Support for blank password in EAP/PEAP

[Alan DeKok]

On Jun 8, 2022, at 12:53 PM, sachin shetty <sachinshetty.r1 at gmail.com> wrote:
> 
> I'm using freeradius for VPN and WIFI clients implementing a passwordless
> solution where users are only required to enter the username, and I want to
> authenticate users using MFA.
> I achieved the same using the VPN client as it uses PAP, and it succeeded.
> Whereas wrt to Wifi client where it uses EAP/PEAP; I'm observing the
> communication ends at Access-Challenge sent from radius server. i.e., the
> wifi client doesn't acknowledge the Challenge and ends up with a Login
> error.

  I would suspect that most WiFi clients won't work with empty passwords.

  PEAP requires that both client and server have the same password.  They prove to each other other that they know the password.

  This works when the passwords exist.  It's not really clear what would happen if the passwords don't exist.

> I even tried to set NT:Password to empty String md5 value (
> 0x31D6CFE0D16AE931B73C59D7E0C089C0), still vain attempt. Since the password
> is not received in the auth request and Challenge doesn't have the same
> information, does the wifi client ends the communication as soon as it
> receives Challenge?

  It looks that way.

  You can't fix the Wifi client, and you can't change its behaving.

> NOTE: The server certificate was imported and trusted before trying this
> operation and still when a blank password is sent in the Radius auth
> request, the handshake between client and server stops when the last
> Challenge is sent from the radius server.
> 
> Is this a valid scenario with what I'm trying to wrt the EAP/PEAP protocol?

  It's interesting, but I don't think it will work.

  Try it with a real password first, to be sure that the certificates, etc. are all correct.  Then if the "no password" test fails, you know the failure is due to a missing password, and not to anything else.

  Alan DeKok.