Change PEAP user-name and user-password
I am trying to figure out if what i want to do is possible. I work for a VPN vendor. We support device auth as well as user auth. User auth is always required no matter what. I have a customer that wants device auth only using eap-tls. No issues this works fine. They want to disable user auth and user only device certificate auth which we do not support. I want to bascially be able to accept all user auth requests presented to the radius server which would in effect give them what they want. I know that with eap\mschapv2 (we dont support lesser protocols) you cannot have auto accept all requests due to mutual auth required. My thought was to create a default user in freeradius and then update user-name and user-password to the deafult user. So joe tries to authenticate and unlang rewrites joe to default user. And rewrites joes password to default user password. Auth succeeds. Ive researched the forums and i think i need to do this on the outer tunnel as well as the inner tunnel? I cant find anything that is clear on that. If someone could point me in the right direction and let me know if i am on the right track? Thanks
On Jun 13, 2018, at 5:59 PM, Seth Lampman <sethklampman@gmail.com> wrote:
I am trying to figure out if what i want to do is possible. I work for a VPN vendor. We support device auth as well as user auth. User auth is always required no matter what. I have a customer that wants device auth only using eap-tls. No issues this works fine. They want to disable user auth and user only device certificate auth which we do not support.
Adding certificate authentication shouldn't be that hard...
I want to bascially be able to accept all user auth requests presented to the radius server which would in effect give them what they want.
That's really impossible in most EAP methods.
I know that with eap\mschapv2 (we dont support lesser protocols) you cannot have auto accept all requests due to mutual auth required.
Yes.
My thought was to create a default user in freeradius and then update user-name and user-password to the deafult user. So joe tries to authenticate and unlang rewrites joe to default user. And rewrites joes password to default user password. Auth succeeds.
That doesn't work. The mutual authentication is mutual between the end user system (i.e. Joe), and FreeRADIUS. You can re-write things in FreeRADIUS however you want, and it won't matter. The end user system will reject the response from FreeRADIUS. That's what *mutual* auth means. *Both* ends have to agree. You can't just mangle one end and expect it to work.
Ive researched the forums and i think i need to do this on the outer tunnel as well as the inner tunnel? I cant find anything that is clear on that.
If someone could point me in the right direction and let me know if i am on the right track?
It's impossible. Alan DeKok.
Crap. I was hoping there would be a way to get FR to accept anything i threw at it. Thanks for your help On Wed, Jun 13, 2018, 6:03 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jun 13, 2018, at 5:59 PM, Seth Lampman <sethklampman@gmail.com> wrote:
I am trying to figure out if what i want to do is possible. I work for a VPN vendor. We support device auth as well as user auth. User auth is always required no matter what. I have a customer that wants device auth only using eap-tls. No issues this works fine. They want to disable
user
auth and user only device certificate auth which we do not support.
Adding certificate authentication shouldn't be that hard...
I want to bascially be able to accept all user auth requests presented to the radius server which would in effect give them what they want.
That's really impossible in most EAP methods.
I know that with eap\mschapv2 (we dont support lesser protocols) you cannot have auto accept all requests due to mutual auth required.
Yes.
My thought was to create a default user in freeradius and then update user-name and user-password to the deafult user. So joe tries to authenticate and unlang rewrites joe to default user. And rewrites joes password to default user password. Auth succeeds.
That doesn't work. The mutual authentication is mutual between the end user system (i.e. Joe), and FreeRADIUS. You can re-write things in FreeRADIUS however you want, and it won't matter. The end user system will reject the response from FreeRADIUS.
That's what *mutual* auth means. *Both* ends have to agree. You can't just mangle one end and expect it to work.
Ive researched the forums and i think i need to do this on the outer tunnel as well as the inner tunnel? I cant find anything that is clear on that.
If someone could point me in the right direction and let me know if i am on the right track?
It's impossible.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi So use auth to be disabled and only device auth? How many the device auth happening? If via EAP-TLS etc this is possible. If via just MAC but started with eap no unless via policy where you still need the EAP to pass.... alan On Wed, 13 Jun 2018, 23:59 Seth Lampman, <sethklampman@gmail.com> wrote:
I am trying to figure out if what i want to do is possible. I work for a VPN vendor. We support device auth as well as user auth. User auth is always required no matter what. I have a customer that wants device auth only using eap-tls. No issues this works fine. They want to disable user auth and user only device certificate auth which we do not support. I want to bascially be able to accept all user auth requests presented to the radius server which would in effect give them what they want.
I know that with eap\mschapv2 (we dont support lesser protocols) you cannot have auto accept all requests due to mutual auth required. My thought was to create a default user in freeradius and then update user-name and user-password to the deafult user. So joe tries to authenticate and unlang rewrites joe to default user. And rewrites joes password to default user password. Auth succeeds.
Ive researched the forums and i think i need to do this on the outer tunnel as well as the inner tunnel? I cant find anything that is clear on that.
If someone could point me in the right direction and let me know if i am on the right track?
Thanks
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
So in our product device auth is happening seperately from user auth. Eap-tls is configured and working fine. We do support eap-tls for user auth and that wont work because the users personal cert store isnt available until after they log into their profile. No profile , no access to cert. On Wed, Jun 13, 2018, 6:21 PM Alan Buxey <alan.buxey@gmail.com> wrote: > Hi > > So use auth to be disabled and only device auth? How many the device auth > happening? If via EAP-TLS etc this is possible. If via just MAC but started > with eap no unless via policy where you still need the EAP to pass.... > > alan > > On Wed, 13 Jun 2018, 23:59 Seth Lampman, <sethklampman@gmail.com> wrote: > > > I am trying to figure out if what i want to do is possible. I work for a > > VPN vendor. We support device auth as well as user auth. User auth is > > always required no matter what. I have a customer that wants device auth > > only using eap-tls. No issues this works fine. They want to disable > user > > auth and user only device certificate auth which we do not support. I > want > > to bascially be able to accept all user auth requests presented to the > > radius server which would in effect give them what they want. > > > > I know that with eap\mschapv2 (we dont support lesser protocols) you > cannot > > have auto accept all requests due to mutual auth required. My thought > was > > to create a default user in freeradius and then update user-name and > > user-password to the deafult user. So joe tries to authenticate and > unlang > > rewrites joe to default user. And rewrites joes password to default user > > password. Auth succeeds. > > > > Ive researched the forums and i think i need to do this on the outer > tunnel > > as well as the inner tunnel? I cant find anything that is clear on that. > > > > If someone could point me in the right direction and let me know if i am > on > > the right track? > > > > Thanks > > > > > > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html
participants (3)
-
Alan Buxey -
Alan DeKok -
Seth Lampman