Integration with CISCO Router for PEAP requests

Phil Mayers p.mayers at imperial.ac.uk
Fri Aug 31 11:26:57 CEST 2012


On 08/30/2012 05:52 PM, Andras Ionut wrote:

>
> Now, I especially need to send Access-Accept for PEAP with inner
> EAP-MSCHAPv2, and I also don't use MySQL to select the users.
> I've also tried to set Access-Accept as any other AVP from my Freeradius
> module, but it doesn't work. (extract from log attached)

You keep repeating this. It is obvious you are really desperate. But it 
doesn't work like that.

You *CAN* force the server to send the Accept - Arran has shown you how 
to do that. The FAQ entry is another way to force it for *every* user.

The reason the FAQ entry says "this doesn't work for EAP" is NOTHING to 
do with the server. With enough knowledge, you can make the server do 
anything you want.

The problem is the EAP client. It WILL NOT STAY CONNECTED to the network.

Think about it for a second: from the debug you show, you are dealing 
with Wi-Fi. If you force auth success, the radius server will return an 
accept, and the wi-fi point will forward the EAP Success to the client. 
But the client will not have completed a successful authentication, so 
it won't have any keying material. How is it going to send encrypted 
packets?

Try it and see; do what the FAQ entry says, or what Arran has suggested, 
and watch what the client does when you try to override failed auth.
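
The keying-material argument above, as an added example that is not part of the original post: it assumes WPA2-Enterprise with CCMP (the post only says Wi-Fi), where the PMK both sides use in the 4-way handshake comes from the completed EAP method. Function names and all values are constructed for illustration.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the 48-byte CCMP PTK: the key that authenticates handshake frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for the HMAC-SHA1 key descriptor, truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def ap_accepts_message2(ap_pmk, client_pmk, aa, spa, anonce, snonce, frame) -> bool:
    """True if the AP can verify the MIC the client puts on handshake message 2."""
    if ap_pmk is None or client_pmk is None:
        # A side that never finished the EAP method has no PMK at all,
        # so no MIC can be produced or checked and the handshake stalls.
        return False
    sent = mic(derive_kck(client_pmk, aa, spa, anonce, snonce), frame)
    expected = mic(derive_kck(ap_pmk, aa, spa, anonce, snonce), frame)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                # constructed nonces
    frame = b"constructed EAPOL-Key message 2"
    pmk = b"\x11" * 32  # stands in for the PMK a completed PEAP exchange yields
    print("completed PEAP :", ap_accepts_message2(pmk, pmk, aa, spa, anonce, snonce, frame))
    print("forced Accept  :", ap_accepts_message2(pmk, None, aa, spa, anonce, snonce, frame))
```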

