On Jan 30, 2019, at 10:53 AM, Ben Tyson <btysonnorrman@gmail.com> wrote:
REPOST FROM STACK EXCHANGE.
IS THAT NECESSARY?
Version of FreeRadius:Latest from Download Operating System: ARM (raspberry PI) or Linux (can be switched, as needed)
I'm trying to create an open WPA2-EAP wireless network. Yes, I know that's a contradiction in terms, but bear with me.
It's pretty much designed to be impossible.
We need client separation, rather than authentication - so need the WPA2-EAP facilities, without authentication users.
Windows 7 & 10 clients and DD-wrt as the wireless access point
**Note the windows clients do not have admin rights, so I can't install client and CA certs on them**
Then you can't do it.
It is possible to tell FreeRadius to accept all, by using DEFAULT Auth-Type = Accept - however that just returns an authorised to the access point - and doesn't return a MSCHAPv2-Successful, so the client can connect to the network, but then doesn't get the correct response to continue, so keeps on trying to authenticate.
Exactly.
Does anyone know if there is a way of forcing the MSCHAP module to return authorised (e.g. a debugging mode) - or would it be reasonable to strip the module, so that it always returns Successful.
That's not how it works. The Wifi clients encrypt each packet with a secret key. That key is derived but the Wifi client && the RADIUS server from a successful authentication. The RADIUS server sends the keys to the access point. Without a successful authentication, there is nothing to derived. You can't just invent a key and send it to the AP. The WiFi client will see that authentication hasn't succeeded, and will refuse to connect.
Any other thoughts, gratefully received, but note: anything that involves going hands on with the clients won't work.
What you want to do is impossible. It was *designed* to be impossible to do. Your options are: a) install something on the client (certs, WiFi config) b) have an open WiFi network, and rely on a captive portal to control access c) have no WiFi network That is all. Alan DeKok.