Accept all users?

David Peterson davidp at wirelessconnections.net
Tue Feb 24 19:00:36 CET 2015


Add this under the authorization section; for TTLS we use the inner-tunnel. This works for all of our WiMAX clients who never bothered to write down usernames and passwords.

update control {
        Auth-Type := Accept
}
update outer.reply {
        Framed-Filter-Id := Test
}


Change the Framed-Filter-Id with any attributes you want to send back to the NAS, say for provisioning.

David

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+davidp=wirelessconnections.net at lists.freeradius.org] On Behalf Of Dominik Menke
Sent: Tuesday, February 24, 2015 12:09 PM
To: freeradius-users at lists.freeradius.org
Subject: Accept all users?

Hello list,

I'm trying to secure my wireless networks with RADIUS, so that any combination of username/password will let the user in.

So far I tried to add this line to my `users` file:

    DEFAULT Auth-Type := Accept

With radtest I could get positive feedback, but when I wire up the RADIUS server with my wireless AP and try to connect (via EAP-TTLS/MSCHAPv2), no connection is established. This happens on both a TP-Link router with OpenWRT and a Ubiquiti UniFi AP as access point.

Here's the debug output of freeradius (excerpt, the full log is attached):

> rad_recv: Access-Request packet from host 192.168.8.1 port 60199, id=16, length=190
>   User-Name = "foousername"
>   Called-Station-Id = "C2-4A-00-6C-F1-53:use.any.password"
>   NAS-Port-Type = Wireless-802.11
>   NAS-Port = 1
>   Calling-Station-Id = "E8-DE-27-1D-04-02"
>   Connect-Info = "CONNECT 54Mbps 802.11g"
>   Acct-Session-Id = "54EC901D-00000008"
>   Framed-MTU = 1400
>   EAP-Message = 0x029f001001666f6f757365726e616d65
>   Message-Authenticator = 0xd8aca58525e34524e692e7a0d3f6eab9
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> [eap] EAP packet type response id 159 length 16
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> [files] users: Matched entry DEFAULT at line 1
> ++[files] = ok
> ++[logintime] = noop
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] = noop
> +} # group authorize = updated
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
> # Executing section post-auth from file /etc/freeradius/sites-enabled/default
> +group post-auth {
> ++[exec] = noop
> +} # group post-auth = noop
> Sending Access-Accept of id 16 to 192.168.8.1 port 60199
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 16 with timestamp +5

The "sites-enabled/default" config is pretty much untouched from installation.

For me it seems like a successful user authorization? When running tcpdump on the access point, I only see the outgoing EAP package.

I'm a bit clueless now...

Greetings,
Dominik
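
Added example, not part of the original thread or of FreeRADIUS itself: a small Python check that decodes the EAP-Message from the debug excerpt above and flags the pattern visible in it, where the `users` entry forces Auth-Type = Accept in the outer server and the first EAP Identity response is answered with a bare Access-Accept, so the EAP module never runs and the supplicant never completes TTLS. The function names `parse_eap` and `eap_short_circuited` are hypothetical; the sample lines are copied from the excerpt.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

def parse_eap(hex_value):
    """Decode one EAP-Message attribute as printed in debug output (RFC 3748 header)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length field does not match attribute size")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type byte
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt

def eap_short_circuited(debug_text):
    """True when a request carrying EAP-Message was accepted via Auth-Type = Accept,
    meaning authenticate/eap was skipped and no EAP-Success was generated."""
    has_eap = re.search(r"EAP-Message = 0x[0-9a-fA-F]+", debug_text) is not None
    forced = "Found Auth-Type = Accept" in debug_text
    accepted = "Sending Access-Accept" in debug_text
    return has_eap and forced and accepted

# Lines copied from the debug excerpt in the thread.
SAMPLE = """\
  EAP-Message = 0x029f001001666f6f757365726e616d65
[files] users: Matched entry DEFAULT at line 1
Found Auth-Type = Accept
Sending Access-Accept of id 16 to 192.168.8.1 port 60199
"""

if __name__ == "__main__":
    m = re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", SAMPLE)
    print(parse_eap(m.group(1)))
    print("EAP bypassed:", eap_short_circuited(SAMPLE))
```

In a healthy EAP exchange the same debug output shows the EAP Auth-Type being found instead, so the check returns False for it.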
