RADIUS & PEAP

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue Jul 3 23:20:57 CEST 2007


If you're using the Windows supplicant (which nearly everyone is, despite 
its nastiness), and want passwordless authentication using EAP, your 
only other solution is to set up local PKI (public key infrastructure), 
and start issuing client certificates, and use EAP-PEAP-TLS (Microsoft's 
version of EAP TLS).  

> What you're attempting to do is impossible because MS-CHAP is a mutual
> authentication protocol. If the RADIUS server does not demonstrate
> knowledge of the password to the supplicant, a well-behaved
> supplicant *should* refuse the connection.
>
> (I also wouldn't be surprised if the RADIUS server barfs because it
> can't get a valid user-password in order to construct the authentication
> response but I can't comment authoritatively on this).
>
> Finally, you can't authenticate MS-CHAP against /etc/passwd or
> /etc/shadow; MS-CHAP requires access to the cleartext password or its
> NTLM hash.
>
> josh.
>
>   
>> -----Original Message-----
>> From: freeradius-users-bounces+josh.howlett=ja.net at lists.freeradius.org
>> [mailto:freeradius-users-bounces+josh.howlett=ja.net at lists.freeradius.org]
>> On Behalf Of Adrienne Rau
>> Sent: 03 July 2007 19:30
>> To: freeradius-users at lists.freeradius.org
>> Subject: RADIUS & PEAP
>>
>> I am configuring a wireless network with EAP Authentication.  
>> I can connect successfully with the following line in my users file.
>>
>> testuser User-Password == "testing"
>>
>> I would like to be able to authenticate with ANY password.  I 
>> tried using the "!=" operand, but that causes an MS-CHAP 
>> incorrect response error.  Is there any way to make EAP 
>> authenticate with any password?  If not, how can I have it 
>> authenticate against the /etc/passwd and /etc/shadow files?
>>
>> Thank you for your help,
>> Adrienne Rau
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>
>>     
>
>   
