Authenticate WPA enterprise from custom service
Hello, I am trying to authenticate wifi users by using WPA enterprise. So far I have a script in the module folder: exec checkuser { wait = yes input_pairs = request output_pairs = reply program = "/etc/raddb/check-user.php -log -debug '%{User-Name}' '%{User-Password}' '%{NAS-IP-Address}' '%{Called-Station-Id}' '%{Calling-Station-Id}' '%{Chap-Password}'" shell_escape = yes } Where I pass the username and password. The script does the rest. It works properly. In my site-enables/default in the authorize section as the last check I have this: update control { Auth-Type := CheckUser } When I test it by using: # radtest adnan myPassword localhost 0 testing123 I clearly get in my log: Found Auth-Type = CheckUser # Executing group from file /etc/raddb/sites-enabled/default +- entering group CheckUser {...} [checkuser] expand: '%{User-Name}' -> 'adnan' [checkuser] expand: '%{User-Password}' -> 'myPassword ' [checkuser] expand: '%{NAS-IP-Address}' -> '172.20.4.1' [checkuser] expand: '%{Called-Station-Id}' -> '' [checkuser] expand: '%{Calling-Station-Id}' -> '' [checkuser] expand: '%{Chap-Password}' -> '' And the value for password is shown in the %{User-Password} variable. So it is passed to my PHP script for further checks. But when I try to login from my Android device I do not get the password, it is empty. I am using the following settings on my Android device, MSCHAPV2, and adding the identity (my username) and password. Is it possible to get the password in plain text from the remote device? I am missing some concept here, is there another way of authentication for WPA enterprise? All help is much appreciated. Regards, Adnan
On Nov 27, 2014, at 9:57 AM, Adnan Miljkovic <adnan@green.ba> wrote:
But when I try to login from my Android device I do not get the password, it is empty. I am using the following settings on my Android device, MSCHAPV2, and adding the identity (my username) and password.
When you use MS-CHAP, there is *no* User-Password in the request.
Is it possible to get the password in plain text from the remote device? I am missing some concept here, is there another way of authentication for WPA enterprise?
FreeRADIUS implements MS-CHAP. You should pass the “known good” password to FreeRADIUS, instead of writing your own authentication software. It is *impossible* to get the User-Password from MS-CHAP. Alan DeKok.
participants (2)
-
Adnan Miljkovic -
Alan DeKok