Is it possible to specify which authorization mode is being used?
Alan DeKok
aland at deployingradius.com
Wed Aug 5 14:06:40 CEST 2020
On Aug 5, 2020, at 4:48 AM, Kristian Faller <kristian.faller at remarkable.no> wrote:
> Is it possible to specify which authentication mode and tunnel type are
> being used?
Yes and no. The client is the one which chooses a particular EAP type. But the server has to be configured to accept it.
> If yes, what files do I need to modify in order to do this? I
> have tried reading the documentation and looking through some of the config
> files, but as a complete beginner at this, I'm not sure if I'm even looking
> in the right places.
mods-available/eap has full documentation.
The default configuration is designed to work in as many situations as possible. So generally you just add a "known good" name/password to the config, and most EAP types will work.
I have a full guide on my site: http://deployingradius.com
> Background: I work with software testing for reMarkable (we create an E ink
> tablet based on Linux), and we want to conduct more specified testing on
> WPA Enterprise (802.1X over Wi-Fi). At the moment we have done testing on
> our network gear which consists of Ubiquiti Unifi which only implements
> eap_peap with MSCHAPv2. While this is probably used for many companies all
> over the world, we would like to test other kinds of authentication and
> tunnel types, thus I started setting up FreeRadius on a Raspberry Pi 4,
> running Ubuntu 19.10 for IoT devices.
If you use wpa_supplicant, it will work everywhere, with everything.
> Our tablet runs a flavor of Linux, using wpa_supplicant and should (in
> theory) be able to connect to most kinds of network. However, we know that
> certificate-based networks won't work at the moment due to not having a way
> to import licenses. However, I do believe there are other types of networks
> not needing certificates, and these are the ones we'd like to test.
EAP-TLS needs client certificates. Other EAP types (PEAP, TTLS) still need to have a CA certificate configured on the client.
> I got FreeRadius up and running, but for every connection attempt, I can
> see from the output with "freeradius -X" that eap_peap and MSCHAPv2 are
> used. I want to be able to set specific (valid) values so that our company
> can implement and properly test the different variations of auth modes and
> tunnels.
See my web site. There are example configurations for eapol_test to test most EAP types.
Alan DeKok.
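An added example, not part of the original message or of the FreeRADIUS documentation: since the client picks the EAP type, each outer method and inner (phase 2) method can be pinned in its own wpa_supplicant-style config and run through eapol_test one at a time. The identity, password, SSID, CA path and file names below are constructed placeholders.

```shell
#!/bin/sh
# Added example: one eapol_test/wpa_supplicant config per EAP method and
# inner (phase 2) method, so each run exercises exactly one combination.

IDENTITY="${IDENTITY:-bob}"            # constructed test user
PASSWORD="${PASSWORD:-hello}"          # constructed test password
CA_CERT="${CA_CERT:-/path/to/ca.pem}"  # placeholder: CA that signed the server cert

# Outer method and phase2 string, one case per line.
CASES='PEAP auth=MSCHAPV2
TTLS auth=PAP
TTLS auth=CHAP
TTLS auth=MSCHAPV2
TTLS autheap=MSCHAPV2'

# gen_conf EAP PHASE2: print a network block that allows only that method.
# ca_cert is set so the client validates the server before sending credentials.
gen_conf() {
    cat <<EOF
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=$1
    identity="$IDENTITY"
    anonymous_identity="anonymous"
    password="$PASSWORD"
    phase2="$2"
    ca_cert="$CA_CERT"
}
EOF
}

# write_matrix DIR: write one config file per case and print each path.
write_matrix() {
    mkdir -p "$1" || return 1
    echo "$CASES" | while read -r eap phase2; do
        name=$(echo "$eap-$phase2" | tr 'A-Z=' 'a-z-')
        gen_conf "$eap" "$phase2" > "$1/$name.conf"
        echo "$1/$name.conf"
    done
}

# Usage: sh eap-matrix.sh OUTDIR, then for each generated file:
#   eapol_test -c FILE -a <server-ip> -s <shared-secret>
if [ "$#" -gt 0 ]; then write_matrix "$1"; fi
```

With the server running under "freeradius -X", the debug output for each run shows which EAP module and inner method handled the request, and a method the server is not configured to accept shows up as a rejected run.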