Hello List, Network Wired Project running here. Devices users authenticate successfully using peap/mschapV2 and ldap backend outer identity is configured as anonymous I'd like to find how to force "accept" for a special user, based on "mods-config/files/authorize" file - user is logged-in on device so that is real username is kown only by inner-tunnel - user isn't known by ldap (that's why I try with "users" file) - user's password may change so that I don't want to check it "users" entry looks like : myuser Auth-Type := Accept Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, #Tunnel-Private-Group-ID = "407", Tmp-String-1 = "407" Tmp-String-1 is used by default/post-auth section as it : update reply { Tunnel-Private-Group-Id := "%{reply:Tmp-String-1}" } files module is enabled in inner tunnel/authorize My problem : I cant see "accept" during inner-tunnel (after authorize file module) (9) files: users: Matched entry myuser at line 99 (9) [files] = ok (9) } # authorize = ok (9) Found Auth-Type = Accept (9) Auth-Type = Accept, accepting the user (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel but next challenge says (10) eap_peap: ERROR: We sent a success, but the client did not agree (10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed Il don't know what is the best way to achieve this. Any idea ? Thanks -- : *Cédric Delaunay * *Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information* *Admin Réseau / RSSI Suppléant * Tel. : +33 (0)2 23 23 8568 *INSA Rennes* 20 avenue des Buttes de Coêsmes CS 70839 - 35 708 RENNES Cedex 7 www.insa-rennes.fr <http://www.insa-rennes.fr/>
cedric Delaunay <cedric.delaunay@insa-rennes.fr> Wrote:
Devices users authenticate successfully using peap/mschapV2 and ldap backend outer identity is configured as anonymous
I'd like to find how to force "accept" for a special user, based on "mods-config/files/authorize" file user is logged-in on device so that is real username is kown only by inner-tunnel user isn't known by ldap (that's why I try with "users" file) user's password may change so that I don't want to check it
I believe MSCHAPv2 implies that there is mutual authentication so it is not just that the client proves it knows the password to the server, the server also proves (in a these days cryptographically broken way) to the client that it also knows the client's password. You'll probably have to switch to EAP-TTLS-PAP for this client. If you are lucky, you'll be able to keep PEAP-MSCHAPv2 as the first offered protocol and the client can be configured with EAP-TTLS-PAP and will do the correct negotiation. But if you are not, the client will have a buggy supplicant that won't negotiate properly, or (rather unlikely) the presence of the EAP-TTLS-PAP fallback will be noticed by other clients and cause some sort of issue. If this special client is stationary on the wired network and has lower security risk, it would probably be less trouble to set up mac auth bypass for it or use mac-based port security. If your MSCHAP is terminating in actual Microsoft AD servers or if you have been clever enough to export NT-Hashes out of AD and are using machine auth or "Use my Windows Credentials" settings on the client side, you should be aware of Microsoft's upcoming server-side deprecation of NTLM, but if I interpret what you described correctly, you are instead authing against non-AD crypts or plaintexts stored in LDAP so AFAIK Microsoft's client-side is going to continue to support that.
On Apr 1, 2026, at 11:22 AM, cedric Delaunay <cedric.delaunay@insa-rennes.fr> wrote:
I'd like to find how to force "accept" for a special user, based on "mods-config/files/authorize" file - user is logged-in on device so that is real username is kown only by inner-tunnel - user isn't known by ldap (that's why I try with "users" file) - user's password may change so that I don't want to check it
This allegedly works. It was posted to the list a while back. I haven't had a chance to test it in detail, or figure out exactly what Windows is doing with it. authorize { ... update { &control:SMB-Account-CTRL-TEXT := '[N]' &reply:MS-CHAP2-Success = 'password-free' } .. That allegedly works for MS-CHAP authentication. I've tried it with PEAP, and got nowhere. Alan DeKok.
Alan DeKok via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
On Apr 1, 2026, at 11:22 AM, cedric Delaunay <cedric.delaunay@insa-rennes.fr> wrote:
I'd like to find how to force "accept" for a special user, based on "mods-config/files/authorize" file - user is logged-in on device so that is real username is kown only by inner-tunnel - user isn't known by ldap (that's why I try with "users" file) - user's password may change so that I don't want to check it
This allegedly works. It was posted to the list a while back. I haven't had a chance to test it in detail, or figure out exactly what Windows is doing with it.
authorize { ... update { &control:SMB-Account-CTRL-TEXT := '[N]' &reply:MS-CHAP2-Success = 'password-free' } ..
That allegedly works for MS-CHAP authentication. I've tried it with PEAP, and got nowhere.
Hrm... well I hope not. Otherwise MS has made some evil twins pretty happy. If it isn't some leftover legacy thing then it'll be another "thousand cut" move in pursuit of their pipe dream of passwordless-everything, done with little to no regard for the realities of running an enterprise level BYOD network. Sigh, I'm getting sick of the bi-annual break-fix cycle at the mercy of major players' supplicant behaviors. Well... at least Android finally fixed their stuff.
Hello, Thanks for your answers, I will look at this as soon as possible Cédric -- Cédric Delaunay Equipe Infrastructures / Direction du Système d'Information RSSI Suppléant Tél. : +33 (0)2 23 23 8568 INSA Rennes 20 avenue des Buttes de Coësmes CS 70839 - 35 708 RENNES Cedex 7 De: "Cedric Delaunay" <cedric.delaunay@insa-rennes.fr> À: freeradius-users@lists.freeradius.org Envoyé: Mercredi 1 Avril 2026 17:22:58 Objet: 802.1X - ldap AND users file Hello List, Network Wired Project running here. Devices users authenticate successfully using peap/mschapV2 and ldap backend outer identity is configured as anonymous I'd like to find how to force "accept" for a special user, based on "mods-config/files/authorize" file - user is logged-in on device so that is real username is kown only by inner-tunnel - user isn't known by ldap (that's why I try with "users" file) - user's password may change so that I don't want to check it "users" entry looks like : myuser Auth-Type := Accept Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, #Tunnel-Private-Group-ID = "407", Tmp-String-1 = "407" Tmp-String-1 is used by default/post-auth section as it : update reply { Tunnel-Private-Group-Id := "%{reply:Tmp-String-1}" } files module is enabled in inner tunnel/authorize My problem : I cant see "accept" during inner-tunnel (after authorize file module) (9) files: users: Matched entry myuser at line 99 (9) [files] = ok (9) } # authorize = ok (9) Found Auth-Type = Accept (9) Auth-Type = Accept, accepting the user (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel but next challenge says (10) eap_peap: ERROR: We sent a success, but the client did not agree (10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed Il don't know what is the best way to achieve this. Any idea ? Thanks -- : Cédric Delaunay Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information Admin Réseau / RSSI Suppléant Tel. : +33 (0)2 23 23 8568 INSA Rennes 20 avenue des Buttes de Coêsmes CS 70839 - 35 708 RENNES Cedex 7 [ http://www.insa-rennes.fr/ | www.insa-rennes.fr ]
Hello, Unfortunately, I tried your proposals this morning with non success : I've got this error during last challenge : # prise en compte du compte myuser myuser Auth-Type := Accept Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, #Tunnel-Private-Group-ID = "407", Tmp-String-1 = "407" innertunnel authorize { .... # # Read the 'users' file files if (&request:User-Name == "myuser") { update { # &Cleartext-Password = &request:User-Name &control:SMB-Account-CTRL-TEXT := '[N]' &reply:MS-CHAP2-Success = 'password-free' } } .... rlm_ldap (ldap): Reserved connection (0) (10) ldap: EXPAND (uid=%{mschap:User-Name}) (10) ldap: --> (uid=anonymous) (10) ldap: Performing search in "dc=insa-rennes,dc=fr" with filter "(uid=anonymous)", scope "sub" (10) ldap: Waiting for search result... (10) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) (10) [ldap] = notfound (10) [expiration] = noop (10) [logintime] = noop (10) [pap] = noop (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) authenticate { (10) eap: Removing EAP session with state 0xf1f3b91af8dda0ab (10) eap: Previous EAP request found for state 0xf1f3b91af8dda0ab, released from the list (10) eap: Peer sent packet with method EAP PEAP (25) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: (TLS) EAP Done initial handshake (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state send tlv success (10) eap_peap: Received EAP-TLV response (10) eap_peap: Client rejected our response. The password is probably incorrect (10) eap_peap: ERROR: We sent a success, but the client did not agree (10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (10) eap: Sending EAP Failure (code 4) ID 46 length 4 (10) eap: Failed in EAP select (10) [eap] = invalid (10) } # authenticate = invalid (10) Failed to authenticate the user (10) Using Post-Auth-Type Reject (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Post-Auth-Type REJECT { That's what Brian expected :( => server is ok but client don't Any other way to reach my goal ? Thanks -- Cédric Delaunay Equipe Infrastructures / Direction du Système d'Information RSSI Suppléant Tél. : +33 (0)2 23 23 8568 INSA Rennes 20 avenue des Buttes de Coësmes CS 70839 - 35 708 RENNES Cedex 7 De: "Cedric Delaunay" <cedric.delaunay@insa-rennes.fr> À: "freeradius-users" <freeradius-users@lists.freeradius.org> Envoyé: Jeudi 2 Avril 2026 21:41:09 Objet: Re: 802.1X - ldap AND users file Hello, Thanks for your answers, I will look at this as soon as possible Cédric -- Cédric Delaunay Equipe Infrastructures / Direction du Système d'Information RSSI Suppléant Tél. : +33 (0)2 23 23 8568 INSA Rennes 20 avenue des Buttes de Coësmes CS 70839 - 35 708 RENNES Cedex 7 De: "Cedric Delaunay" <cedric.delaunay@insa-rennes.fr> À: freeradius-users@lists.freeradius.org Envoyé: Mercredi 1 Avril 2026 17:22:58 Objet: 802.1X - ldap AND users file Hello List, Network Wired Project running here. Devices users authenticate successfully using peap/mschapV2 and ldap backend outer identity is configured as anonymous I'd like to find how to force "accept" for a special user, based on "mods-config/files/authorize" file - user is logged-in on device so that is real username is kown only by inner-tunnel - user isn't known by ldap (that's why I try with "users" file) - user's password may change so that I don't want to check it "users" entry looks like : myuser Auth-Type := Accept Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, #Tunnel-Private-Group-ID = "407", Tmp-String-1 = "407" Tmp-String-1 is used by default/post-auth section as it : update reply { Tunnel-Private-Group-Id := "%{reply:Tmp-String-1}" } files module is enabled in inner tunnel/authorize My problem : I cant see "accept" during inner-tunnel (after authorize file module) (9) files: users: Matched entry myuser at line 99 (9) [files] = ok (9) } # authorize = ok (9) Found Auth-Type = Accept (9) Auth-Type = Accept, accepting the user (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel but next challenge says (10) eap_peap: ERROR: We sent a success, but the client did not agree (10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed Il don't know what is the best way to achieve this. Any idea ? Thanks -- : Cédric Delaunay Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information Admin Réseau / RSSI Suppléant Tel. : +33 (0)2 23 23 8568 INSA Rennes 20 avenue des Buttes de Coêsmes CS 70839 - 35 708 RENNES Cedex 7 [ http://www.insa-rennes.fr/ | www.insa-rennes.fr ]
Cedric Delaunay <cedric.delaunay@insa-rennes.f/r> wrote:
That's what Brian expected :( => server is ok but client don't Any other way to reach my goal ?
I don't know if this satisfies all your needs but if you create another username with a password that does not change a lot, you could set it up as an "All User" profile on that Windows machine such that the machine is using it essentially as a machine account, and remove any WiFi profiles that use the user account with the password that changes a lot. That account would be used only for WiFi not other SSO needs. However given what Microsoft is doing with Credential Guard and MCHAP, setting an MSCHAPv2 account up like this could get mucked up by that. If you set up an EAP-TLS or EAP-TTLS-PAP account as an "All User" you might be safer. That would require offering the second EAP method as a second fallback during EAP negotiation. For this specific host that could cause blips during roaming, but as long as the special EAP type is run as the second option the rest of the fleet will pick the first option and will not notice.
On Apr 10, 2026, at 7:50 AM, Cedric Delaunay <Cedric.Delaunay@insa-rennes.fr> wrote:
Unfortunately, I tried your proposals this morning with non success :
Oh well. :(
That's what Brian expected :( => server is ok but client don't Any other way to reach my goal ?
Use TTLS with PAP. Plus, you shouldn't really be using PEAP/MS-CHAP. Using that requires you to store clear-text passwords on disk. Which is very bad. PAP is substantially more secure, despite random nonsense articles you might find on the net. There will shortly be an RFC which explains this, and deprecates CHAP / MS-CHAP in favour of PAP. Alan DeKok.
participants (4)
-
Alan DeKok -
Brian Julin -
cedric Delaunay -
Cedric Delaunay