Guest mode with different passphrases

Alan DeKok aland at
Thu Jan 3 15:27:41 CET 2019

On Jan 3, 2019, at 5:43 AM, Hans-Christian Esperer <hc at> wrote:
> I'd like to achieve the following:
> A wifi where both regular users and guests can log in. All users should use
> PEAP to establish an encrypted connection. Normal users then use a combination
> of username, passphrase, nothing unusual here.
> Guests, however, shall be able to log in with username "guest" and a PIN number
> as passphrase. Several PIN numbers should be allowed, but each PIN number only
> once, or for a certain amount of time after the first usage.

  The guest users will still need to enable the server certificate / CA in their 802.1X config.  So it's likely not as easy as "enter guest / pin".

> The idea is that each guest is assigned a PIN number to be used once, when they
> need access, and upon first usage of that PIN it is deleted or marked as used
> in a database and cannot be used a 2nd time. PINs should be randomly generated
> as needed.
> Is this at all possible? If so, how would one best implement it? Writing your
> own Perl module? Is there something available in the default distro to achieve
> this behavior?

  There is nothing in the default configuration to do this.  It's a very unusual request.  In large part because it's hard for guest users to configure 802.1X.

  Also, PEAP typically uses MS-CHAP, which means you don't know what PIN the guest user has entered.  Instead, you get a hash of the PIN.  Which means that the only way to know what PIN they used is to loop through all PINs seeing if the hash matches.

  So no, this isn't really practical.  You're much better off using an open WiFi, and a captive portal with a web page for guest access.

  Alan DeKok.
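
The server-side loop described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code: the server holds only a challenge and a response, so it must recompute the response for every stored PIN to learn which one was used. HMAC-SHA256 stands in here for the MS-CHAPv2 response function, and `GuestPins`, `response_for`, `PIN_LIFETIME` and the sample PINs are constructed for illustration.

```python
import hashlib
import hmac
import time

PIN_LIFETIME = 3600  # assumption: seconds a PIN stays valid after first use


def response_for(pin: str, challenge: bytes) -> bytes:
    """Stand-in for the MS-CHAPv2 response: a keyed hash of the challenge.

    The server only ever sees this value, never the PIN itself.
    """
    return hmac.new(pin.encode(), challenge, hashlib.sha256).digest()


class GuestPins:
    """PIN store for the shared "guest" account (hypothetical helper)."""

    def __init__(self, pins):
        # pin -> timestamp of first successful use (None = never used)
        self.first_used = {pin: None for pin in pins}

    def authenticate(self, challenge, response, now=None):
        """Return the PIN that produced `response` if still usable, else None."""
        now = time.time() if now is None else now
        matched = None
        # The response cannot be looked up directly: every PIN is tried,
        # so each login costs one hash computation per stored PIN.
        for pin in self.first_used:
            candidate = response_for(pin, challenge)
            if hmac.compare_digest(candidate, response):
                matched = pin
        if matched is None:
            return None  # no stored PIN yields this response
        first = self.first_used[matched]
        if first is None:
            self.first_used[matched] = now  # mark as used on first login
            return matched
        # Re-authentication is accepted only inside the validity window.
        return matched if now - first <= PIN_LIFETIME else None


if __name__ == "__main__":
    store = GuestPins(["482913", "770154", "305668"])  # constructed PINs
    challenge = bytes(range(16))                       # constructed challenge
    resp = response_for("770154", challenge)
    print(store.authenticate(challenge, resp, now=1000.0))
    print(store.authenticate(challenge, resp, now=1000.0 + PIN_LIFETIME + 1))
```
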

More information about the Freeradius-Users mailing list