Radius with LDAP only without EAP


    Hello,

    I have a pfSense 2.3.2 machine with the RADIUS package. Login and group membership work, but only without EAP. I have to set the option:
    LDAP Authentication Support: Enable LDAP For Authentication: on
    Description: "check plain-text password against the LDAP database"

    Without EAP, many WLAN devices cause problems. The LDAP server is "paedML based on UCS@school". When I browse the LDAP with an LDAP browser, I don't see password hashes in the LDAP tree. Maybe this is the fault?

    My test results:

    Login with plaintext password works:

    
    Command:
    	radtest LdapTestUser test12345 10.0.0.2 1812 RadiusSecret
    Output:
    Sending Access-Request of id 227 to 10.0.0.2 port 1812
            User-Name = "LdapTestUser"
            User-Password = "test12345"
            NAS-IP-Address = 10.0.0.2
            NAS-Port = 1812
            Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 10.0.0.2 port 1812, id=227, length=20
    
    Command:
    	tail -n 1 /var/log/radius.log
    Output:
    	Thu Jan 26 08:55:52 2017 : Auth: Login OK: [LdapTestUser/test12345] (from client localhost port 1812)
    
    

    EAP login with plaintext password fails:

    
    Command:
    	radtest -t eap-md5 LdapTestUser test12345 10.0.0.2 1812 RadiusSecret
    Output:
      Sending Access-Request packet to host 10.0.0.2 port 1812, id=5, length=0
            User-Name = "LdapTestUser"
            User-Password = "test12345"
            NAS-IP-Address = 10.0.0.2
            NAS-Port = 1812
            Message-Authenticator = 0x00
            EAP-Code = Response
            EAP-Type-Identity = 0x70657465722e6d65796572
            EAP-Message = 0x020400100170657465722e6d65796572
      Received Access-Challenge packet from host 10.0.0.2 port 1812, id=5, length=80
            EAP-Message = 0x010500160410d0ddf264a93eb1f59fb26602a67bfc76
            Message-Authenticator = 0xd0620682737ba789ea94a10675900ebc
            State = 0xc88ef904c88bfd9a410dd006961d5165
            EAP-Id = 5
            EAP-Code = Request
            EAP-Type-MD5-Challenge = 0x10d0ddf264a93eb1f59fb26602a67bfc76
      Sending Access-Request packet to host 10.0.0.2 port 1812, id=6, length=99
            User-Name = "LdapTestUser"
            User-Password = "test12345"
            NAS-IP-Address = 10.0.0.2
            NAS-Port = 1812
            Message-Authenticator = 0x00000000000000000000000000000000
            EAP-Code = Response
            EAP-Type-MD5-Challenge = 0x10b7622aa9c3063a14109fe31c485e9086
            EAP-Id = 5
            State = 0xc88ef904c88bfd9a410dd006961d5165
            EAP-Message = 0x020500160410b7622aa9c3063a14109fe31c485e9086
      Received Access-Reject packet from host 10.0.0.2 port 1812, id=6, length=44
            EAP-Message = 0x04050004
            Message-Authenticator = 0x1a336028fa1abe78c868e2b1318f5a08
            EAP-Id = 5
            EAP-Code = Failure
    
    

    Login without plaintext password fails:

    
    Command:
    	radtest LdapTestUser test12345 10.0.0.2 1812 RadiusSecret
    Output:
    
    Sending Access-Request of id 210 to 10.0.0.2 port 1812
            User-Name = "LdapTestUser"
            User-Password = "test12345"
            NAS-IP-Address = 10.0.0.2
            NAS-Port = 1812
            Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Reject packet from host 10.0.0.2 port 1812, id=210, length=20
    
    Command:
    	tail -n 1 /var/log/radius.log
    Output:
    Thu Jan 26 08:58:15 2017 : Auth: Login incorrect: [LdapTestUser/test12345] (from client localhost port 1812)
    
    

    EAP login without plaintext password fails:

    
    Command:
    	radtest -t eap-md5 LdapTestUser test12345 10.0.0.2 1812 RadiusSecret
    Output:
      Sending Access-Request packet to host 10.0.0.2 port 1812, id=41, length=0
            User-Name = "LdapTestUser"
            User-Password = "test12345"
            NAS-IP-Address = 10.0.0.2
            NAS-Port = 1812
            Message-Authenticator = 0x00
            EAP-Code = Response
            EAP-Type-Identity = 0x70657465722e6d65796572
            EAP-Message = 0x022800100170657465722e6d65796572
      Received Access-Challenge packet from host 10.0.0.2 port 1812, id=41, length=80
            EAP-Message = 0x01290016041092e69b70515b4c41fd4f5f79deca9900
            Message-Authenticator = 0x47a65388c92c7225c73a07b842f97838
            State = 0xba499b57ba609fa1dee1ebdccb69e99b
            EAP-Id = 41
            EAP-Code = Request
            EAP-Type-MD5-Challenge = 0x1092e69b70515b4c41fd4f5f79deca9900
      Sending Access-Request packet to host 10.0.0.2 port 1812, id=42, length=99
            User-Name = "LdapTestUser"
            User-Password = "test12345"
            NAS-IP-Address = 10.0.0.2
            NAS-Port = 1812
            Message-Authenticator = 0x00000000000000000000000000000000
            EAP-Code = Response
            EAP-Type-MD5-Challenge = 0x101f3425edf2ded1c8af487ed2bc4fd05a
            EAP-Id = 41
            State = 0xba499b57ba609fa1dee1ebdccb69e99b
            EAP-Message = 0x0229001604101f3425edf2ded1c8af487ed2bc4fd05a
      Received Access-Reject packet from host 10.0.0.2 port 1812, id=42, length=44
            EAP-Message = 0x04290004
            Message-Authenticator = 0xbd863e4fb16e2495681ca562d65fff14
            EAP-Id = 41
            EAP-Code = Failure
    
    

    How can I get authentication with EAP running?

    Thank you.

    Samuel Schmidt
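The post's captures show the shape of the problem: with the "check plain-text password against the LDAP database" option the server only ever does a simple bind with whatever password arrives, which works for PAP (User-Password is the cleartext) but cannot work for EAP-MD5, where the client sends MD5(Identifier || password || Challenge) and the server has to recompute that value from a password it can read. The following is an added example written for this page, not code from the post, pfSense or FreeRADIUS. It parses the EAP-Message attributes copied from the radtest output above, implements the EAP-MD5 computation from RFC 1994, and contrasts a backend that exposes the cleartext with a bind-only backend; the user database and the BindOnlyDirectory/CleartextDirectory classes are constructed for the demonstration.

```python
"""Why a bind-only LDAP backend can answer PAP but not EAP-MD5.

Added example (not code from the post, pfSense or FreeRADIUS). A RADIUS
server can check a password in two ways:
  * simple bind: forward user+password to LDAP and get yes/no, which is
    what "check plain-text password against the LDAP database" does; or
  * local recomputation: for EAP-MD5 (CHAP, RFC 1994) the server must
    compute MD5(Identifier || password || Challenge) itself.
The EAP-Message hex strings are copied from the radtest output in the post;
the user database below is constructed test data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: int = 0      # 0 for Success/Failure, which carry no Type byte
    value: bytes = b""     # Identity string, or the MD5 challenge/response value


def parse_eap_message(hex_str: str) -> EapPacket:
    """Decode one EAP-Message attribute as radtest prints it (0x-prefixed hex)."""
    raw = bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)
    code, identifier, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes present")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, identifier)
    eap_type = raw[4]
    if eap_type == EAP_TYPE_IDENTITY:
        return EapPacket(code, identifier, eap_type, raw[5:])
    if eap_type == EAP_TYPE_MD5_CHALLENGE:
        value_size = raw[5]                  # Value-Size byte precedes the value
        return EapPacket(code, identifier, eap_type, raw[6:6 + value_size])
    raise ValueError(f"unsupported EAP type {eap_type}")


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class CleartextDirectory:
    """Constructed backend from which the server can read the password itself."""
    def __init__(self, users):               # {user: cleartext password bytes}
        self._users = dict(users)

    def cleartext(self, user):
        return self._users.get(user)

    def bind(self, user, password):
        return hmac.compare_digest(self._users.get(user, b"\0"), password)


class BindOnlyDirectory:
    """Constructed backend that keeps only a salted hash and answers bind
    yes/no, like an LDAP tree where no password hashes are readable."""
    def __init__(self, users):
        self._users = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self._users[user] = (salt, hashlib.sha256(salt + pw).digest())

    def cleartext(self, user):
        return None                           # never available to the server

    def bind(self, user, password):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return hmac.compare_digest(hashlib.sha256(salt + password).digest(), digest)


def verify_pap(directory, user, password):
    """PAP: the cleartext arrives in User-Password, so a bind is enough."""
    return directory.bind(user, password)


def verify_eap_md5(directory, user, identifier, challenge, response):
    """EAP-MD5: True/False when the server holds the cleartext, None when it
    only has a bind oracle and therefore cannot recompute the response."""
    secret = directory.cleartext(user)
    if secret is None:
        return None
    return hmac.compare_digest(eap_md5_response(identifier, secret, challenge), response)


# Access-Challenge from the server and the client's reply, copied from the post.
CAPTURED_CHALLENGE = "0x010500160410d0ddf264a93eb1f59fb26602a67bfc76"
CAPTURED_RESPONSE = "0x020500160410b7622aa9c3063a14109fe31c485e9086"


def captured_exchange_matches(password=b"test12345"):
    """Recompute the client's response value from the captured challenge."""
    req, resp = parse_eap_message(CAPTURED_CHALLENGE), parse_eap_message(CAPTURED_RESPONSE)
    return eap_md5_response(resp.identifier, password, req.value) == resp.value


if __name__ == "__main__":
    users = {"LdapTestUser": b"test12345"}
    for backend in (CleartextDirectory(users), BindOnlyDirectory(users)):
        chal = os.urandom(16)
        resp = eap_md5_response(5, b"test12345", chal)
        print(type(backend).__name__,
              "PAP:", verify_pap(backend, "LdapTestUser", b"test12345"),
              "EAP-MD5:", verify_eap_md5(backend, "LdapTestUser", 5, chal, resp))
    print("captured exchange recomputes:", captured_exchange_matches())
```

Two things worth checking against the server logs follow from the captured bytes. First, the EAP Identity response in the post (0x020400100170657465722e6d65796572) decodes to the name "peter.meyer", which is not the User-Name "LdapTestUser" in the same request; the EAP modules act on the EAP identity, so the debug output should show which of the two was looked up. Second, EAP-MD5 and MSCHAPv2 both require the server to hold the cleartext (or, for MSCHAPv2, the NT hash); a directory that only answers bind requests can still be used with EAP when the client sends the cleartext inside a TLS tunnel, which is what EAP-TTLS with an inner PAP method provides.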