I'll try to answer the LDAP question here.
Here's the short answer: make sure the ldap
module is removed from the authenticate
section, and make sure the mschap
module is present in both the authorize
and the authenticate
section. And just ignore the 'No "known good" password'.
And now here's the (very) long answer.
How does the ldap module work?
When you activate the ldap
module in the authorize
section, this is what it does when a RADIUS packet is received by FreeRADIUS:
- it tries to bind to the LDAP server (as a guest user, or using the given identity if one is configured in
ldap.conf
)
- it searches for the user's DN entry using the filter under the base DN (configured in
ldap.conf
).
- it fetches all the LDAP attributes it can get among those configured in
ldap.attrmap
, and converts them into RADIUS Attributes.
- it adds those attributes to the RADIUS packet's check items list.
When you activate the ldap
module in the authenticate
section, this is what FreeRADIUS does:
- it tries to bind to the LDAP server as the user.
- if it can bind, then it's a successful authentication, and a
Radius-Accept
packet will be sent back to the client, or else, it's a failure, leading to a Radius-Reject
packet.
So how can I configure FreeRADIUS to make PEAP/MS-CHAP-v2 work with LDAP?
The important point here is that binding as the user will only work if the FreeRADIUS server can retrieve the cleartext password of the user from the RADIUS packet it received. This is only the case when PAP or TTLS/PAP authentication methods are used (and possibly also EAP/GTC). Only the TTLS/PAP method is really secure, and it is not available by default in Windows. If you want your users to connect with TTLS/PAP, you need to have them install a TTLS supplicant software, which is seldom an option. Most of the time, when deploying WiFi with WPA Enterprise securiy, PEAP/MS-CHAP-v2 is the only reasonable option.
So the bottom line is: unless you are using PAP or TTLS/PAP, you can safely remove the ldap
module from the authenticate
section, and actually, you should: binding as the user will not work.
If your test works when you use radtest
, it probably means that the ldap
module is activated in the authenticate
section: it will try to bind as the user, and since radtest uses PAP authentication, it will succeed. But it will fail if you try to connect through the access point, since you are using PEAP/MS-CHAP-v2.
What you should do is remove the ldap
module from the authenticate
section, and make sure you activate the mschap
module in both the authorize
and the authenticate
section. What will happen is that the mschap
module will take care of authentication using the NT-Password
attribute which is retrieved from the LDAP server during the authorize
phase.
Here is what your sites-enabled/default
file should look like (without all the comments):
...
authorize {
preprocess
suffix
eap {
ok = return
}
expiration
logintime
}
authenticate {
eap
}
...
And here is what your sites-enabled/inner-tunnel
file should look like:
...
authorize {
mschap
suffix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
ldap
expiration
logintime
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
...
What about the 'No "known good" password' warning?
Well, you can safely ignore it. It's just there because the ldap
module could not find a UserPassword
attribute when it fetched the user details from the LDAP server during the authorize
phase. In your case, you have the NT-Password
attribute, and that's perfectly fine for PEAP/MS-CHAP-v2
authentication.
I guess the warning exists because when the ldap
module was designed, PEAP/MS-CHAP-v2
did not exist yet, so the only thing that seemed to make sense at the time was to retrieve the UserPassword attribute from the LDAP server, in order to use PAP, CHAP, EAP/MD5 or such authentication methods.
Best Answer
What you're talking about is something we do in several Customer sites (including a school District who appears to be doing exactly what you want).
This isn't a click-for-click guide, but if you don't mind playing around with the tools a bit I think you'll find they're fairly self-explanatory.
The IAS server will need a certificate installed as a pre-requisite to performing EAP. If you don't mind using a self-signed certificate (which we're doing everywhere w/ no major issues) you can install Microsoft's Certificate Authority and the IAS machine will request a certificate automatically (assuming the machine hosting IAS is joined to a domain in the forest with the Certificate Authority). Reading about the best practices suggested by Microsoft re: the Certificate Authority is a good idea (particularly the parts about what can't change after you create your CA), but if all you're using your CA for is EAP you could probably get away with decommissioning it and starting fresh if you ever needed to.
Once you've got a certificate installed in the IAS machine, you need to configure your RADIUS server to accept requests from your wireless access points (RADIUS clients). The Microsoft RADIUS server (at least in W2K3) isn't very good about handling DNS lookup failures effectively, so, much as I hate to say it, I'd recommend using the IP addresses of the APs when creating the RADIUS client entries on the IAS server. The "shared secret" is the value that the RADIUS client (the AP) uses to authenticate to the RADIUS server (IAS). Be sure that you enter it identically on both the AP and the IAS server.
You'll need to create a remote access policy on the IAS machine after you've defined your APs as RADIUS clients. The built-in wizard can do a good job of creating a policy for you. Basically, you want a policy that matches "Wireless - IEEE 802.11 OR Wireless - Other" and, if so desired, a specific Windows group containing users who will be granted access (like, say "Domain Computers" or "Domain Users"). The wizard can guide you thorough this process.
Once you've gotten the policy created you can attempt to connect from a client manually. I'm only discussing configuring the Windows built-in Wireless Zero Configuration (ha!) service here. If your WLAN NIC has a third-party configuration manager and you can get away with removing it I would. Using the built-in Windows service makes the odds of getting the NIC to come up and authenticate properly during boot (assuming you allow "Domain Computers" access in your RADIUS policy) much greater. (I can tell you that I have a large number of wireless clients at my school district site that never plug into wired Ethernet but are able to process group policy, etc, with no problems.)
The procedure varies a bit between Windows XP and Windows Vista / 7, but basically we're talking about going to the list of wireless networks, adding the SSID of the new WPA-RADIUS protected network (remove the old one if you're re-using your existing SSID), and making sure some properties are set properly. The "Network Authentication" should be set to whatever combination of WPA/WPA2 and AES/TKIP you configured on your AP. (Personally, I'd use WPA2-AES if you can, but WPA-TKIP is the lowest common denominator and is supported by older clients.)
In the authentication properties for the new SSID, be sure that "Protected EAP (PEAP)" is selected as the EAP type. If the client isn't a member of your domain, go to the the "Properties" dialog for PEAP, uncheck "Validate server certificate", go to the "Configured" dialog for "Select authentication method" and uncheck the "Automatically use my Windows logon name and password (and domain if any)", and uncheck the "Authenticate as computer when computer information is available" under the "Authentication" properties of the new SSID. This will force Windows to prompt you for credentials on a non-domain-member computer.
Once you get a client "talking" I'd recommend deploying the SSID's settings using group policy so that you don't have to "touch" any clients. I love this functionality and have used it in many sites to great success. As long as the new domain-member client computer is allowed to apply group policy once on a wired network it will "just work" once it's put in range of the wireless network. Nirvana!
For non-Windows devices (iPods, Linux netbooks, Android phones, etc) you'll have to work thru the configuration of the connection yourself. It's not too bad, though. We've got a variety of devices authenticating to WLANs configured in this manner just fine.
Edit:
On non-domain-member computers you'll want to untick the items I describe in my above to prevent the client from validating the server certificate and trying to authenticate automatically. The user will have to manually supply their credentials.
In terms of automatically deploying the configuration profile to non-domain-member clients you can use the "netsh wlan" command on Windows Vista and Windows 7.
On Windows XP, deploying WLAN configuration without Group Policy is really similar to Vista, but requires installing software.