FreeRADIUS/pam_radius

EAP-TLS support

mlnx-omrigi opened this issue · 5 comments

Hi,
Do you plan to add EAP-TLS or PEAP support to this module?
If not, do you know any tool that can be used as a RADIUS EAP-TLS client?

Thanks,
Omri.

No and no. Your best bet would probably be writing a wrapper script around eapol_test (part of hostapd/wpa_supplicant) and then calling that from a PAM module.

Just a hint for others who will find this issue when trying to use PAM&Radius with some EAP protocol (EAP-TTLS in our case). In the end we resolved it per @arr2036's suggestion and created the following PAM wrapper around wpa_supplicant's eapol_test (the wrapper can surely be improved, but take it just as an example):

#!/bin/bash

# Fail on any error
set -e

# pam_exec with expose_authtok passes the password on stdin
read -r PASS

# PAM_USER is exposed by pam_exec as an env variable
USER="$PAM_USER"

# Generate the eapol_test config file (mktemp creates it mode 0600)
CONF=$(mktemp /tmp/eapol.XXXXXX)

function cleanup() {
  rm -f "$CONF"
}
trap cleanup EXIT

cat > "$CONF" <<EOF
network={
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="$USER"
        password="$PASS"
        ca_cert="PATH_TO_CA_CERT"
        phase2="auth=PAP"
}
EOF

# Resolve the RADIUS server once and take a single address in case dig returns several
RADIUS_IP=$(dig +short RADIUS_SERVER_HOSTNAME | head -n 1)

# eapol_test exits non-zero on authentication failure, which (with set -e) fails the PAM call
/sbin/eapol_test -c "$CONF" -a "$RADIUS_IP" -s RADIUS_SECRET

with the following line in the PAM config:

...
auth sufficient pam_exec.so expose_authtok /usr/local/bin/eapol_test_pamwrap.sh
...
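The wrapper above interpolates the PAM user name and password straight into a quoted wpa_supplicant config string, so a credential containing a double quote, a newline or a closing brace would corrupt the generated file (and fail closed, but unhelpfully). The following is an added example, not vonsch's script or part of pam_radius: it builds the same network block but writes identity and password as unquoted hex strings, which wpa_supplicant accepts for these fields (an assumption about the config parser, stated here), so no input can break out of the block. The CA path and the eapol_test location are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the issue thread): build an eapol_test network block
# with identity and password hex-encoded so that arbitrary bytes in either
# value cannot alter the structure of the generated config.

hexstr() {
  # Encode the argument as a lowercase hex string with no spaces or newlines.
  # Assumption: wpa_supplicant treats an unquoted value as a hex string.
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

build_eapol_conf() {
  # $1 = identity, $2 = password, $3 = CA certificate path (trusted, from config)
  user_hex=$(hexstr "$1")
  pass_hex=$(hexstr "$2")
  printf 'network={\n'
  printf '\tkey_mgmt=WPA-EAP\n'
  printf '\teap=TTLS\n'
  printf '\tidentity=%s\n' "$user_hex"
  printf '\tpassword=%s\n' "$pass_hex"
  printf '\tca_cert="%s"\n' "$3"
  printf '\tphase2="auth=PAP"\n'
  printf '}\n'
}

authenticate() {
  # $1 = identity, $2 = password, $3 = RADIUS server address, $4 = shared secret
  # Returns the exit status of eapol_test (non-zero on authentication failure).
  # EAPOL_TEST and CA_CERT are hypothetical placeholders for the real paths.
  conf=$(mktemp /tmp/eapol.XXXXXX) || return 1      # mktemp creates the file mode 0600
  build_eapol_conf "$1" "$2" "${CA_CERT:-/etc/ssl/certs/CA_CERT_PATH.pem}" > "$conf"
  "${EAPOL_TEST:-/sbin/eapol_test}" -c "$conf" -a "$3" -s "$4"
  status=$?
  rm -f "$conf"
  return "$status"
}

# Usage from a pam_exec wrapper (password arrives on stdin with expose_authtok):
#   IFS= read -r pass
#   authenticate "$PAM_USER" "$pass" "$(dig +short RADIUS_SERVER_HOSTNAME | head -n 1)" "RADIUS_SECRET"
```

Because the values are hex, the generated file contains no quote characters derived from user input, and the password never has to be shell-escaped; the only remaining concern is the lifetime of the temp file, which `authenticate` removes as soon as eapol_test returns.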

@vonsch thanks for the great script. Just for a layman: can we just create this script and call it as above, or do we need to manually compile or add some TLS functionality in this pam_radius module? Please guide.

Thanks

vonsch commented

@muzammel111 in our environment, we didn't have to compile anything; it's a simple bash script. The only requirement is that wpa_supplicant (which provides the /sbin/eapol_test binary) supports the needed protocols. With the script, pam_radius isn't needed at all and thus no modifications/compilation are needed ;)

Thank you @vonsch :)