Machine auth without cert - EAP-PEAP/MSCHAPV2
I've been experimenting with machine auth without using a cert, but I seem to be stuck on the fact that FreeRadius will not authenticate a local user. I see the request come across through debugging with a username of "host/mymachine.mydomain.com", and no password, and in my users file I have "host/mymachine.mydomain.com" Cleartext-Password="", Auth-Type := Local, MS-CHAP-Use-NTLM-Auth := 0 Filter-ID = "WIRELESS-USER", Fall-Through = 0 but for some reason it never authenticates... I've tried every both without the MS-CHAP option, that doesn't seem to change it. Also tried User-Password instead of cleartext password, no change. Any suggestions? Ryan
Hi Ryan, What you're trying to do is impossible. MS-CHAPv2 is a mutual authentication protocol, meaning that FreeRADIUS needs to demonstrate knowledge of the password to the machine. josh.
-----Original Message----- From: freeradius-users-bounces+josh.howlett=ja.net@lists.freeradius. org [mailto:freeradius-users-bounces+josh.howlett=ja.net@lists.fre eradius.org] On Behalf Of Ryan Kramer Sent: 25 February 2008 21:05 To: jvieira@clarku.edu; FreeRadius users mailing list Subject: Machine auth without cert - EAP-PEAP/MSCHAPV2
I've been experimenting with machine auth without using a cert, but I seem to be stuck on the fact that FreeRadius will not authenticate a local user.
I see the request come across through debugging with a username of "host/mymachine.mydomain.com", and no password, and in my users file I have
"host/mymachine.mydomain.com" Cleartext-Password="", Auth-Type := Local, MS-CHAP-Use-NTLM-Auth := 0 Filter-ID = "WIRELESS-USER", Fall-Through = 0
but for some reason it never authenticates... I've tried every both without the MS-CHAP option, that doesn't seem to change it. Also tried User-Password instead of cleartext password, no change. Any suggestions?
Ryan
JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
hi, you cant do this - the request must go through a full EAP validation cycle - otherwise the client will just barf. you dont 'need' certs if you want to be insecure on the client (but thats foolish) but you do need to take the incoming request and then do a challenge response against the PEAP/MSCAHPv2 - eg using ntlm_auth against an AD server (which works 100% fine for machine accounts) alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Josh Howlett -
Ryan Kramer