Accept all users?

Dominik Menke dom at digineo.de
Wed Mar 4 18:31:05 CET 2015


(Sorry for the late response. I was tinkering with other aspects of the
network and have just re-started with the FR integration.)


> > I'm trying to secure my wireless networks with RADIUS, so that any
> > combination of username/password will let the user in.
> 
>   That isn’t very secure.

Oh, I'm targeting transport encryption; the net should be open for
everyone. I just don't want unencrypted Wifi packets flying over the
air, making it easy for blackhats to read them... I thought a
WPA2/Enterprise encrypted Wifi connection backed by an FR server using
proper certificates would be a good idea, wouldn't it?


> > So far I tried to add this line to my `users` file:
> > 
> >    DEFAULT Auth-Type := Accept
> 
>   That won’t work.
> 
> > With radtest I could get a positive feedback, but when I wire up the
> > RADIUS server with my wireless AP and try to connect (via
> > EAP-TTLS/MSCHAPv2), no connection is established.
> 
>   Exactly.
> 
>   MS-CHAPv2 *requires* that the server know the user's correct password.

Yeah, I thought so, too. Looks like I need a predefined set of valid
credentials for my Windows clients... I need to communicate some
information anyway, I think I can include some username/passwords as
well.


>   You need to do two things:
> 
> 1) configure the clients to use TTLS/PAP instead of MS-CHAP
> 
> 2) update the “users” file entry to say:
> 
> DEFAULT   FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept
> 
>   Then TTLS/PAP should work.  Nothing else will work, though.

Is there anything else I need to configure? Using those two settings
gives me this:

> # radtest -t pap foobar snafu localhost 10 testing123
> Sending Access-Request of id 222 to 127.0.0.1 port 1812
> 	User-Name = "foobar"
> 	User-Password = "snafu"
> 	NAS-IP-Address = 127.0.1.1
> 	NAS-Port = 10
> 	Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=222, length=20

And in the server log:

> rad_recv: Access-Request packet from host 127.0.0.1 port 45876, id=0, length=120
> 	User-Name = "foobar"
> 	NAS-IP-Address = 127.0.0.1
> 	Calling-Station-Id = "02-00-00-00-00-01"
> 	Framed-MTU = 1400
> 	NAS-Port-Type = Wireless-802.11
> 	Connect-Info = "CONNECT 11Mbps 802.11b"
> 	EAP-Message = 0x0200000b01666f6f626172
> 	Message-Authenticator = 0xb3ca17f074559f077c154b1f72006a21
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> [eap] EAP packet type response id 0 length 11
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> ++[logintime] = noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] = noop
> ++update control {
> ++} # update control = noop
> +} # group authorize = updated
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
> # Executing section post-auth from file /etc/freeradius/sites-enabled/default
> +group post-auth {
> ++[exec] = noop
> +} # group post-auth = noop
> Sending Access-Accept of id 0 to 127.0.0.1 port 45876

Although an Access-Accept is transmitted, the warning "no 'known good'
password found for the user" makes me worry that I didn't understand a
central part of FR...

When I try to connect a Wifi client to a NAS speaking to the server
running above, I get the same output (and no connection). I think
tomorrow I will start to fiddle with wpa_supplicant's eapol_test.


	Thanks so far,
	Dominik
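The server transcript quoted in this mail shows the failure mode worth recognising: the request that reached the server carries an EAP-Message whose payload is an EAP Identity response (code 2, type 1, data "foobar"), and the server answers it with an Access-Accept because Auth-Type was forced to Accept before any EAP method ran. An 802.1X supplicant that has only sent its identity expects an Access-Challenge, so that Access-Accept never turns into a connection. The script below is an added example, not code from the thread or from the FreeRADIUS project: it parses a `radiusd -X` transcript of the shape quoted above, decodes the EAP-Message header, and flags any request that was accepted while still in the Identity exchange, plus the pap "known good password" warning. The helper names (`RequestTrace`, `parse_debug_log`, `diagnose`) and the regexes are my own assumptions about the 2.x debug format; the sample log is the one quoted in the mail.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# EAP constants from RFC 3748
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


@dataclass
class RequestTrace:
    """Everything the debug log tells us about one Access-Request."""
    req_id: int
    attrs: Dict[str, str] = field(default_factory=dict)
    auth_type: Optional[str] = None
    reply: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def decode_eap(hexstr: str):
    """Decode the EAP header of an EAP-Message attribute as printed by radiusd -X.

    Returns (code, identifier, length, type, type_data); type is None for
    Success/Failure packets, which carry no type octet.
    """
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is shorter than 4 octets")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} octets present")
    eap_type = raw[4] if len(raw) > 4 else None
    return code, ident, length, eap_type, raw[5:]


def parse_debug_log(text: str) -> List[RequestTrace]:
    """Group a radiusd -X transcript into one RequestTrace per Access-Request."""
    traces: List[RequestTrace] = []
    cur: Optional[RequestTrace] = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        m = re.match(r"rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)", line)
        if m:
            cur = RequestTrace(req_id=int(m.group(1)))
            traces.append(cur)
            continue
        if cur is None:
            continue
        # Attribute lines are the tab-indented "Name = value" lines under rad_recv
        if raw_line.startswith("\t"):
            m = re.match(r"([\w-]+) = (.*)", line)
            if m:
                cur.attrs[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"Found Auth-Type = (\S+)", line)
        if m:
            cur.auth_type = m.group(1)
            continue
        m = re.match(r"Sending (Access-\w+) of id (\d+)", line)
        if m and int(m.group(2)) == cur.req_id:
            cur.reply = m.group(1)
            continue
        if "WARNING" in line:
            cur.warnings.append(line)
    return traces


def diagnose(trace: RequestTrace) -> List[str]:
    """Return human-readable findings for one request."""
    findings = []
    eap = trace.attrs.get("EAP-Message")
    if eap:
        code, _, _, eap_type, data = decode_eap(eap)
        if (trace.reply == "Access-Accept" and code == EAP_CODE_RESPONSE
                and eap_type == EAP_TYPE_IDENTITY):
            findings.append(
                f"id={trace.req_id}: Access-Accept was sent in reply to an EAP Identity "
                f"response for '{data.decode(errors='replace')}' while Auth-Type was "
                f"forced to {trace.auth_type}. No EAP method ran, so the supplicant "
                f"(expecting an Access-Challenge) will not complete the connection."
            )
    for w in trace.warnings:
        if "known good" in w:
            findings.append(f"id={trace.req_id}: pap found no cleartext/NT password for "
                            f"the user; password-checking Auth-Types cannot succeed.")
    return findings


# Sample input: the server-side transcript quoted in the mail above
SAMPLE_LOG = "\n".join([
    "rad_recv: Access-Request packet from host 127.0.0.1 port 45876, id=0, length=120",
    "\tUser-Name = \"foobar\"",
    "\tNAS-IP-Address = 127.0.0.1",
    "\tCalling-Station-Id = \"02-00-00-00-00-01\"",
    "\tFramed-MTU = 1400",
    "\tNAS-Port-Type = Wireless-802.11",
    "\tConnect-Info = \"CONNECT 11Mbps 802.11b\"",
    "\tEAP-Message = 0x0200000b01666f6f626172",
    "\tMessage-Authenticator = 0xb3ca17f074559f077c154b1f72006a21",
    "# Executing section authorize from file /etc/freeradius/sites-enabled/default",
    "+group authorize {",
    "++[eap] = updated",
    "++[files] = noop",
    "[pap] WARNING! No \"known good\" password found for the user.  Authentication may fail because of this.",
    "++[pap] = noop",
    "+} # group authorize = updated",
    "Found Auth-Type = Accept",
    "Auth-Type = Accept, accepting the user",
    "Sending Access-Accept of id 0 to 127.0.0.1 port 45876",
])

if __name__ == "__main__":
    for t in parse_debug_log(SAMPLE_LOG):
        for finding in diagnose(t):
            print(finding)
```

Run it on a longer transcript and it reports one line per accepted-at-Identity request, which is exactly the symptom of an unconditional `Auth-Type := Accept`: the outer request is answered before the TTLS tunnel is ever built. Alan's suggested `FreeRADIUS-Proxied-To == 127.0.0.1` condition limits the Accept to the inner-tunnel request, where the EAP module has already carried the conversation far enough for an Access-Accept to mean something to the supplicant.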
