EAP-TLS support
mlnx-omrigi opened this issue · 5 comments
Hi,
Do you plan to add EAP-TLS or PEAP support to this module?
If not, do you know of any tool that can be used as a RADIUS EAP-TLS client?
Thanks,
Omri.
No and no. Your best bet would probably be writing a wrapper script around eapol_test (part of hostapd/wpa_supplicant) and then calling that from a PAM module.
Just a hint for others who find this issue when trying to use PAM & RADIUS with some EAP protocol (EAP-TTLS in our case). In the end we resolved it per @arr2036's suggestion and created the following PAM wrapper around wpa_supplicant's eapol_test
(the wrapper can surely be improved, but take it just as an example):
```bash
#!/bin/bash
# Invoked by pam_exec with expose_authtok: the password arrives on stdin
# (pam_exec appends a NUL terminator, which bash drops) and the user name
# is exposed in the PAM_USER environment variable.
read -r PASS
USER="$PAM_USER"
# Fail on any error from here on; a non-zero exit from eapol_test
# is reported to pam_exec as an authentication failure.
set -e
# Generate the eapol_test config file. mktemp creates it mode 0600,
# which matters because the file holds the cleartext password.
CONF=$(mktemp /tmp/eapol.XXXXXX)
cleanup() {
    rm -f "$CONF"
}
trap cleanup EXIT
# Replace PATH_TO_CA_CERT, RADIUS_SERVER_HOSTNAME and RADIUS_SECRET
# with the values for your environment.
cat > "$CONF" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="$USER"
    password="$PASS"
    ca_cert="PATH_TO_CA_CERT"
    phase2="auth=PAP"
}
EOF
# Resolve the RADIUS server. Keep only the first record so a multi-line
# answer from dig cannot be split into several arguments.
RADIUS_IP=$(dig +short RADIUS_SERVER_HOSTNAME | head -n1)
/sbin/eapol_test -c "$CONF" -a "$RADIUS_IP" -s RADIUS_SECRET
```
with the following line in the PAM config:
...
auth sufficient pam_exec.so expose_authtok /usr/local/bin/eapol_test_pamwrap.sh
...
@vonsch thanks for the great script. Just for a layman: can we simply create this script and call it as above, or do we need to manually compile or add some TLS functionality to this pam_radius module? Please guide.
Thanks
@muzammel111 in our environment we didn't have to compile anything; it's a simple bash script. The only requirement is that wpa_supplicant (which provides the /sbin/eapol_test binary) supports the needed protocols. With the script, pam_radius isn't needed at all, and thus no modifications or compilation are needed ;)
Thank you @vonsch :)