Change PEAP user-name and user-password
Seth Lampman
sethklampman at gmail.com
Thu Jun 14 00:15:19 CEST 2018
Crap. I was hoping there would be a way to get FR to accept anything I
threw at it.
Thanks for your help.
On Wed, Jun 13, 2018, 6:03 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Jun 13, 2018, at 5:59 PM, Seth Lampman <sethklampman at gmail.com> wrote:
> >
> > I am trying to figure out if what I want to do is possible. I work for a
> > VPN vendor. We support device auth as well as user auth. User auth is
> > always required no matter what. I have a customer that wants device auth
> > only using eap-tls. No issues, this works fine. They want to disable user
> > auth and use only device certificate auth, which we do not support.
>
> Adding certificate authentication shouldn't be that hard...
>
> > I want
> > to basically be able to accept all user auth requests presented to the
> > radius server which would in effect give them what they want.
>
> That's really impossible in most EAP methods.
>
> > I know that with eap\mschapv2 (we don't support lesser protocols) you cannot
> > have auto accept all requests due to mutual auth required.
>
> Yes.
>
> > My thought was
> > to create a default user in freeradius and then update user-name and
> > user-password to the default user. So Joe tries to authenticate and unlang
> > rewrites Joe to default user. And rewrites Joe's password to default user
> > password. Auth succeeds.
>
> That doesn't work. The mutual authentication is mutual between the end
> user system (i.e. Joe), and FreeRADIUS. You can re-write things in
> FreeRADIUS however you want, and it won't matter. The end user system will
> reject the response from FreeRADIUS.
>
> That's what *mutual* auth means. *Both* ends have to agree. You can't
> just mangle one end and expect it to work.
>
> > I've researched the forums and I think I need to do this on the outer tunnel
> > as well as the inner tunnel? I can't find anything that is clear on that.
> >
> > If someone could point me in the right direction and let me know if I am on
> > the right track?
>
> It's impossible.
>
> Alan DeKok.