Authenticate WPA enterprise from custom service
Adnan Miljkovic
adnan at green.ba
Thu Nov 27 15:57:33 CET 2014
Hello,
I am trying to authenticate wifi users by using WPA enterprise.
So far I have a script in the module folder:
exec checkuser {
    wait = yes
    input_pairs = request
    output_pairs = reply
    program = "/etc/raddb/check-user.php -log -debug '%{User-Name}' '%{User-Password}' '%{NAS-IP-Address}' '%{Called-Station-Id}' '%{Calling-Station-Id}' '%{Chap-Password}'"
    shell_escape = yes
}
Where I pass the username and password. The script does the rest. It works
properly.
In my sites-enabled/default, in the authorize section, as the last check I
have this:
update control {
    Auth-Type := CheckUser
}
When I test it by using:
# radtest adnan myPassword localhost 0 testing123
I clearly get in my log:
Found Auth-Type = CheckUser
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CheckUser {...}
[checkuser] expand: '%{User-Name}' -> 'adnan'
[checkuser] expand: '%{User-Password}' -> 'myPassword '
[checkuser] expand: '%{NAS-IP-Address}' -> '172.20.4.1'
[checkuser] expand: '%{Called-Station-Id}' -> ''
[checkuser] expand: '%{Calling-Station-Id}' -> ''
[checkuser] expand: '%{Chap-Password}' -> ''
And the value for password is shown in the %{User-Password} variable. So it
is passed to my PHP script for further checks.
But when I try to log in from my Android device I do not get the password;
it is empty. I am using the following settings on my Android device:
MSCHAPV2, and adding the identity (my username) and password.
Is it possible to get the password in plain text from the remote device? I
am missing some concept here. Is there another way of authentication for
WPA enterprise?
All help is much appreciated.
Regards,
Adnan
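
Added example, not part of the original post and not FreeRADIUS code: a Python check script that reads the request attributes from the environment variables the exec module exports (User-Name becomes USER_NAME) rather than from the command line, and rejects any request that carries no cleartext User-Password, which is the case for EAP and MS-CHAPv2 logins. The user table, the function names and the stripping of surrounding double quotes are assumptions made for this demonstration.

```python
#!/usr/bin/env python3
"""Hypothetical check-user helper for an exec module (added example)."""
import hmac
import os
import sys

# Constructed credential store for the demo; a real script would query its backend.
DEMO_USERS = {"adnan": "myPassword"}

def attr(env, name):
    """Fetch a request attribute from the exec environment (User-Name -> USER_NAME).
    Assumption: string values may arrive wrapped in double quotes, so strip them."""
    value = env.get(name.upper().replace("-", "_"))
    if value is None:
        return None
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value

def credential_type(env):
    """Classify which credential attribute the request actually carries."""
    if attr(env, "User-Password"):
        return "pap"
    if attr(env, "MS-CHAP2-Response") or attr(env, "MS-CHAP-Challenge"):
        return "mschap"
    if attr(env, "CHAP-Password"):
        return "chap"
    if attr(env, "EAP-Message"):
        return "eap"
    return "none"

def check(env, users=DEMO_USERS):
    """Return (exit_code, message): 0 = accept, 1 = reject."""
    kind = credential_type(env)
    if kind != "pap":
        return 1, f"no cleartext User-Password in request (credential type: {kind})"
    expected = users.get(attr(env, "User-Name") or "")
    supplied = attr(env, "User-Password")
    # Constant-time comparison so the check does not leak how many bytes matched.
    if expected is not None and hmac.compare_digest(expected.encode(), supplied.encode()):
        return 0, "accepted"
    return 1, "bad username or password"

if __name__ == "__main__":
    code, message = check(os.environ)
    print(message, file=sys.stderr)  # keep the password itself out of the log
    sys.exit(code)
```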