Re: RADIUS & PEAP

If your using the Windows supplicant (which nearly everyone is, despite it's nastyness), and want passwordless authentication using EAP, your only other solution is to set up local PKI (public key infrastructure), and start issuing client certificates, and use EAP-PEAP-TLS (Microsofts version of EAP TLS). 
What you're attempting to do is impossible because MS-CHAP is a mutual
authentication protocol. If the RADIUS server does not demonstrate
knowledge of the password to the supplicant, a well-behaved the
supplicant *should* refuse the connection.

(I also wouldn't be surprised if the RADIUS server barfs because it
can't get a valid user-password in order to construct the authentication
response but I can't comment authoritatively on this).

Finally, you can't authenticate MS-CHAP against /etc/passwd or
/etc/shadow; MS-CHAP requires access to the cleartext password or its
NTLM hash.

josh.


-----Original Message-----
From: freeradius-users-bounces+josh.howlett=ja.net@lists.freeradius. org [mailto:freeradius-users-bounces+josh.howlett=ja.net@lists.fre 
eradius.org] On Behalf Of Adrienne Rau

Sent: 03 July 2007 19:30
To: freeradius-users@lists.freeradius.org
Subject: RADIUS & PEAP
I am configuring a wireless network with EAP Authentication. I can connect successfully with the following line in my users file. 

testuser User-Password == "testing"
I would like to be able to authenticate with ANY password. I tried using the "!=" operand, but that causes an MS-CHAP incorrect response error. Is there any way to make EAP authenticate with any password. If not, how can I have it authenticate against the /etc/passwd and /etc/shadow files? 

Thank you for your help,
Adrienne Rau

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.