FreeRadius - MSCHAPv2 always authenticate user (WPA2-EAP)

Alan DeKok aland at deployingradius.com
Wed Jan 30 16:58:27 CET 2019


On Jan 30, 2019, at 10:53 AM, Ben Tyson <btysonnorrman at gmail.com> wrote:
> 
> REPOST FROM STACK EXCHANGE.

  IS THAT NECESSARY?

> Version of FreeRadius: Latest from Download
> Operating System: ARM (raspberry PI) or Linux (can be switched, as needed)
> 
> I'm trying to create an open WPA2-EAP wireless network. Yes, I know
> that's a contradiction in terms, but bear with me.

  It's pretty much designed to be impossible.

> We need client separation, rather than authentication - so need the
> WPA2-EAP facilities, without authentication users.
> 
> Windows 7 & 10 clients and DD-wrt as the wireless access point
> 
> **Note the windows clients do not have admin rights, so I can't
> install client and CA certs on them**

  Then you can't do it.

> It is possible to tell FreeRadius to accept all, by using DEFAULT
> Auth-Type = Accept - however that just returns an authorised to the
> access point - and doesn't return a MSCHAPv2-Successful, so the client
> can connect to the network, but then doesn't get the correct response
> to continue, so keeps on trying to authenticate.

  Exactly.

> Does anyone know if there is a way of forcing the MSCHAP module to
> return authorised (e.g. a debugging mode) - or would it be reasonable
> to strip the module, so that it always returns Successful.

  That's not how it works.

  The Wifi clients encrypt each packet with a secret key.  That key is derived by the Wifi client && the RADIUS server from a successful authentication.  The RADIUS server sends the keys to the access point.

  Without a successful authentication, there is nothing to derive.  You can't just invent a key and send it to the AP.  The WiFi client will see that authentication hasn't succeeded, and will refuse to connect.

> Any other thoughts, gratefully received, but note: anything that
> involves going hands on with the clients won't work.

  What you want to do is impossible.  It was *designed* to be impossible to do.

  Your options are:

a) install something on the client (certs, WiFi config)

b) have an open WiFi network, and rely on a captive portal to control access

c) have no WiFi network

  That is all.

  Alan DeKok.