freeradius using linux user passwd

Julian Macassey julian at tele.com
Tue Jul 9 19:58:15 CEST 2013


On 2013-07-09 at 10:18, Matthew Newton (mcn4 at leicester.ac.uk) wrote:

> Julian,
> 
> On Mon, Jul 08, 2013 at 03:10:31PM -0700, Julian Macassey wrote:
> > 	I'm just trying to do a bog standard username and
> > password for OS X and Linux users on laptops - Plus the
> > ubiquitous smartphones of course. I have no Microsoft gear on the
> > LAN.
> 
> Try adding the following to the *top* of your users file:
> 
> evergreen Cleartext-Password := "pa55word", MS-CHAP-Use-NTLM-Auth := 0

When I use the users file, it works. In fact, every possible auth
protocol works:

	The line you have above does work. But, that's when I
have the user in the users file. When I comment it out so I can
use the /etc/password file - Nothing

radtest evergreen Y0V2T2VAKI 127.0.0.1:18120 0 d1sc0verplum

Which tests the inner tunnel works using:

radtest -t mschap evergreen Y0V2T2VAKI 127.0.0.1:18120 0 d1sc0verplum

	And every -t option (-t pap/chap/mschap/eap-md5) works.

	It also works with every port 1812 too:

radtest -t mschap evergreen Y0V2T2VAKI 127.0.0.1 0 d1sc0verplum

	And, here's the proof, with the line:
evergreen Cleartext-Password := "Y0V2T2VAKI"

in users I can connect to the WiFi router with a Macbook and an
iPhone.

	
> ...
> 
> your client is set to do PEAP/EAP-MSCHAPv2 - which is what most
> things (including Windows) will do by default. It can't auth
> against /etc/passwd, but it can if it knows the cleartext password
> as shown above.

	But, it needs to auth against /etc/password rather than
put every damn user into /etc/freeradius/users. Then if I give
someone a username and password on my server, freeradius will let
them use the WiFi too with no hassles.


> This is the EAP-MSCHAPv2 bit (inside the PEAP inner tunnel)
> telling you it's got no cleartext password or NTLM hash, so it
> can't authenticate the user.
> 
> Given a cleartext password as above, you should be good to go.

	Yup, works like a charm with the username password in
users. That would be ideal at home, where it is just my wife and
I and maybe a "guest" login for friends and relations.

	I will persevere. I have seen that in the 1.* release
there was an "Auth-Type System", which was for system username
password. 

Thanks for the help. 
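
An added illustration, not part of the original message and not FreeRADIUS code, of the point made in the quoted reply: a password the server sees in the clear (PAP) can be checked against a salted one-way hash of the kind stored for system accounts, while a challenge-response protocol needs the cleartext on the server side. It uses CHAP (RFC 1994) because that fits in the standard library; the quoted reply states the same requirement for EAP-MSCHAPv2, with an NTLM hash as the only alternative to cleartext. `crypt_like`, the record layout and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import os

def crypt_like(password: bytes, salt: bytes) -> bytes:
    # Stand-in (assumption) for a salted one-way crypt(3) hash of a system account.
    return hashlib.pbkdf2_hmac("sha512", password, salt, 5000)

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def verify_pap(stored: dict, sent_password: bytes) -> bool:
    # PAP hands the server the password itself, so either stored form can be checked.
    if "cleartext" in stored:
        return hmac.compare_digest(stored["cleartext"], sent_password)
    candidate = crypt_like(sent_password, stored["salt"])
    return hmac.compare_digest(stored["hash"], candidate)

def verify_chap(stored: dict, chap_id: int, challenge: bytes, response: bytes) -> bool:
    # The server must recompute the response, which requires the cleartext password.
    if "cleartext" not in stored:
        raise LookupError("no cleartext password: cannot compute CHAP response")
    expected = chap_response(chap_id, stored["cleartext"], challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"example-pass"                 # constructed sample value
    salt = os.urandom(16)
    entries = {
        "users_file": {"cleartext": password},  # like a Cleartext-Password entry
        "system": {"salt": salt, "hash": crypt_like(password, salt)},
    }
    chap_id, challenge = 7, os.urandom(16)      # server-issued challenge
    response = chap_response(chap_id, password, challenge)  # computed by the client
    results = {}
    for name, entry in entries.items():
        results[(name, "pap")] = verify_pap(entry, password)
        try:
            results[(name, "chap")] = verify_chap(entry, chap_id, challenge, response)
        except LookupError:
            results[(name, "chap")] = None      # protocol cannot be verified at all
    return results

if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

A result of `None` for the system-account entry under CHAP means the server had nothing to compute the expected response from, which is different from a wrong password.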


More information about the Freeradius-Users mailing list