Sorry for not giving all the details... This comes from "eduvpn." (app.eduvpn.org) Apparently it is an openvpn based system. When I start the VPN, and select "KNET" it takes me to a sign-in webpage that "authenticates off of eduroam" creates some form of token: https://controller.eduroam.ke/vpn-user-portal/_form/auth/verify When I type my credentials into the above webpage, I do get the plaintext username / password. I do not know what else they are doing, but I know they have other sites that successfully authenticate against a mysql database. They do not have a config that successfully authenticates off of Active Directory (which is what the school I am helping with is trying to set up). We can probably assume it is not running "proper eduroam." My question is, then, can I get something that passes in the depressingly insecure username/password combo to authenticate off Active Directory, or is it a lost cause? Do I need to complain loudly that they need to change the auth type to something else? (but whatever they use will need to authenticate off of a mysql back-end also) - Tim On 6/22/2020 2:05 PM, Alan Buxey wrote:
hi,
but still have some issues. I am now testing through an eduroam web-sign-in, where the actual main requests will come from. It appears
there is no such thing as eduroam web sign-in. captive portal eduroam was killed off back in the early days - pre 2012
are you talking about a site you have access to that allows some sort of testing functionality in your NRO (is that SAFIRE per chance?) - if so, it should not be using PAP , it should be using at least a PEAP mechanism (ideally it would support any EAP type supported by the home organisation so ensure the home org can test its users behaviour remotely). (as said in previous reply, your RADIUS server should be configured to drop incoming requests if they are not EAP
require_message_authenticator = no
and set those to 'yes' in your clients.conf
(1) User-Name = "mytextusername@my.domain.edu" (1) User-Password = "mypassinplaintext" not an EAP request - so it wont get to your inner-server config (which , being from outside world should be a rather plain inner-server that doesnt do things like VLAN assignment based on groups etc etc)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html