Captive portal: can I use chap or pap in conjunction with ntlm_auth?

john lists.john at gmail.com
Wed Jul 29 00:16:22 CEST 2009


Hi all,

I am trying to get a captive portal working so my wireless users can
enter their Windows domain credentials and get internet access.

I've been working with chilispot/hotspotlogin.cgi and/or Copspot (an
implementation of chilispot for IPCOP) both of which try to do CHAP
with freeradius. Chili can also just hand a clear text password
through. Either approach works fine if I put users in the users file,
however I can't get this to work with my AD backend. NTLM auth does
work if I use WPA2, however I am trying to push users through a TOS
splash page and validate their domain credentials.

I hope someone can help me figure this out.

Thanks!

John

Here's the output from my attempts to authenticate:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/freeradius/freeradius.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.114.0.39 port 32772,
id=0, length=216
	User-Name = "flyboy"
	CHAP-Challenge = 0xd4a3fb75001e61f38b8216844306287c
	CHAP-Password = 0x00fcd3e064aa8829713fc8263c5b7e8303
	NAS-IP-Address = 0.0.0.0
	Service-Type = Login-User
	Framed-IP-Address = 192.168.182.8
	Calling-Station-Id = "00-21-5C-15-6D-8B"
	Called-Station-Id = "00-50-DA-1A-EF-77"
	NAS-Identifier = "nas01"
	Acct-Session-Id = "4a6f716d00000000"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 0
	Message-Authenticator = 0x452e7d3ec37b78ce9dc2d08eb447f6c9
	WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "flyboy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "flyboy" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> flyboy
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 10.114.0.39 port 32772
Waking up in 4.9 seconds
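
Added example (not part of the original post, and not FreeRADIUS code): the CHAP check from RFC 1994 as RADIUS carries it, showing why the [chap] module in the log above reports that a Cleartext-Password is required. The function names and all sample values are constructed for illustration; the truncated SHA-256 is only a stand-in for a one-way stored credential such as the NT hash kept by AD.

```python
import hashlib
import hmac

def parse_hex_attr(value: str) -> bytes:
    """Decode a FreeRADIUS debug-style octets value such as '0x00ab...'."""
    if not value.startswith("0x"):
        raise ValueError("expected 0x-prefixed octets")
    return bytes.fromhex(value[2:])

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def chap_verify(chap_password: bytes, challenge: bytes, secret: bytes) -> bool:
    """Check a RADIUS CHAP-Password (1-byte CHAP id + 16-byte MD5 response)."""
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 17 octets")
    chap_id, response = chap_password[0], chap_password[1:]
    # The server has to recompute the MD5 itself, so it needs the same
    # secret the client typed: the cleartext password.
    expected = chap_response(chap_id, secret, challenge)
    return hmac.compare_digest(expected, response)

# Constructed sample values (not taken from the log above).
CLEARTEXT = b"Example-Passw0rd"
CHALLENGE = parse_hex_attr("0x000102030405060708090a0b0c0d0e0f")
CHAP_ID = 0
# What the NAS would send as CHAP-Password for this user.
CHAP_PASSWORD = bytes([CHAP_ID]) + chap_response(CHAP_ID, CLEARTEXT, CHALLENGE)

# Stand-in for a one-way stored credential. A real NT hash is MD4 over the
# UTF-16LE password; MD4 is often unavailable in hashlib, so a truncated
# SHA-256 plays that role here (assumption, for illustration only).
STORED_HASH = hashlib.sha256(CLEARTEXT.decode().encode("utf-16-le")).digest()[:16]

def demo() -> dict:
    return {
        "cleartext": chap_verify(CHAP_PASSWORD, CHALLENGE, CLEARTEXT),
        "stored_hash": chap_verify(CHAP_PASSWORD, CHALLENGE, STORED_HASH),
    }

if __name__ == "__main__":
    print(demo())
```

The check succeeds only when the server holds the cleartext; a backend that keeps just a one-way hash of the password cannot reproduce the MD5 that CHAP sends.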
