Andy Theuninck <gohanman@gmail.com> writes:
I'm trying to set up freeradius to handle WPA authentication on my network. I've managed to get the AP & radius servers talking to one another and the SSL certificates loaded and configured, but I can't figure out how to get the username & passwords checked against the local /etc/shadow file. Free radius version is 1.1.3, latest binary provided by my version of CentOS.
Well, I guess you aøready know this but you should really get something newer...
The client attempting to connect is Mac OS X 10.4. In a perfect world, I'd like to support both OS X and Windows XP with names & passwords checked against /etc/shadow.
I think that might be difficult. Windows will want to use mschap, which requires a cleartext password. Everything is working just as it should this far:
modcall: leaving group authorize (returns ok) for request 3 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 3
But then it fails, as you don't have any Cleartext-Password (aka "User-Password" in FreeRADIUS 1.x language):
rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for andy with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 3 modcall: leaving group MS-CHAP (returns reject) for request 3 auth: Failed to validate the user.
The easiest would be to just forget /etc/shadow and configure cleartext passwords for your WPA users. You might try some inner authentication module supporting encrypted passwords (PAP?) but I don't know if that'd ever work with Windows... Bjørn