Fiddling with EAP types...
Marco Gaiarin
gaio at lilliput.linux.it
Wed Apr 10 10:05:23 UTC 2024
Situation: a FreeRADIUS server (Debian stretch, 3.0.12+dfsg-5+deb9u1) bound
to a Samba AD domain (so using EAP, PEAP, MSCHAPv2).
I've some 'non human' clients that typically I connect via direct password
insertion in users and huntgroups, e.g.:
lp_hpcljm452-1 Cleartext-Password := "unknown;-)", MS-CHAP-Use-NTLM-Auth := 0, Expiration := "Dec 31 2030 19:00:00", Huntgroup-Name == "lp_hpcljm452-1"
lp_hpcljm452-1 Calling-Station-Id == "60-6D-C7-27-C1-C9"
But this client (an HP Color LaserJet M452nw) claims to have support for
PEAP, LEAP and EAP-TLS, not explicitly citing MSCHAPv2.
If I try to use PEAP, it leads to:
Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! We requested to use an EAP type as normal.
Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! The supplicant rejected that, and requested to use the same EAP type.
Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! i.e. the supplicant said 'I don't like X, please use X instead.
Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! The supplicant software is broken and does not work properly.
Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! Please upgrade it to software that works.
Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) Login incorrect (eap: No mutually acceptable types found): [lp_hpcljm452-1] (from client unifi-sv port 0 cli 60-6D-C7-27-C1-C9)
Is there some way I can force a 'compatible' EAP type for that user, and only
that one?
Thanks.
--
Twenty-four thousand thoughts per second flow unstoppable,
feeding desires and needs. (CSI)