Hey folks, I've been banging my head against trying to get FreeRADIUS to work with FreeIPA for WiFi Auth. The good news is that I've learned a ton, the bad news is that I'm quite lost still :)
My main goal is a secure way to do user-based (user/pass) auth on a WiFi network. I've been trying to wrap my head around the differences between EAP-TLS and EAP-TTLS and how different inner and outer tunnels interact with FreeIPA.
I've followed literally every guide, mailing list post, and blog that comes up in the top 20 Google results. There are surprisingly few, and all seem to share the same genesis. That makes me wonder: is this stuff easy and obvious to most? Or is it rarely done and not really supported?
First question: I think I understand that the most commonly used option is EAP-TLS and PEAP with MSCHAPv2, and that this requires NTLM hashes (I've done the AD trust steps).
Is there a more secure way? Could I do EAP-TTLS with user certs and keep the passwords encrypted end to end to the LDAP server? Is there a way that doesn't require the NTLM hashes?
Here's what I've done:
1. I've created a radius/host.... service account.
2. I've assigned it a password and can kinit against it.
3. That principal and pass are in /mods-enabled/ldap as:

identity = krbprincipalname=radius/ipa.secure.nsnet.us@SECURE.MYDOMAIN.US,cn=services,cn=accounts,dc=secure,dc=mydomain,dc=us
password = HDdkr%rkd094D!@ekd
(Not my actual pass, but representative of the complexity and characters)
And here's what I get:
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
I've also tried creating a user account, assigning it access rights to the radius server role, and assigning it rights to read the NTLM hashes. That works (it binds and radtest works), but EAP fails.
Anyone have any tips on getting up and running with FreeRADIUS and WiFi?
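Since the step that fails in the debug output above is rlm_ldap's simple bind, here is an added stand-alone check (not from this thread and not FreeRADIUS code) that performs the same LDAPv3 simple bind over LDAPS using only Python's standard library and decodes the server's resultCode, so the identity DN and password can be verified exactly as they appear in mods-enabled/ldap before FreeRADIUS is involved. A resultCode of 49 (invalidCredentials) corresponds to the "Bind credentials incorrect" line; the host, DN, password and CA file passed to check_bind are assumptions you supply.

```python
import socket
import ssl

# LDAP resultCode values a failing bind commonly returns (RFC 4511)
RESULT_NAMES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                53: "unwillingToPerform"}

def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def bind_request(dn, password, msg_id=1):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def parse_bind_response(buf):
    """Return (resultCode, name, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    _, msg, _ = read_tlv(buf)            # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg)            # messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)          # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)        # matchedDN
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return rc, RESULT_NAMES.get(rc, "code %d" % rc), diag.decode(errors="replace")

def check_bind(host, dn, password, port=636, cafile=None):
    """Bind over LDAPS with the exact identity/password strings rlm_ldap would send."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the IPA CA certificate (assumed path)
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(dn, password))
        return parse_bind_response(tls.recv(4096))
```

Call check_bind with the IPA server's hostname and the identity/password copied verbatim from the module config; a non-zero resultCode here means the DN or password is wrong independently of FreeRADIUS, while success narrows the problem to the FreeRADIUS side.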
Hello Nick,
Sorry for the delay, I've been on PTO.
If you can be patient with the replies, my suggestion would be to reach out to the FreeRADIUS-users mailing list, or try searching the archives:
http://lists.freeradius.org/mailman/listinfo/freeradius-users
http://lists.freeradius.org/pipermail/freeradius-users/
Two thoughts for you though: what's in Fedora is FreeRADIUS 3.0.17 with minimal patching. I'd suggest trying to build the latest v3.0.x branch code, or better, latest master (v4.0.x). Several TLSv1.3 / EAP-[T]TLS fixes have been pushed since 3.0.17 was released (which was before TLSv1.3 was released). Since 3.0.18 hasn't been released, as Fedora maintainer, I can't package it. Some fixed bugs which might help you are:
https://github.com/FreeRADIUS/freeradius-server/commit/fd803c9d3559261b3c8bd...
https://github.com/FreeRADIUS/freeradius-server/pull/2390
https://github.com/FreeRADIUS/freeradius-server/pull/2449
https://github.com/FreeRADIUS/freeradius-server/issues/2385
Back to Kerberos though, I do recall this ML thread. I'm not sure if it is helpful in your case though:
http://lists.freeradius.org/pipermail/freeradius-users/2018-December/093963....
Thanks,
Alex
freeipa-users@lists.fedorahosted.org