Change PEAP user-name and user-password
Alan DeKok
aland at deployingradius.com
Thu Jun 14 00:03:21 CEST 2018
On Jun 13, 2018, at 5:59 PM, Seth Lampman <sethklampman at gmail.com> wrote:
>
> I am trying to figure out if what I want to do is possible. I work for a
> VPN vendor. We support device auth as well as user auth. User auth is
> always required no matter what. I have a customer that wants device auth
> only using eap-tls. No issues, this works fine. They want to disable user
> auth and use only device certificate auth which we do not support.
Adding certificate authentication shouldn't be that hard...
> I want
> to basically be able to accept all user auth requests presented to the
> radius server which would in effect give them what they want.
That's really impossible in most EAP methods.
> I know that with eap\mschapv2 (we don't support lesser protocols) you cannot
> have auto accept all requests due to mutual auth required.
Yes.
> My thought was
> to create a default user in freeradius and then update user-name and
> user-password to the default user. So Joe tries to authenticate and unlang
> rewrites Joe to default user. And rewrites Joe's password to default user
> password. Auth succeeds.
That doesn't work. The mutual authentication is mutual between the end user system (i.e. Joe), and FreeRADIUS. You can re-write things in FreeRADIUS however you want, and it won't matter. The end user system will reject the response from FreeRADIUS.
That's what *mutual* auth means. *Both* ends have to agree. You can't just mangle one end and expect it to work.
> I've researched the forums and I think I need to do this on the outer tunnel
> as well as the inner tunnel? I can't find anything that is clear on that.
>
> If someone could point me in the right direction and let me know if I am on
> the right track?
It's impossible.
Alan DeKok.