RADIUS & PEAP

Josh Howlett Josh.Howlett at ja.net
Tue Jul 3 23:00:29 CEST 2007


What you're attempting to do is impossible because MS-CHAP is a mutual
authentication protocol. If the RADIUS server does not demonstrate
knowledge of the password to the supplicant, a well-behaved
supplicant *should* refuse the connection.

(I also wouldn't be surprised if the RADIUS server barfs because it
can't get a valid user-password in order to construct the authentication
response but I can't comment authoritatively on this).

Finally, you can't authenticate MS-CHAP against /etc/passwd or
/etc/shadow; MS-CHAP requires access to the cleartext password or its
NTLM hash.

josh.

> -----Original Message-----
> From: freeradius-users-bounces+josh.howlett=ja.net at lists.freeradius.org
> [mailto:freeradius-users-bounces+josh.howlett=ja.net at lists.freeradius.org] On Behalf Of Adrienne Rau
> Sent: 03 July 2007 19:30
> To: freeradius-users at lists.freeradius.org
> Subject: RADIUS & PEAP
> 
> I am configuring a wireless network with EAP Authentication.  
> I can connect successfully with the following line in my users file.
> 
> testuser User-Password == "testing"
> 
> I would like to be able to authenticate with ANY password.  I 
> tried using the "!=" operand, but that causes an MS-CHAP 
> incorrect response error.  Is there any way to make EAP 
> authenticate with any password?  If not, how can I have it 
> authenticate against the /etc/passwd and /etc/shadow files?
> 
> Thank you for your help,
> Adrienne Rau
> 
> 
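
The reasoning in the reply above, as an added example that is not part of the original thread: a simplified Python model of a mutual challenge-response exchange. HMAC-SHA256, SHA-256 and PBKDF2 are stand-ins for the real MS-CHAP and crypt computations, and all function names are hypothetical. It shows that a server which skips the password check, or holds only a salted one-way hash, cannot produce a proof the supplicant accepts.

```python
import hashlib, hmac, os

# Simplified model only: HMAC-SHA256 stands in for the MS-CHAP computations.

def password_key(password: str) -> bytes:
    """Unsalted password-equivalent key (stand-in for the NTLM hash)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def shadow_hash(password: str, salt: bytes) -> bytes:
    """Salted one-way hash (stand-in for an /etc/shadow entry)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

def peer_response(key: bytes, s_chal: bytes, p_chal: bytes) -> bytes:
    """What the supplicant sends to prove it knows the password."""
    return hmac.new(key, b"peer" + s_chal + p_chal, hashlib.sha256).digest()

def server_proof(key: bytes, s_chal: bytes, p_chal: bytes, resp: bytes) -> bytes:
    """What the server sends back to prove that it knows the password too."""
    return hmac.new(key, b"server" + s_chal + p_chal + resp, hashlib.sha256).digest()

def exchange(typed_password: str, server_key: bytes, check_peer: bool = True) -> str:
    """Run one exchange; server_key is whatever the server has on file."""
    s_chal, p_chal = os.urandom(16), os.urandom(16)
    client_key = password_key(typed_password)
    resp = peer_response(client_key, s_chal, p_chal)

    # Server side: verify the peer (check_peer=False models "accept anything").
    expected_resp = peer_response(server_key, s_chal, p_chal)
    if check_peer and not hmac.compare_digest(resp, expected_resp):
        return "server rejects peer"

    # Supplicant side: verify the server's proof before joining the network.
    proof = server_proof(server_key, s_chal, p_chal, resp)
    expected_proof = server_proof(client_key, s_chal, p_chal, resp)
    if not hmac.compare_digest(proof, expected_proof):
        return "supplicant rejects server"
    return "success"

if __name__ == "__main__":
    salt = b"constructed-salt"                   # constructed sample value
    stored = password_key("testing")             # server knows the password
    print(exchange("testing", stored))           # normal case
    print(exchange("anything", stored, False))   # server accepts any password
    print(exchange("testing", shadow_hash("testing", salt), False))
```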
