On Jun 13, 2018, at 5:59 PM, Seth Lampman <sethklampman@gmail.com> wrote:
I am trying to figure out if what i want to do is possible. I work for a VPN vendor. We support device auth as well as user auth. User auth is always required no matter what. I have a customer that wants device auth only using eap-tls. No issues this works fine. They want to disable user auth and user only device certificate auth which we do not support.
Adding certificate authentication shouldn't be that hard...
I want to bascially be able to accept all user auth requests presented to the radius server which would in effect give them what they want.
That's really impossible in most EAP methods.
I know that with eap\mschapv2 (we dont support lesser protocols) you cannot have auto accept all requests due to mutual auth required.
Yes.
My thought was to create a default user in freeradius and then update user-name and user-password to the deafult user. So joe tries to authenticate and unlang rewrites joe to default user. And rewrites joes password to default user password. Auth succeeds.
That doesn't work. The mutual authentication is mutual between the end user system (i.e. Joe), and FreeRADIUS. You can re-write things in FreeRADIUS however you want, and it won't matter. The end user system will reject the response from FreeRADIUS. That's what *mutual* auth means. *Both* ends have to agree. You can't just mangle one end and expect it to work.
Ive researched the forums and i think i need to do this on the outer tunnel as well as the inner tunnel? I cant find anything that is clear on that.
If someone could point me in the right direction and let me know if i am on the right track?
It's impossible. Alan DeKok.