Authorize all/any users for a PEAP, WPA2 enterprise setup
Toby
chinesevases at gmail.com
Thu Oct 27 01:51:25 CEST 2011
Hi all,
I apologize in advance if this question has been answered previously
but I have searched extensively and cannot find discussion of this
particular topic.
What I am wanting to set up, at least initially, is a WPA2 enterprise
(802.11i) wireless access point that will authorize ANY user (accept
all credentials/username-password combinations) and thereby provide
encrypted wireless access as well as confirmation of the access
point's identity, but not restrict which users can connect.
I have the system/network/freeradius server running and authentication
works if a specific username and password is supplied (e.g. 'testuser
Cleartext-Password := "testpass"' in users file will allow username
'testuser' with password 'testpass' to connect) or with any username
and a specific password (e.g. 'DEFAULT Cleartext-Password := "testpass"'
in the users file will allow any username that provides the password
'testpass' to connect). However, I have tried various options and
cannot find a way to achieve my goal of any username with any password
being accepted.
I have not yet attempted to set up a database and modify SQL queries to
always return true or perform the equivalent with shell scripts as it
seems that a simple, single line in the users file should be able to
do the job. (With only a little research done it appears that both
the SQL and shell script options would be possible [would they?] but
both seem unnecessarily complex for this.)
Some options I have tried in the users file are:
DEFAULT Cleartext-Password := "testpass" # works for any username
and the password "testpass"
DEFAULT User-Password := "testpass" # as above (and as expected)
works for any username with the password "testpass"
DEFAULT Cleartext-Password =* "testpass" # doesn't work, trying to
accept any password; from the users man page "Attribute =* Value As a
check item, it matches if the request contains the named attribute, no
matter what the value is." ==> request doesn't contain the named
attribute 'Cleartext-Password'?!
DEFAULT Cleartext-Password !~ /1mp0ss1ble/ # doesn't work - in the
hope of accepting if password provided is NOT "1mp0ss1ble"; "Attribute
!~ Expression As a check item, it matches if the request contains an
attribute which does not match the given regular expression."
DEFAULT Cleartext-Password =~ /.*/ # doesn't work - in the hope of
accepting any user if any password is provided; "Attribute =~
Expression As a check item, it matches if the request contains an
attribute which matches the given regular expression."
DEFAULT Cleartext-Password > "" # doesn't work - in the hope that
ANY password would be > ""; "Attribute > Value As a check item, it
matches if the request contains an attribute with a value greater than
the one given."
For what it's worth the users manpage to which I refer is
http://freeradius.org/radiusd/man/users.html#lbAE.
I have also tried "DEFAULT Auth-Type := Accept" [despite having read
in advance that this shouldn't work - indeed it doesn't/didn't!]
This problem is (apparently) not related to certificates or Windows XP
not working (as appears to be the most commonly encountered problem
around this topic - I am not using Windows). The setup DOES work with
any username as long as a password is explicitly specified in the
users file.
Some keywords to aid others who might search for the same topic in
future: wildcard password, regex password, regular expression
And yes, I am new to and inexperienced with RADIUS, so please be gentle.
And yes, I expect I am missing something very simple - a config
setting somewhere?
I hope this is as trivial a problem as I expect it to be and someone
out there will smile at my naivety and know the solution I'm looking
for.
Thanks in advance.
Toby.
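The check-item operators quoted above from users(5) are all questions about attributes carried in the request, and that is the gap these entries fall into: Cleartext-Password is a known-good password that the users file stores on the server side for the authentication module to compare against, not an attribute the supplicant sends. The script below is an added illustration, not FreeRADIUS code and not part of Toby's post. It models those operator semantics and runs the post's entries against two constructed requests: a PAP request carrying User-Password, and the inner request of a PEAP exchange carrying MS-CHAP-Challenge and MS-CHAP2-Response (assuming the usual MS-CHAPv2 inner method; the usernames, passwords and challenge/response bytes are placeholders). `pap_password_check` and `mschapv2_verifiable` are simplified stand-ins for the pap and mschap modules; whether FreeRADIUS then accepts the request also depends on Auth-Type handling, which the model does not cover.

```python
import re

# Added illustration (not FreeRADIUS code): a minimal model of how the
# "users" file check-item operators from users(5) are evaluated against
# the attributes carried in a RADIUS request.

# One users-file entry: <name> <attribute> <operator> <"value" or /regex/>
ENTRY_RE = re.compile(
    r'^(\S+)\s+([A-Za-z0-9-]+)\s+(:=|=\*|!\*|==|!=|=~|!~|>|<)\s+'
    r'(?:"([^"]*)"|/([^/]*)/)'
)

# Constructed sample requests (not captured traffic).
PAP_REQUEST = {"User-Name": "alice", "User-Password": "s3cret"}
PEAP_MSCHAPV2_REQUEST = {  # inner request of a PEAP/MS-CHAPv2 exchange
    "User-Name": "alice",
    "MS-CHAP-Challenge": "0x" + "11" * 16,   # placeholder bytes
    "MS-CHAP2-Response": "0x" + "22" * 50,   # placeholder bytes
}


def check_item_matches(attr, op, value, request):
    """Evaluate one comparison operator the way users(5) describes it.

    Every operator here is a question about the REQUEST: '=*' asks whether
    the attribute is present, the others need it present and then compare
    its value.  An attribute the supplicant never sends can therefore never
    satisfy '=*', '=~', '!~' or '>'.
    """
    present = attr in request
    if op == "=*":
        return present
    if op == "!*":
        return not present
    if not present:
        return False
    actual = request[attr]
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.search(value, actual) is not None
    if op == "!~":
        return re.search(value, actual) is None
    if op == ">":
        return actual > value
    if op == "<":
        return actual < value
    raise ValueError(f"unknown operator {op!r}")


def evaluate_entry(line, request):
    """Return (matched, control) for one users-file line.

    ':=' is not a comparison: it stores the value in the server-side
    control list (where Cleartext-Password lives), so it always 'matches'.
    """
    body = line.split("#", 1)[0].strip()      # drop trailing comment
    m = ENTRY_RE.match(body)
    if m is None:
        raise ValueError(f"cannot parse users entry: {line!r}")
    name, attr, op, quoted, regex = m.groups()
    value = quoted if quoted is not None else regex
    control = {}
    # First column: a literal User-Name, or DEFAULT for any user.
    if name != "DEFAULT" and request.get("User-Name") != name:
        return False, control
    if op == ":=":
        control[attr] = value
        return True, control
    return check_item_matches(attr, op, value, request), control


def pap_password_check(request, control):
    """Simplified stand-in for the pap module: compare the password the
    supplicant sent with the known-good one the users file configured."""
    known_good = control.get("Cleartext-Password")
    return known_good is not None and known_good == request.get("User-Password")


def mschapv2_verifiable(control):
    """Simplified stand-in for the mschap module's precondition: the inner
    MS-CHAPv2 request carries a challenge/response, not the password, so the
    server needs a known-good password (or its NT hash) both to verify the
    response and to compute the authenticator response the client checks."""
    return "Cleartext-Password" in control or "NT-Password" in control


if __name__ == "__main__":
    entries = [
        'DEFAULT Cleartext-Password := "testpass"',
        'DEFAULT Cleartext-Password =* "testpass"',
        'DEFAULT Cleartext-Password !~ /1mp0ss1ble/',
        'DEFAULT Cleartext-Password =~ /.*/',
        'DEFAULT Cleartext-Password > ""',
    ]
    for label, req in (("PAP", PAP_REQUEST), ("PEAP/MS-CHAPv2", PEAP_MSCHAPV2_REQUEST)):
        print(f"--- {label} request carries: {sorted(req)}")
        for e in entries:
            matched, control = evaluate_entry(e, req)
            print(f"{e:48} matched={matched!s:5} control={control}")
```

Run against either request, every comparison entry reports `matched=False` for the same reason: the request has no Cleartext-Password attribute to compare. The `:=` entry matches only because it is an assignment, and what it assigns is then used by the authentication module, which is the one place a supplied password is ever compared. With the MS-CHAPv2 inner method that module has to prove knowledge of the password back to the client as well as verify the response, so without a known-good password there is nothing to verify and nothing to prove; that is a property of the protocol, not a users-file syntax question.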