ldap] = ok
+} # group LDAP = ok
Login OK: [MYUSERNAME] (from client Bologna port 0 via TLS tunnel)
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Type:0 = VLAN
    Port-Limit = 2
    Idle-Timeout = 10
    Framed-Compression = Van-Jacobson-TCP-IP
    Framed-MTU = 1500
    Framed-IP-Address = 255.255.255.254
    Framed-Protocol = PPP
    Service-Type = Framed-User
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [MYUSERNAME] (from client Bologna port 0 cli D8-0F-99-5F-62-A1)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 51 to MYHOST port 34321
    MS-MPPE-Recv-Key = 0x28aa4458b67ba2c51a43a0b0d444edd7ca1857a316904ab88670ea72b10bb375
    MS-MPPE-Send-Key = 0x476389374dc15fb4cc34d491493b43db273451ce228245ea384c04a5db15ff9b
    EAP-Message = 0x03060004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "MYUSERNAME"
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 46 with timestamp +165
Cleaning up request 1 ID 47 with timestamp +165
Cleaning up request 2 ID 48 with timestamp +165
Cleaning up request 3 ID 49 with timestamp +165
Cleaning up request 4 ID 50 with timestamp +165
Cleaning up request 5 ID 51 with timestamp +165
Ready to process requests.

Many thanks in advance for the help.

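The trace above shows the whole exchange in one place: the outer EAP-NAK selecting TTLS, a TLS 1.0 handshake, the tunneled request carrying User-Password, the LDAP bind on localhost:389 with that password, and the final Access-Accept. It also shows that radiusd's debug output prints the inner password in clear text twice. The following script, an added example that is not part of the original question, summarises a radiusd -X trace into those facts, lists the caveats a reviewer would raise, and redacts the secrets before the trace is shared. The sample trace is constructed to mirror the shape of the one posted (user, host and password are invented) and is not a real capture.

```python
import re

# Constructed sample in the shape of a FreeRADIUS 2.x "radiusd -X" trace for one
# EAP-TTLS/PAP login (not a real capture; user, host and password are made up).
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 203.0.113.10 port 34321, id=46, length=144
    User-Name = "alice"
    NAS-Port-Type = Wireless-802.11
[eap] EAP-NAK asked for EAP-Type/ttls
[ttls] <<< TLS 1.0 Handshake [length 0128], ClientHello
[ttls] Got tunneled request
    User-Name = "alice"
    User-Password = "hunter2"
[ldap] bind as uid=alice,ou=people,dc=example,dc=com/hunter2 to localhost:389
[ldap] Bind was successful
Login OK: [alice] (from client ap1 port 0 via TLS tunnel)
Sending Access-Accept of id 51 to 203.0.113.10 port 34321
"""

RE_USER   = re.compile(r'User-Name = "([^"]*)"')
RE_NAK    = re.compile(r"EAP-NAK asked for EAP-Type/(\w+)")
RE_TLS    = re.compile(r"<<< (TLS \d\.\d) Handshake .*ClientHello")
RE_PW     = re.compile(r'User-Password = "([^"]*)"')
RE_BIND   = re.compile(r"bind as (\S+?)/(\S+) to (\S+)")   # authenticated bind only
RE_RESULT = re.compile(r"Sending (Access-Accept|Access-Reject) of id")


def analyse_trace(text):
    """Summarise one EAP conversation from a radiusd -X trace."""
    report = {"user": None, "eap_type": None, "tls_version": None,
              "inner_method": None, "ldap_host": None, "result": None,
              "cleartext_passwords": []}
    in_tunnel = False
    for line in text.splitlines():
        if report["user"] is None and (m := RE_USER.search(line)):
            report["user"] = m.group(1)
        if m := RE_NAK.search(line):
            report["eap_type"] = m.group(1)
        if m := RE_TLS.search(line):
            report["tls_version"] = m.group(1)
        if "Got tunneled request" in line:
            in_tunnel = True
        if in_tunnel and "MS-CHAP2-Response" in line:
            report["inner_method"] = "MSCHAPv2"
        if m := RE_PW.search(line):
            if in_tunnel:
                report["inner_method"] = "PAP"     # password travels as a plain attribute
            _remember(report, m.group(1))
        if m := RE_BIND.search(line):
            report["ldap_host"] = m.group(3)
            _remember(report, m.group(2))
        if m := RE_RESULT.search(line):
            report["result"] = m.group(1)
    return report


def _remember(report, secret):
    if secret and secret not in report["cleartext_passwords"]:
        report["cleartext_passwords"].append(secret)


def redact(text):
    """Mask the secrets that radiusd -X prints in the clear before the trace is shared."""
    text = RE_PW.sub('User-Password = "<redacted>"', text)
    return RE_BIND.sub(r"bind as \1/<redacted> to \3", text)


def findings(report):
    """Security caveats a reviewer would raise about the summarised conversation."""
    notes = []
    if report["inner_method"] == "PAP":
        notes.append("inner PAP: the password crosses the TLS tunnel in clear text, so "
                     "the supplicant must validate the server certificate")
    if report["tls_version"] in ("TLS 1.0", "TLS 1.1"):
        notes.append(f"{report['tls_version']} negotiated: raise the server's minimum TLS version")
    host = report["ldap_host"] or ""
    if host and not host.startswith(("localhost", "127.")) and host.endswith(":389"):
        notes.append("LDAP bind leaves the host on port 389: use ldaps:// or StartTLS")
    if report["cleartext_passwords"]:
        notes.append(f"{len(report['cleartext_passwords'])} cleartext password(s) in the debug "
                     "output: run redact() before sharing and never keep -X output as a log")
    return notes


if __name__ == "__main__":
    summary = analyse_trace(SAMPLE_TRACE)
    print(summary)
    for note in findings(summary):
        print("-", note)
    print(redact(SAMPLE_TRACE))
```

Run against the posted trace the summary would read: outer method ttls, TLS 1.0, inner PAP, LDAP bind to localhost:389, Access-Accept. The localhost bind means the password never leaves the box once it is out of the TLS tunnel; the interesting hop is the one before that, between the supplicant and whoever terminates the TLS session, which is exactly what the answer below is about.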

1 answer

Arran Cudbard-Bell

EAP-TTLS is only secure if the clients/supplicants are set up to validate the certificate presented by the RADIUS server correctly. Usually the only way to guarantee this is to pre-provision wireless profiles and supplicant settings on any device connecting to the network.

If you want secure authentication, use OpenLDAP's PKI module, generate certificates for every user/device and use EAP-TLS.

See this presentation on current supplicant behaviour.
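Pre-provisioning a profile only helps if the profile actually pins the server. On a Linux client that profile is a network={...} block in wpa_supplicant.conf, and the two settings that matter are ca_cert (which CA may sign the RADIUS server certificate) and a server-name constraint such as domain_suffix_match (which certificate from that CA is acceptable). The script below is an added example, not part of the answer or of any project's code: it parses such a file and reports every EAP profile that would accept a rogue RADIUS server, with the inner-PAP case called out because there the consequence is direct password theft. The sample file is constructed: the first block is the questioner's TTLS/PAP profile with no validation, the second is the same profile hardened, the third is the EAP-TLS profile the answer recommends. SSIDs, identities and file paths are invented; the option names are wpa_supplicant's own.

```python
import re

# Constructed wpa_supplicant.conf with three profiles: TTLS/PAP without server
# validation, the same profile hardened, and an EAP-TLS profile. SSIDs,
# identities and paths are invented; the option names are wpa_supplicant's own.
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant

network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="alice"
    password="hunter2"
}

network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.com"
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}

network={
    ssid="corp-wifi-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
}
"""

BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
TUNNELED = {"TTLS", "PEAP", "FAST"}
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(conf):
    """Return one dict of option -> value (quotes stripped) per network={...} block."""
    nets = []
    for body in BLOCK.findall(conf):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, val = line.partition("=")
            net[key.strip()] = val.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net):
    """Reasons this profile would let a rogue RADIUS server impersonate the real one."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []                      # PSK or open network: no server to validate
    issues = []
    if "ca_cert" not in net:
        issues.append("no ca_cert: every server certificate is accepted")
    if not any(k in net for k in SERVER_NAME_KEYS):
        issues.append("no domain_suffix_match/domain_match/subject_match: "
                      "any certificate from the trusted CA is accepted")
    eap = net.get("eap", "").upper()
    if eap in TUNNELED:
        if issues and "PAP" in net.get("phase2", "").upper():
            issues.append("inner PAP: a server passing the weak checks above "
                          "receives the password in clear text")
        if "anonymous_identity" not in net:
            issues.append("no anonymous_identity: the real username is sent "
                          "outside the TLS tunnel")
    elif eap == "TLS":
        for key in ("client_cert", "private_key"):
            if key not in net:
                issues.append(f"EAP-TLS profile without {key}")
    return issues


def audit_conf(conf):
    """Map each SSID to its findings; an empty list means the profile pins the server."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, issues in audit_conf(SAMPLE_CONF).items():
        print(ssid, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Two caveats when hardening a real profile: domain_suffix_match is checked against the dNSName entries of the server certificate (falling back to the subject CN only when there are none), so the RADIUS server certificate must carry that name; and ca_cert should point at the private CA that issued the RADIUS certificate rather than the system bundle, otherwise any publicly trusted certificate with a matching name passes.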