Integration with CISCO Router for PEAP requests

Andras Ionut ionut.andras at gmail.com
Thu Aug 30 12:12:43 CEST 2012


Thanks a lot for the quick answer, Arran.

That is exactly what I need - sending an Access-Accept and maybe
EAP-Success if possible. I don't care if the device will not connect.
I only need Access-Accept in order for the CISCO router to assign an
IP to the client and redirect it to portal using L4_Redirect.

Can this be done? If yes, can you please be more explicit on how to do
this in freeradius?

Thanks in advance,
Andras



----------------------------------------------------------


On 30 Aug 2012, at 09:40, Andras Ionut <ionut.andras at gmail.com> wrote:

> How can I configure FreeRADIUS to work with a CISCO Router and a
> captive portal in the following case...
>
> 1. User tries to access WiFi network with good user and wrong password
> 2. FreeRADIUS should send Access-Accept with Filter-Id set to portal
> redirect policy and not Access-Reject
> 3. User is presented login page, bla, bla, bla
>
> My problem is that I have to send an Access-Accept on failed login for
> PEAP (For TTLS I've managed to do it from config, but this is another
> story)

You can't fake an Accept that the PEAP supplicant will accept because
MSCHAPv2 requires that you actually provide the correct credentials.
You can send an Access-Accept back to the access point, and even force
an EAP-Success but the supplicant will probably refuse to connect
because it only cares about the success notification from the MSCHAPv2
inner.

Your only option is to run a separate open ssid with something like macauth.

TTLS works because you're using a PAP inner method, and IIRC the
keying material for WPA2 is derived from the SSL tunnel which can be
established without knowledge of the users password. If you tried
TTLS-MSCHAPv2 it would fail.

-Arran
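A constructed FreeRADIUS 2.x configuration fragment, added here and not taken from the thread, showing the TTLS/PAP case Andras says he got working: the inner-tunnel server accepts the inner request regardless of the password and returns Filter-Id, and eap.conf copies that attribute into the outer Access-Accept. The policy name "portal-redirect", keying on the presence of User-Password, and the comments on the PEAP branch are my assumptions, not the thread's.

```unlang
# sites-available/inner-tunnel (constructed example), top of authorize.
# Use this only in a dedicated inner-tunnel virtual server bound to the
# portal SSID; on a server where real users authenticate it would accept
# any password.
authorize {
    # A TTLS/PAP inner request carries a cleartext User-Password; a
    # PEAP inner request arrives as an EAP-Message (MSCHAPv2) instead.
    if (User-Password) {
        update control {
            # Skip password verification entirely. The later "pap"
            # module sees Auth-Type already set and does nothing.
            Auth-Type := Accept
        }
        update reply {
            # Placeholder name of the router's L4 redirect policy.
            Filter-Id := "portal-redirect"
        }
    }
    # Not done for the PEAP branch: forcing Accept there would skip the
    # mschap module, so no MS-CHAP2-Success (carrying the authenticator
    # response the supplicant verifies) is ever built, and the client
    # drops the association, as Arran explains above.

    # remaining modules of the stock authorize section unchanged
    # (suffix, eap, files, pap, ...)
}

# eap.conf, inside eap { ttls { ... } }: copy inner reply attributes such
# as Filter-Id into the outer Access-Accept that the router receives.
ttls {
    use_tunneled_reply = yes
}
```

The TTLS client still completes the association because, as Arran notes, its WPA2 keying material comes from the TLS tunnel rather than from the inner password exchange.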

