Hello, Is there any way that freeradius act as WPA-PSK?? What i am trying to deploy is a wi-fi network with only one password that is changed every week. Right now I have a open wireless signal distributed over 20 wi-fi routers. This signal is used by all the clients of the hotel, so there is no way to distribute certificate to the clients. -- Paulo Marcon. -------------------------------------------------- “Não sabendo que era impossível, foi lá e fez.” Jean Cocteau --------------------------------------------------
Paulo wrote:
Is there any way that freeradius act as WPA-PSK?? What i am trying to deploy is a wi-fi network with only one password that is changed every week. Right now I have a open wireless signal distributed over 20 wi-fi routers. This signal is used by all the clients of the hotel, so there is no way to distribute certificate to the clients.
WPA2-Enterprise with PEAP authentication is automatically recognized by most new clients these days. The clients will prompt for a username and a password. If you generate an ntcrypt (by shelling out of FR to a utility to do so) for an inbound username/password on the RADIUS side from a known cleartext password on the fly, you can arrange things such that that password is accepted for any username. No certificate is required on the client side. The server will need a certificate signed by an authority that is already trusted by the clients ($$$). You can also abuse MS domain notation to select from a set of passwords for different groups, but that will require the users to correctly type a backslash, which can be asking a bit much for certain types of users. So yes, but there is no way to get rid of the username box in the login prompt, you just need to tell the users (when you give them the password) to enter something in the username box. Also without provisioning and distributing a client-side-verification profile, your users may be hijacked by an AP pretending to be one of yours, as long as it knows the password and has any valid cert; but this is the case with WPA2-PSK as well (worse, in fact, without the server-side certificate.)
On 28 November 2012 19:54, Brian Julin <BJulin@clarku.edu> wrote:
WPA2-Enterprise with PEAP authentication is automatically recognized by most new clients these days. The clients will prompt for a username and a password. If you generate an ntcrypt (by shelling out of FR to a utility to do so) for an inbound username/password on the RADIUS side from a known cleartext password on the fly, you can arrange things such that that password is accepted for any username.
Hi Brian, Slightly tangential to the original question. But if you want to implement as per this suggestion, why do you need the external ntcrypt script. All that functionality is built in, just do this: server INNER-eap { authorize { ... update control { Cleartext-Password := 'thePassword' MS-CHAP-Use-NTLM-Auth := 0 } ... } ... } Kind regards, James -- James J J Hooper Senior Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk --
James JJ Hooper wrote:
WPA2-Enterprise with PEAP authentication is automatically recognized by most new clients these days. The clients will prompt for a username and a password. If you generate an ntcrypt (by shelling out of FR to a utility to do so) for an inbound username/password on the RADIUS side from a known cleartext password on the fly, you can arrange things such that that password is accepted for any username.
Hi Brian, Slightly tangential to the original question. But if you want to implement as per this suggestion, why do you need the external ntcrypt script. All that functionality is built in, just do this:
You don't, unless you want to do something like telling people to enter "usernameBLAH" as their password. Sorry, I was mincing scenarios.
participants (3)
-
Brian Julin -
James JJ Hooper -
Paulo