Authorize all/any users for a PEAP, WPA2 enterprise setup
Hi all, I apologize in advance if this question has been answered previously but I have searched extensively and cannot find discussion of this particular topic. What I am wanting to setup, at least initially, is a WPA2 enterprise (802.11i) wireless access point that will authorize ANY user (accept all credentials/username-password combinations) and thereby provide encrypted wireless access as well as confirmation of the access point's identity, but not restrict which users can connect. I have the system/network/freeradius server running and authentication works if a specific username and password is supplied (eg. 'testuser Cleartext-Password := "testpass"' in users file will allow username 'testuser' with password 'testpass' to connect) or with any username and a specific password (eg. 'DEFAULT Cleartext-Password := "testpass" in the users file will allow any username that provides the password 'testpass' to connect). However, I have tried various options and cannot find a way to achieve my goal of any username with any password being accepted. I have not yet attempted to setup a database and modify SQL queries to always return true or perform the equivalent with shell scripts as it seems that a simple, single line in the users file should be able to do the job. (With only a little research done it appears that both the SQL and shell script options would be possible [would they?] but both seem unnecessarily complex for this) Some options I have tried in the users file are: DEFAULT Cleartext-Password := "testpass" # works for any username and the password "testpass" DEFAULT User-Password := "testpass" # as above (and as expected) works for any username with the password "testpass" DEFAULT Cleartext-Password =* "testpass" # doesn't work, trying to accept any password; from the users man page "Attribute =* Value As a check item, it matches if the request contains the named attribute, no matter what the value is." ==> request doesn't contain the named attribute 'Cleartext-Password'?! DEFAULT Cleartext-Password !~ /1mp0ss1ble/ # doesn't work - in the hope of accepting if password provided is NOT "1mp0ss1ble"; "Attribute !~ Expression As a check item, it matches if the request contains an attribute which does not match the given regular expression." DEFAULT Cleartext-Password =~ /.*/ # doesn't work - in the hope of accepting any user if any password is provided; "Attribute =~ Expression As a check item, it matches if the request contains an attribute which matches the given regular expression." DEFAULT Cleartext-Password > "" # doesn't work - in the hope that ANY password would be > ""; "Attribute > Value As a check item, it matches if the request contains an attribute with a value greater than the one given." For what it's worth the users manpage to which I refer is http://freeradius.org/radiusd/man/users.html#lbAE. I have also tried "DEFAULT Auth-Type := Accept" [despite having read in advance that this shouldn't work - indeed it doesn't/didn't!] This problem is (apparently) not related to certificates or Windows XP not working (as appears to be the most commonly encountered problem around this topic - I am not using Windows). The setup DOES work with any username as long as a password is explicitly specified in the users file. Some keywords to aid others who might search for the same topic in future: wildcard password, regex password, regular expression And yes I am new to and inexperienced with RADIUS so please be gentle. And yes I expect I am missing something very simple - a config setting somewhere? I hope this is as trivial a problem as I expect it to be and someone out there will smile at my naivety and know the solution I'm looking for. Thanks in advance. Toby.
On 27/10/2011 00:51, Toby wrote:
Hi all,
I apologize in advance if this question has been answered previously but I have searched extensively and cannot find discussion of this particular topic.
What I am wanting to setup, at least initially, is a WPA2 enterprise (802.11i) wireless access point that will authorize ANY user (accept all credentials/username-password combinations) and thereby provide encrypted wireless access as well as confirmation of the access point's identity, but not restrict which users can connect.
Your body doesn't mention PEAP, but your subject does. If you have to use PEAP i.e. MS-CHAPv2 inner, it's not possible: http://wiki.freeradius.org/FAQ#How+do+I+permit+access+to+any+user+regardless... You could perhaps do it with TTLS/PAP. -James
participants (2)
-
James J J Hooper -
Toby