(Sorry for the late response. I was tinkering with other aspects of the network and have just re-started with the FR integration.)
I'm trying to secure my wireless networks with RADIUS, so that any combination of username/password will let the user in.
That isn’t very secure.
Oh, I'm targeting for transport encryption, the net should be open for everyone. I just don't want unencrypted Wifi packages flying over the air and make it easy for blackhats to read these... I thought a WPA2/Enterprise encrypted Wifi connection backed by an FR server using proper certificates would be a good idea, wouldn't it?
So far I tried to add this line to my `users` file:
DEFAULT Auth-Type := Accept
That won’t work.
With radtest I could get a positive feedback, but when I wire up the RADIUS server with my wireless AP and try to connect (via EAP-TTLS/MSCHAPv2), no connection is established.
Exactly.
MS-CHAPv2 *requires* that the server know the users correct password.
Yeah, I thought so, too. Looks like I need a predefined set of valid credentials for my Windows clients... I need to communicate some information anyway, I think I can include some username/passwords as well.
You need to do two things:
1) configure the clients to use TTLS/PAP instead of MS-CHAP
2) update the “users” file entry to say:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept
Then TTLS/PAP should work. Nothing else will work, though.
Is there anything else I need to configure? Using those two settings gives me this:
# radtest -t pap foobar snafu localhost 10 testing123 Sending Access-Request of id 222 to 127.0.0.1 port 1812 User-Name = "foobar" User-Password = "snafu" NAS-IP-Address = 127.0.1.1 NAS-Port = 10 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=222, length=20
And in the server log:
rad_recv: Access-Request packet from host 127.0.0.1 port 45876, id=0, length=120 User-Name = "foobar" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000b01666f6f626172 Message-Authenticator = 0xb3ca17f074559f077c154b1f72006a21 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop [eap] EAP packet type response id 0 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop ++update control { ++} # update control = noop +} # group authorize = updated Found Auth-Type = Accept Auth-Type = Accept, accepting the user # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 0 to 127.0.0.1 port 45876
Although an Access-Accept is transmitted, the warning "no 'known good' password found for the user" makes me worry, I didn't understand a central part of FR... When I try to connect a Wifi client to a NAS speaking to the server running above, I'll get the same output (an no connection). I think tomorrow I will start to fiddle with wpa_supplicant's eapol_test. Thanks so far, Dominik