AFP548

OD -> RADIUS -> WiFi

Hi all,

I'm setting up a wireless network where users use login details provided by Open Directory + a certificate. The goal is that users of the WiFi network must provide a certificate and a username with password. If the user is disabled in OD (via WGM, the "access account" tick box), the user must not access the network.

My setup: OS X 10.4.8 Server, Open Directory, FreeRADIUS, ZyWall 35 with WiFi AP using WPA Enterprise. Clients: 99.9% Mac OS X 10.4.8.

I got it all set up, FreeRADIUS 1.1.3 running, certificates, but I can't get FreeRADIUS to check the user password from OD. Using radtest, I have no problems:

-------
Sending Access-Request of id 123 to 127.0.0.1 port 1812
        User-Name = "12345"
        User-Password = "12345"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=123, length=20
-------

However, when a client from WiFi logs in, username and certificate are the only criteria which are checked to grant access. If you can help, please read the debug dump below. It seems that RADIUS has managed to decrypt the password and adds it to the check list:

rlm_ldap: Added password ******** in check items

... but then the access is granted anyway ... it doesn't matter what you write in the password :-(

To achieve my goals, am I using the correct method (EAP-TLS)? When using an unencrypted connection, I can clearly see the password attribute, but that defeats the whole purpose of WPA ...

I hope you guys don't mind that I dumped bits of my log & conf into this forum, I'm getting very frustrated ... I have already added userPassword as User-Password ...

RADIUS reply to connection using certificate:

-------
rad_recv: Access-Request packet from host 192.168.1.1:1131, id=16, length=144
        User-Name = "12345"
        NAS-IP-Address = 192.168.1.1
        NAS-Identifier = "zywall"
        Framed-MTU = 1496
        Called-Station-Id = "00-11-22-33-44-55-66-77:Test Test"
        Calling-Station-Id = "00-11-22-33-44-55"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020b00060d00
        State = 0xa5e4df76eacd676aa056b162e018e148
        Message-Authenticator = 0x55082c87332500d61cb52cd8ca640361
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
rlm_eap: EAP packet type response id 11 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 12345
radius_xlat: '(uid=12345)'
radius_xlat: 'dc=st,dc=ln'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=st,dc=ln, with filter (uid=12345)
rlm_ldap: checking if remote access for 12345 is allowed by uid
rlm_ldap: Added password ******** in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value ******** & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 12345 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 9
modcall: leaving group authenticate (returns ok) for request 9
Sending Access-Accept of id 16 to 192.168.1.1 port 1131
        MS-MPPE-Recv-Key = 0x1e908975f56513420942c8e6680139f19ebf58ee76c2c13a2315873f5ca1c6cf
        MS-MPPE-Send-Key = 0xedddaafac5513c090db385d154acfe8d19c5b7e542b264e1c6974850faddb2a6
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "12345"
Finished request 9
---------

From radiusd.conf:

---------
ldap {
        server = "192.168.1.2"
        basedn = "dc=st,dc=ln"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        access_attr = "uid"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        password_attribute = userPassword
}

authorize {
        eap
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}
------

I have also added "checkItem User-Password userPassword" to ldap.attrmap.

Please please help, many thanks in advance!!!!

Stepan
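A small trace analyser, added here as an example and not part of the original post, that reads a FreeRADIUS 1.x debug dump like the one above and reports which credential the server actually compared before answering. The sample trace is constructed after the post's EAP-TLS exchange (values shortened); it shows that rlm_ldap adding a User-Password check item does not by itself mean a password was compared when the request is dispatched to Auth-Type EAP.

```python
"""Inspect a FreeRADIUS 1.x debug trace (radiusd -X) and report which credential
the server actually compared. Added example, not from the original post; the
trace is constructed after the post's EAP-TLS exchange (values shortened)."""
import re

SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.168.1.1:1131, id=16, length=144
\tUser-Name = "12345"
\tNAS-Port-Type = Wireless-802.11
\tEAP-Message = 0x020b00060d00
rlm_ldap: Adding userPassword as User-Password, value ******** & op=21
rad_check_password: Found Auth-Type EAP
rlm_eap: EAP/tls
Sending Access-Accept of id 16 to 192.168.1.1 port 1131
"""

# One-line markers: result key -> regex whose group(1) is the value to record.
MARKERS = {
    "auth_type": re.compile(r"rad_check_password: Found Auth-Type (\S+)"),
    "eap_type": re.compile(r"rlm_eap: EAP/(\w+)"),
    "outcome": re.compile(r"Sending (Access-(?:Accept|Reject|Challenge))"),
}

def analyse(trace):
    """Summarise one request: attributes the NAS sent, the Auth-Type dispatched,
    EAP method, whether rlm_ldap added a password check item, and the outcome."""
    r = {"request_attrs": set(), "auth_type": None, "eap_type": None,
         "outcome": None, "ldap_check_item": False}
    in_request = False
    for line in trace.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            in_request = True      # the indented lines that follow are the request
            continue
        attr = re.match(r"\s+([\w-]+) = ", line)
        if in_request and attr:
            r["request_attrs"].add(attr.group(1))
            continue
        in_request = False
        if line.startswith("rlm_ldap: Adding") and " as User-Password" in line:
            r["ldap_check_item"] = True
        for key, pattern in MARKERS.items():
            m = pattern.match(line)
            if m:
                r[key] = m.group(1)
    # A check item is only compared against a password the NAS actually sent. Under
    # Auth-Type EAP the request goes to rlm_eap, and EAP/tls carries a client
    # certificate rather than a User-Password, so no password is compared.
    r["password_compared"] = ("User-Password" in r["request_attrs"]
                              and r["auth_type"] != "EAP")
    return r
```

Feeding it the radtest exchange instead (a request carrying User-Password, dispatched to PAP) reports `password_compared` as true, which is the contrast worth checking before trusting an Access-Accept.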