On 2013-07-09 at 10:18, Matthew Newton (mcn4@leicester.ac.uk) wrote:
Julian,
On Mon, Jul 08, 2013 at 03:10:31PM -0700, Julian Macassey wrote:
I'm just trying to do a bog standard username and password for OS X and Linux users on laptops - Plus the ubiquitous smartphones of course. I have no Microsoft gear on the LAN.
Try adding the following to the *top* of your users file:
evergreen Cleartext-Password := "pa55word", MS-CHAP-Use-NTLM-Auth := 0
When I use the users file, it works. In fact, every possible auth protocol works: The line you have above does work. But, that's when I have the user in the users file. When I comment it out so I can use the /etc/password file - Nothing radtest evergreen Y0V2T2VAKI 127.0.0.1:18120 0 d1sc0verplum Which tests the inner tunnel works using: radtest -t mschap evergreen Y0V2T2VAKI 127.0.0.1:18120 0 d1sc0verplum And every -t option (-t pap/chap/mschap/eap-md5) works. It also works with every port 1812 too: radtest -t mschap evergreen Y0V2T2VAKI 127.0.0.1 0 d1sc0verplum And, here's the proof, with the line: evergreen Cleartext-Password := "Y0V2T2VAKI" in users I can connect to the WiFi router with a Macbook and an iPhone.
...
your client is set to do PEAP/EAP-MSCHAPv2 - which is what most things (including Windows) will do by default. It can't auth against /etc/passwd, but it can if it knows the cleartext password as shown above.
But, it needs to auth against /etc/password rather than put every damn user into /etc/freeradius/users. Then if I give someone a username and password on my server, freeradius will let them use the WiFi too with no hassles.
This is the EAP-MSCHAPv2 bit (inside the PEAP inner tunnel) telling you it's got no cleartext password or NTLM hash, so it can't authenticate the user.
Given a cleartext password as above, you should be good to go.
Yup, works like a charm with the username password in users. That would be ideal at home, where it is just my wife and I and maybe a "guest" login for friends and relations. I will persevere. I have seen that in the 1.* release there was an "Auth-Type System", which was for system username password. Thanks for the help.