EAP-PEAP (mschapv2) & ssid restriction

Sergey Velikanov vgray at bk.ru
Tue Dec 20 11:17:19 CET 2005


Hi

I've implemented Wi-Fi access (EAP-PEAP with MS-CHAP v2) and it works fine. Now I want users from one SSID
to be unable to connect to another SSID. My AP can include this information in the Access-Request packet:

rad_recv: Access-Request packet from host 192.168.232.3:1645, id=215, length=274
         User-Name = "user1"
         Framed-MTU = 1400
         Called-Station-Id = "0013.1a4b.ae50"
         Calling-Station-Id = "0002.2d37.249f"
         Cisco-AVPair = "ssid=is_client"

In my raddb/users I've changed

user1              User-Password == "123456"
to
user1           Cisco-AVPair =~ "ssid=is_client",       User-Password == "123456"

It works fine with EAP-TLS, but it fails with EAP-PEAP (it uses mschap):


   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/mschapv2
   rlm_eap: processing type mschapv2
   Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 18
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for user1 with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

It seems that rlm_mschap does not include Cisco-AVPair = "ssid=is_client" in its auth request.

How can I solve this situation?
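
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of users-file check-item matching, showing how the entry above can match the outer request yet leave the tunneled MS-CHAPv2 request with no User-Password. It assumes the inner PEAP request lacks the outer Cisco-AVPair unless outer attributes are copied into the tunnel (FreeRADIUS exposes this as `copy_request_to_tunnel` in the `peap` section of eap.conf); `match_entry`, `authorize` and `copy_to_tunnel` are hypothetical names.

```python
import re

# Constructed requests modelled on the debug output in the post.
OUTER = {"User-Name": "user1", "Called-Station-Id": "0013.1a4b.ae50",
         "Cisco-AVPair": "ssid=is_client"}
# Assumption: the tunneled MS-CHAPv2 request carries no outer NAS attributes.
INNER = {"User-Name": "user1"}

# The restricted users entry from the post, as (attribute, operator, value).
USERS = [("user1", [("Cisco-AVPair", "=~", "ssid=is_client"),
                    ("User-Password", "==", "123456")])]

def match_entry(check_items, request):
    """Return the control items set by an entry, or None if it does not match."""
    control = {}
    for attr, op, value in check_items:
        if attr == "User-Password":
            # Simplification: the password is kept as the known-good value for
            # the authenticate stage instead of being compared here.
            control[attr] = value
            continue
        actual = request.get(attr)
        if actual is None:
            return None          # attribute absent from this request
        if op == "=~" and not re.search(value, actual):
            return None
        if op == "==" and actual != value:
            return None
    return control

def authorize(users, request):
    """First matching entry wins; no match means no password is configured."""
    for name, check_items in users:
        if name == request.get("User-Name"):
            control = match_entry(check_items, request)
            if control is not None:
                return control
    return {}

def copy_to_tunnel(outer, inner):
    """Model of copying outer attributes into the inner request (inner wins)."""
    return {**outer, **inner}

if __name__ == "__main__":
    for label, req in [("outer (EAP-TLS path)", OUTER),
                       ("inner (PEAP tunnel)", INNER),
                       ("inner + copied outer", copy_to_tunnel(OUTER, INNER))]:
        print(label, "->", authorize(USERS, req) or "no User-Password configured")
```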




More information about the Freeradius-Users mailing list