Setting up RADIUS + LDAP for WPA2 on Ubuntu
- by Morten Siebuhr
I'm setting up a wireless network for ~150 users. In short, I'm looking for a guide to setting up a RADIUS server to authenticate WPA2 against an LDAP directory. On Ubuntu.
I got a working LDAP, but as it is not in production use, it can very easily be adapted to whatever changes this project may require.
I've been looking at FreeRADIUS, but any RADIUS server will do.
We got a separate physical network just for WiFi, so not too many worries about security on that front.
Our APs are HP's low-end enterprise stuff - they seem to support whatever you can think of.
All Ubuntu Server, baby!
And the bad news:
I know somebody less knowledgeable than me will eventually take over administration, so the setup has to be as "trivial" as possible.
So far, our setup is based only on software from the Ubuntu repositories, with exception of our LDAP administration web application and a few small special scripts. So no "fetch package X, untar, ./configure"-things if avoidable.
UPDATE 2009-08-18:
While I found several useful resources, there is one serious obstacle:
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
Basically the Ubuntu version of FreeRADIUS does not support SSL (bug 183840), which makes all the secure EAP-types useless. Bummer.
But some useful documentation for anybody interested:
http://vuksan.com/linux/dot1x/802-1x-LDAP.html
http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius
UPDATE 2009-08-19:
I ended up compiling my own FreeRADIUS package yesterday evening - there's a really good recipe at http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html (See the comments to the post for updated instructions).
I got a certificate from http://CACert.org (you should probably get a "real" cert if possible)
Then I followed the instructions at http://vuksan.com/linux/dot1x/802-1x-LDAP.html. This links to http://tldp.org/HOWTO/html_single/8021X-HOWTO/, which is a very worthwhile read if you want to know how WiFi security works.
UPDATE 2009-08-27:
After following the above guide, I've managed to get FreeRADIUS to talk to LDAP:
I've created a test user in LDAP with the password mr2Yx36M - this gives an LDAP entry roughly like:
uid: testuser
sambaLMPassword: CF3D6F8A92967E0FE72C57EF50F76A05
sambaNTPassword: DA44187ECA97B7C14A22F29F52BEBD90
userPassword: {SSHA}Z0SwaKO5tuGxgxtceRDjiDGFy6bRL6ja
When using radtest, I can connect fine:
> radtest testuser "mr2Yx36N" sbhr.dk 0 radius-private-password
Sending Access-Request of id 215 to 130.225.235.6 port 1812
User-Name = "msiebuhr"
User-Password = "mr2Yx36N"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 130.225.235.6 port 1812, id=215, length=20
>
But when I try through the AP, it doesn't fly - while it does confirm that it figures out the NT and LM passwords:
...
rlm_ldap: sambaNTPassword -> NT-Password == 0x4441343431383745434139374237433134413232463239463532424542443930
rlm_ldap: sambaLMPassword -> LM-Password == 0x4346334436463841393239363745304645373243353745463530463736413035
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
...
It is clear that the NT and LM passwords differ from the above, yet the message "[ldap] user testuser authorized to use remote access" appears - and the user is later rejected...