Hello list, I'm trying to secure my wireless networks with RADIUS, so that any combination of username/password will let the user in. So far I tried to add this line to my `users` file: DEFAULT Auth-Type := Accept With radtest I could get a positive feedback, but when I wire up the RADIUS server with my wireless AP and try to connect (via EAP-TTLS/MSCHAPv2), no connection is established. This happens on both a TP-Link router with OpenWRT and an Ubiquity UniFy AP as access point. Here's the debug output of freeradius (excerpt, the full log is attached):
rad_recv: Access-Request packet from host 192.168.8.1 port 60199, id=16, length=190 User-Name = "foousername" Called-Station-Id = "C2-4A-00-6C-F1-53:use.any.password" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "E8-DE-27-1D-04-02" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "54EC901D-00000008" Framed-MTU = 1400 EAP-Message = 0x029f001001666f6f757365726e616d65 Message-Authenticator = 0xd8aca58525e34524e692e7a0d3f6eab9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop [eap] EAP packet type response id 159 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry DEFAULT at line 1 ++[files] = ok ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = Accept Auth-Type = Accept, accepting the user # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 16 to 192.168.8.1 port 60199 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 16 with timestamp +5
The "sites-enabled/default" config is pretty much untouched from installation. For me it seems like a successful user authorization? When running tcpdump on the access point, I only see the outgoing EAP package. I'm a bit clueless now... Greetings, Dominik