Freeradius like WPA2-PSK

Brian Julin BJulin at clarku.edu
Wed Nov 28 20:54:30 CET 2012



> Paulo wrote:

> Is there any way that freeradius can act as WPA-PSK?
> What I am trying to deploy is a wi-fi network with only one password
> that is changed every week.
> Right now I have an open wireless signal distributed over 20 wi-fi
> routers. This signal is used by all the clients of the hotel, so there
> is no way to distribute certificates to the clients.

WPA2-Enterprise with PEAP authentication is automatically recognized
by most new clients these days.  The clients will prompt for a username
and a password.  If you generate an ntcrypt (by shelling out of FR to
a utility to do so) for an inbound username/password on the RADIUS side
from a known cleartext password on the fly, you can arrange things such
that that password is accepted for any username.  No certificate is
required on the client side.  The server will need a certificate signed
by an authority that is already trusted by the clients ($$$).

You can also abuse MS domain notation to select from a set
of passwords for different groups, but that will require the users
to correctly type a backslash, which can be asking a bit much for
certain types of users.

So yes, but there is no way to get rid of the username box in the
login prompt; you just need to tell the users (when you give them
the password) to enter something in the username box.  Also,
without provisioning and distributing a client-side-verification
profile, your users may be hijacked by an AP pretending to be
one of yours, as long as it knows the password and has any valid cert;
but this is the case with WPA2-PSK as well (worse, in fact, without
the server-side certificate.)



More information about the Freeradius-Users mailing list