Integration with CISCO Router for PEAP requests
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Aug 30 11:32:00 CEST 2012
On 30 Aug 2012, at 09:40, Andras Ionut <ionut.andras at gmail.com> wrote:
> How can I configure FreeRADIUS to work with a CISCO Router and a
> captive portal in the following case...
>
> 1. User tries to access WiFi network with good user and wrong password
> 2. FreeRADIUS should send Access-Accept with Filter-Id set to portal
> redirect policy and not Access-Reject
> 3. User is presented login page, bla, bla, bla
>
> My problem is that I have to send an Access-Accept on failed login for
> PEAP (for TTLS I've managed to do it from config, but this is another
> story)
You can't fake an Accept that the PEAP supplicant will accept, because MSCHAPv2 requires that you actually provide the correct credentials. You can send an Access-Accept back to the access point, and even force an EAP-Success, but the supplicant will probably refuse to connect because it only cares about the success notification from the MSCHAPv2 inner.
Your only option is to run a separate open ssid with something like macauth.
TTLS works because you're using a PAP inner method, and IIRC the keying material for WPA2 is derived from the SSL tunnel, which can be established without knowledge of the user's password. If you tried TTLS-MSCHAPv2 it would fail.
-Arran
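As an added illustration of the point above (example code written for this page, not from the thread or from FreeRADIUS): the supplicant validates the MSCHAPv2 Authenticator Response of RFC 2759 section 8.7, which is derived from the NT password hash, so a server that does not hold the correct password cannot produce a value the client will accept, whatever the outer RADIUS code says. The challenges and user name are the RFC 2759 section 9.2 test values; the NT-Response is a constructed placeholder, and MD4 is implemented inline because hashlib on OpenSSL 3 builds often lacks it.

```python
import hashlib
import hmac
import struct
MASK = 0xFFFFFFFF
MAGIC1 = b"Magic server to client signing constant"     # RFC 2759 section 8.7
MAGIC2 = b"Pad to make it do more than one iteration"

def md4(data: bytes) -> bytes:
    """Minimal RFC 1320 MD4; inline because OpenSSL 3 hashlib often lacks it."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):  # three rounds of 16 operations each
            if i < 16:
                f, k, s, t = F, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, t = G, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, t = H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], 0x6ED9EBA1
                s = (3, 9, 11, 15)[i % 4]
            a, d, c, b = d, c, b, rol((a + f(b, c, d) + X[k] + t) & MASK, s)
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_password_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def challenge_hash(peer_chal: bytes, auth_chal: bytes, username: bytes) -> bytes:
    return hashlib.sha1(peer_chal + auth_chal + username).digest()[:8]

def authenticator_response(password, nt_response, peer_chal, auth_chal, username) -> str:
    """Server side: the value the supplicant demands in the MSCHAPv2 Success packet."""
    digest = hashlib.sha1(md4(nt_password_hash(password)) + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_chal, auth_chal, username)
    return "S=" + hashlib.sha1(digest + chal + MAGIC2).hexdigest().upper()

def supplicant_accepts(server_resp, password, nt_response, peer_chal, auth_chal, username) -> bool:
    """Client side: recompute from its own password; an EAP-Success from a server
    that never knew the password cannot carry a matching value and is refused."""
    expected = authenticator_response(password, nt_response, peer_chal, auth_chal, username)
    return hmac.compare_digest(expected, server_resp)

# RFC 2759 section 9.2 challenges and user name; NT-Response is a constructed placeholder
AUTH_CHAL = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHAL = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
USER, PASSWORD, NT_RESPONSE = b"User", "clientPass", bytes(range(24))
```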