On Aug 5, 2020, at 4:48 AM, Kristian Faller <kristian.faller@remarkable.no> wrote:
Is it possible to specify which authentication mode and tunnel type are being used?
Yes and no. The client is the one which chooses a particular EAP type. But the server has to be configured to accept it.
If yes, what files do I need to modify in order to do this? I have tried reading the documentation and looking through some of the config files, but as a complete beginner at this, I'm not sure if I'm even looking in the right places.
mods-available/eap has full documentation. The default configuration is designed to work in as many situations as possible. So generally it's just add a "known good" name/password to the config, and most EAP types will work. I have a full guide on my site: http://deployingradius.com
Background: I work with software testing for reMarkable (we create an E ink tablet based on Linux), and we want to conduct more specified testing on WPA Enterprise (802.1X over Wi-Fi). At the moment we have done testing on our network gear which consists of Ubiquiti Unifi which only implements eap_peap with MSCHAPv2. While this is probably used for many companies all over the world, we would like to test other kinds of authentication and tunnel types, thus I started setting up FreeRadius on a Raspberry Pi 4, running Ubuntu 19.10 for IoT devices.
If you use wpa_supplicant, it will work everywhere, with everything.
Our tablet runs a flavor of Linux, using wpa_supplicant and should (in theory) be able to connect to most kinds of network. However, we know that certificate-based networks won't work at the moment due to not having a way to import licenses. However, I do believe there are other types of networks not needing certificates, and these are the ones we'd like to test.
EAP-TLS needs client certificates. Other EAP types (PEAP, TTLS) still need to have a CA certificate configured on the client.
I got FreeRadius up and running, but for every connection attempt, I can see from the output with "freeradius -X" that eap_peap and MSCHAPv2 are used. I want to be able to set specific (valid) values so that our company can implement and properly test the different variations of auth modes and tunnels.
See my web site. There are example configuration for eapol_test to test most EAP types. Alan DeKok.