FreeRadius, Eduroam, and me...

Tim Young Tim.Young at
Mon Jun 22 21:37:08 CEST 2020

Sorry for not giving all the details...

This comes from "eduvpn."  ( Apparently it is an openvpn 
based system.  When I start the VPN, and select "KNET" it takes me to a 
sign-in webpage that "authenticates off of eduroam" creates some form of 

When I type my credentials into the above webpage, I do get the 
plaintext username / password.

I do not know what else they are doing, but I know they have other sites 
that successfully authenticate against a mysql database.  They do not 
have a config that successfully authenticates off of Active Directory 
(which is what the school I am helping with is trying to set up).

We can probably assume it is not running "proper eduroam."  My question 
is, then, can I get something that passes in the depressingly insecure 
username/password combo to authenticate off Active Directory, or is it a 
lost cause?  Do I need to complain loudly that they need to change the 
auth type to something else? (but whatever they use will need to 
authenticate off of a mysql back-end also)

     - Tim

On 6/22/2020 2:05 PM, Alan Buxey wrote:
> hi,
>> but still have some issues.   I am now testing through an eduroam
>> web-sign-in, where the actual main requests will come from.  It appears
> there is no such thing as eduroam web sign-in. captive portal eduroam
> was killed off back
> in the early days - pre 2012
> are you talking about a site you have access to that allows some sort
> of testing functionality
> in your NRO (is that SAFIRE per chance?) - if so, it should not be
> using PAP , it should
> be using at least a PEAP mechanism (ideally it would support any EAP
> type supported
> by the home organisation so ensure the home org can test its users
> behaviour remotely).
> (as said in previous reply, your RADIUS server should be configured to
> drop incoming
> requests if they are not EAP
>>        require_message_authenticator = no
> and set those to 'yes' in your clients.conf
>> (1)   User-Name = "mytextusername at"
>> (1)   User-Password = "mypassinplaintext"
> not an EAP request - so it wont get to your inner-server config
> (which , being from outside world should
> be a rather plain inner-server that doesnt do things like VLAN
> assignment based on groups etc etc)
> alan
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list