EAP (PEAP)+ntlm_auth doesn't send password by itself

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Tue Mar 23 10:39:52 CET 2010


Hi,

> > you still haven't fixed that basic thing - check out the default config from
> > the 2.1.8 tarball
> 
> Today I tried unsuccessfully to figure out how to solve the ":-" issue. I read "man unlang" but I could not find anything...

just read your version and compare it to the supplied default config in 2.1.8
- it's quite easy - it's the addition of some more curly brackets

> I have been thinking it could be due to a wrong configuration of the Cisco AP 1100. I will follow the instructions described at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c40b6.shtml#NetEAP

you need 'open' with EAP methods...on a 'fat' AP this is something like

dot11 ssid real-wifi
   vlan 666
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa
   accounting accounting-method-list
   mbssid guest-mode dtim-period 3
   information-element ssidl advertisement wps
   admit-traffic

> However, I just want to do transparent authentications using PEAP with Microsoft Challenge Authentication Protocol (MS-CHAP) Version 2 without certificates (have you a recipe?) (http://cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764f1_ps4570_Products_Q_and_A_Item.html)

you need certificates - how do you think the EAP is done? the PEAP tunnel is created by the client
talking to the (RADIUS) server. you don't need client certs....that's EAP-TLS. if you don't want to trust
the certificate (i.e. install the CA that signs the RADIUS server) then that's your (very very bad) choice.
you've just weakened massively one of the protection methods of 802.1X

alan
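
The point about trusting the CA that signs the RADIUS server can be checked on the client side. The following is an added example, not part of the original message or of FreeRADIUS: it assumes the clients use wpa_supplicant, and audits its network blocks for PEAP/TTLS entries that skip server certificate validation. The SSID is the one from the AP configuration above; the identity, password, CA path and server domain are constructed placeholders.

```python
import re

# Constructed sample: two wpa_supplicant network blocks (placeholder values).
SAMPLE_CONF = '''
network={
    ssid="real-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="real-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''
TUNNELLED = {"PEAP", "TTLS"}
NAME_PINS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return each network={...} block as a dict of key -> unquoted value."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        entry = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks

def audit(text):
    """Return (block index, problem) for tunnelled-EAP blocks lacking server validation."""
    findings = []
    for i, net in enumerate(parse_networks(text)):
        if not TUNNELLED & set(net.get("eap", "").upper().split()):
            continue
        if "ca_cert" not in net:
            findings.append((i, "no ca_cert: RADIUS server certificate is not verified"))
        elif not any(k in net for k in NAME_PINS):
            findings.append((i, "ca_cert set, but server name is not pinned"))
    return findings
```

Calling `audit(SAMPLE_CONF)` flags only the first block: it is the "no certificates" client setup asked about, where the supplicant opens the PEAP tunnel to whatever server answers.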



More information about the Freeradius-Users mailing list