Accept all users?
Dominik Menke
dom at digineo.de
Tue Feb 24 18:08:58 CET 2015
Hello list,
I'm trying to secure my wireless networks with RADIUS, so that any
combination of username/password will let the user in.
So far I tried to add this line to my `users` file:
DEFAULT Auth-Type := Accept
With radtest I could get positive feedback, but when I wire up the
RADIUS server with my wireless AP and try to connect (via
EAP-TTLS/MSCHAPv2), no connection is established. This happens on
both a TP-Link router with OpenWRT and a Ubiquiti UniFi AP as access
point.
Here's the debug output of freeradius (excerpt, the full log is
attached):
> rad_recv: Access-Request packet from host 192.168.8.1 port 60199, id=16, length=190
> User-Name = "foousername"
> Called-Station-Id = "C2-4A-00-6C-F1-53:use.any.password"
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 1
> Calling-Station-Id = "E8-DE-27-1D-04-02"
> Connect-Info = "CONNECT 54Mbps 802.11g"
> Acct-Session-Id = "54EC901D-00000008"
> Framed-MTU = 1400
> EAP-Message = 0x029f001001666f6f757365726e616d65
> Message-Authenticator = 0xd8aca58525e34524e692e7a0d3f6eab9
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> [eap] EAP packet type response id 159 length 16
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> [files] users: Matched entry DEFAULT at line 1
> ++[files] = ok
> ++[logintime] = noop
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] = noop
> +} # group authorize = updated
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
> # Executing section post-auth from file /etc/freeradius/sites-enabled/default
> +group post-auth {
> ++[exec] = noop
> +} # group post-auth = noop
> Sending Access-Accept of id 16 to 192.168.8.1 port 60199
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 16 with timestamp +5
The "sites-enabled/default" config is pretty much untouched from
installation.
To me it seems like a successful user authorization? When running
tcpdump on the access point, I only see the outgoing EAP packet.
I'm a bit clueless now...
Greetings,
Dominik