Integration with CISCO Router for PEAP requests

Arran Cudbard-Bell a.cudbardb at
Thu Aug 30 11:32:00 CEST 2012

On 30 Aug 2012, at 09:40, Andras Ionut <ionut.andras at> wrote:

> How can I configure FreeRADIUS to work with a CISCO Router and a
> captive portal in the following case...
> 1. User tries to access WiFi network with good user and wrong password
> 2. FreeRADIUS should send Access-Accept with Filter-Id set to portal
> redirect policy and not Access-Reject
> 3. User is presented login page, bla, bla, bla
> My problem is that i have to send an Access-Accept on failed login for
> PEAP (For TTLS I've managed to do it from config, but this is another
> story)

You can't fake an Accept that the PEAP supplicant will accept because MSCHAPv2 requires that you actually provide the correct credentials. You can send an Access-Accept back to the access point, and even force an EAP-Success but the supplicant will probably refuse to connect because it only cares about the success notification from the MSCHAPv2 inner.

Your only option is to run a separate open ssid with something like macauth.

TTLS works because you're using a PAP inner method, and IIRC the keying material for WPA2 is derived from the SSL tunnel which can be estsblished without knowledge of the users password. If you tried TTLS-MSCHAPv2 it would fail.


More information about the Freeradius-Users mailing list