Change PEAP user-name and user-password

Alan DeKok aland at
Thu Jun 14 00:03:21 CEST 2018

On Jun 13, 2018, at 5:59 PM, Seth Lampman <sethklampman at> wrote:
> I am trying to figure out if what I want to do is possible.  I work for a
> VPN vendor. We support device auth as well as user auth. User auth is
> always required no matter what.  I have a customer that wants device auth
> only using eap-tls.  No issues, this works fine.  They want to disable user
> auth and use only device certificate auth which we do not support.

  Adding certificate authentication shouldn't be that hard...

>  I want
> to basically be able to accept all user auth requests presented to the
> RADIUS server which would in effect give them what they want.

  That's really impossible in most EAP methods.

> I know that with eap\mschapv2 (we don't support lesser protocols) you cannot
> have auto accept all requests due to mutual auth required.


>  My thought was
> to create a default user in FreeRADIUS and then update user-name and
> user-password to the default user.  So Joe tries to authenticate and unlang
> rewrites Joe to default user. And rewrites Joe's password to default user
> password. Auth succeeds.

  That doesn't work.  The mutual authentication is mutual between the end user system (i.e. Joe), and FreeRADIUS.  You can re-write things in FreeRADIUS however you want, and it won't matter.  The end user system will reject the response from FreeRADIUS.

 That's what *mutual* auth means.  *Both* ends have to agree.  You can't just mangle one end and expect it to work.

> I've researched the forums and I think I need to do this on the outer tunnel
> as well as the inner tunnel? I can't find anything that is clear on that.
> If someone could point me in the right direction and let me know if I am on
> the right track?

  It's impossible.

  Alan DeKok.
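
Why the rewrite fails for MS-CHAPv2, as an added example (not part of the original message and not FreeRADIUS code): in RFC 2759 the server's success message carries an authenticator response derived from the user's password hash, and the supplicant recomputes it from its own credentials. The `default` account name and `defaultPass` password are hypothetical; the challenge and NT-Response bytes are the RFC 2759 test vector.

```python
import hashlib, struct

def md4(data: bytes) -> bytes:  # pure-Python MD4 (RFC 1320); hashlib may lack it
    M = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    rounds = (  # (boolean function, additive constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [4 * (i % 4) + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rol((a + f(b, c, d) + X[k] + const) & M, shifts[i % 4]), b, c
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def authenticator_response(password, username, nt_response, peer_chal, auth_chal):
    """RFC 2759 GenerateAuthenticatorResponse: the server's proof sent with Success."""
    pw_hash_hash = md4(md4(password.encode("utf-16-le")))
    digest = hashlib.sha1(pw_hash_hash + nt_response
                          + b"Magic server to client signing constant").digest()
    chal = hashlib.sha1(peer_chal + auth_chal + username.encode()).digest()[:8]
    final = hashlib.sha1(digest + chal + b"Pad to make it do more than one iteration")
    return "S=" + final.hexdigest().upper()

# RFC 2759 test vector standing in for Joe's exchange: user "User", password "clientPass".
AUTH_CHAL = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHAL = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
WIRE = (NT_RESPONSE, PEER_CHAL, AUTH_CHAL)

def supplicant_accepts(server_proof: str) -> bool:
    """The client recomputes the proof from its own name and password, then compares."""
    return server_proof == authenticator_response("clientPass", "User", *WIRE)

def demo():
    honest = authenticator_response("clientPass", "User", *WIRE)
    rewritten = authenticator_response("defaultPass", "default", *WIRE)  # hypothetical account
    return honest, supplicant_accepts(honest), supplicant_accepts(rewritten)

if __name__ == "__main__":
    print(demo())
```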
