Hi All, I think I already know the answer but I'll ask it just the same. I've been asked to research the possibility to link radius to an external login server.(out of my control) The external server needs a username and cleartext password via a php script and will only reply 'ok' or 'fail'. It will not send back a password or anything. The devices we need to authenticate are numerous. From ipads, iphones, windows phones & android to all iterations of windows (7 and onwards), OSX & linux computers. Most if not all of them are students user devices which cannot be pre-configured. So it needs to work "out of the box". Now I can get this to work easily if I authenticate against a local LDAP server which has NTLM and local user passwd accounts. All of these devices can do EAP-TTLS-Mschapv2 or EAP-PEAP-Mschapv2 but not all of them do TTLS-PAP (Windows & Windows phone etc...) It is not possible with this setup to always get a cleartext password, or is it ? In your valued opinion : Can it be done or should I spend my time on advising and creating a custom capture portal for the network ? Kind regards, Arjan Sinnige
No. You got the main point near the end. ..your remote server is expecting username and password but unless your clients are using a form of authentication that supplies a password eg TTLS/PAP , you won't be able to do it. PEAP is mschapv2 - a challenge/response method alan
On 13 Dec 2015, at 18:18, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
No. You got the main point near the end. ..your remote server is expecting username and password but unless your clients are using a form of authentication that supplies a password eg TTLS/PAP , you won't be able to do it. PEAP is mschapv2 - a challenge/response method
It's ok Alan, he's gone now... -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Alan & Alan Wrote :-) - No. You got the main point near the end. ..your remote server is expecting username and password but unless your clients are using a form of - authentication that supplies a password eg TTLS/PAP , you won't be able to do it. PEAP is mschapv2 - a challenge/response method - It's impossible in general. Ok, thanks for the reply. That was what I thought, just wanted some reassurance. Why did I get unsubscribed ? Did my last mail go out in HTML ? Excuses if it did. Arjan Sinnige
On Dec 13, 2015, at 5:59 PM, Arjan Sinnige <a.sinnige@sae.edu> wrote:
I've been asked to research the possibility to link radius to an external login server.(out of my control)
OK.
The external server needs a username and cleartext password via a php script and will only reply 'ok' or 'fail'. It will not send back a password or anything.
How does it send a PHP script?
The devices we need to authenticate are numerous. From ipads, iphones, windows phones & android to all iterations of windows (7 and onwards), OSX & linux computers. Most if not all of them are students user devices which cannot be pre-configured. So it needs to work "out of the box".
Good luck...
Now I can get this to work easily if I authenticate against a local LDAP server which has NTLM and local user passwd accounts. All of these devices can do EAP-TTLS-Mschapv2 or EAP-PEAP-Mschapv2 but not all of them do TTLS-PAP (Windows & Windows phone etc...)
Exactly.
It is not possible with this setup to always get a cleartext password, or is it ?
It's not always possible to get a cleartext password.
In your valued opinion : Can it be done or should I spend my time on advising and creating a custom capture portal for the network ?
It's impossible in general. http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.
participants (4)
-
Alan Buxey -
Alan DeKok -
Arjan Sinnige -
Arran Cudbard-Bell