Integration with CISCO Router for PEAP requests
Andras Ionut
ionut.andras at gmail.com
Thu Aug 30 12:12:43 CEST 2012
Thanks a lot for the quick answer, Arran.
That is exactly what I need - sending an Access-Accept and maybe
EAP-Success if possible. I don't care if the device will not connect.
I only need Access-Accept in order for the CISCO router to assign an
IP to the client and redirect it to portal using L4_Redirect.
Can this be done? If yes, can you please be more explicit on how to do
this in freeradius?
Thanks in advance,
Andras
----------------------------------------------------------
On 30 Aug 2012, at 09:40, Andras Ionut <ionut.andras at gmail.com> wrote:
> How can I configure FreeRADIUS to work with a CISCO Router and a
> captive portal in the following case...
>
> 1. User tries to access WiFi network with good user and wrong password
> 2. FreeRADIUS should send Access-Accept with Filter-Id set to portal
> redirect policy and not Access-Reject
> 3. User is presented login page, bla, bla, bla
>
> My problem is that I have to send an Access-Accept on failed login for
> PEAP (for TTLS I've managed to do it from config, but this is another
> story)
You can't fake an Accept that the PEAP supplicant will accept because
MSCHAPv2 requires that you actually provide the correct credentials.
You can send an Access-Accept back to the access point, and even force
an EAP-Success but the supplicant will probably refuse to connect
because it only cares about the success notification from the MSCHAPv2
inner.
Your only option is to run a separate open ssid with something like macauth.
TTLS works because you're using a PAP inner method, and IIRC the
keying material for WPA2 is derived from the SSL tunnel, which can be
established without knowledge of the user's password. If you tried
TTLS-MSCHAPv2 it would fail.
-Arran