Support for blank password in EAP/PEAP

sachin shetty sachinshetty.r1 at
Wed Jun 8 16:53:58 UTC 2022


I'm using freeradius for VPN and WIFI clients implementing a passwordless
solution where users are only required to enter the username, and I want to
authenticate users using MFA.
I achieved the same using the VPN client as it uses PAP, and it succeeded.
Whereas wrt to Wifi client where it uses EAP/PEAP; I'm observing the
communication ends at Access-Challenge sent from radius server. i.e., the
wifi client doesn't acknowledge the Challenge and ends up with a Login

I took the TCP dump and verified Access-Challenge attributes in working and
non-working scenarios, and I see the number of attributes sent is the same
(although not sure of the value)

I even tried to set NT:Password to empty String md5 value (
0x31D6CFE0D16AE931B73C59D7E0C089C0), still vain attempt. Since the password
is not received in the auth request and Challenge doesn't have the same
information, does the wifi client ends the communication as soon as it
receives Challenge?

NOTE: The server certificate was imported and trusted before trying this
operation and still when a blank password is sent in the Radius auth
request, the handshake between client and server stops when the last
Challenge is sent from the radius server.

Is this a valid scenario with what I'm trying to wrt the EAP/PEAP protocol?


More information about the Freeradius-Users mailing list