FreeRadius - MSCHAPv2 always authenticate user (WPA2-EAP)


FreeRadius - MSCHAPv2 always authenticate user (WPA2-EAP)

Ben Tyson
REPOST FROM STACK EXCHANGE.

Version of FreeRadius: Latest from Download
Operating System: ARM (raspberry PI) or Linux (can be switched, as needed)

I'm trying to create an open WPA2-EAP wireless network. Yes, I know
that's a contradiction in terms, but bear with me.

We need client separation, rather than authentication - so need the
WPA2-EAP facilities, without authenticating users.

Windows 7 & 10 clients and DD-wrt as the wireless access point

**Note the windows clients do not have admin rights, so I can't
install client and CA certs on them**

It is possible to tell FreeRadius to accept all, by using DEFAULT
Auth-Type = Accept - however that just returns an authorised to the
access point - and doesn't return a MSCHAPv2-Successful, so the client
can connect to the network, but then doesn't get the correct response
to continue, so keeps on trying to authenticate.

Does anyone know if there is a way of forcing the MSCHAP module to
return authorised (e.g. a debugging mode) - or would it be reasonable
to strip the module, so that it always returns Successful.

Any other thoughts, gratefully received, but note: anything that
involves going hands on with the clients won't work.

Thank you, apologies for failure in etiquette along the way.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius - MSCHAPv2 always authenticate user (WPA2-EAP)

Alan DeKok-2
On Jan 30, 2019, at 10:53 AM, Ben Tyson <[hidden email]> wrote:
>
> REPOST FROM STACK EXCHANGE.

  IS THAT NECESSARY?

> Version of FreeRadius: Latest from Download
> Operating System: ARM (raspberry PI) or Linux (can be switched, as needed)
>
> I'm trying to create an open WPA2-EAP wireless network. Yes, I know
> that's a contradiction in terms, but bear with me.

  It's pretty much designed to be impossible.

> We need client separation, rather than authentication - so need the
> WPA2-EAP facilities, without authenticating users.
>
> Windows 7 & 10 clients and DD-wrt as the wireless access point
>
> **Note the windows clients do not have admin rights, so I can't
> install client and CA certs on them**

  Then you can't do it.

> It is possible to tell FreeRadius to accept all, by using DEFAULT
> Auth-Type = Accept - however that just returns an authorised to the
> access point - and doesn't return a MSCHAPv2-Successful, so the client
> can connect to the network, but then doesn't get the correct response
> to continue, so keeps on trying to authenticate.

  Exactly.

> Does anyone know if there is a way of forcing the MSCHAP module to
> return authorised (e.g. a debugging mode) - or would it be reasonable
> to strip the module, so that it always returns Successful.

  That's not how it works.

  The Wifi clients encrypt each packet with a secret key.  That key is derived by both the Wifi client and the RADIUS server from a successful authentication.  The RADIUS server sends the keys to the access point.

  Without a successful authentication, there is nothing to derive.  You can't just invent a key and send it to the AP.  The WiFi client will see that authentication hasn't succeeded, and will refuse to connect.

> Any other thoughts, gratefully received, but note: anything that
> involves going hands on with the clients won't work.

  What you want to do is impossible.  It was *designed* to be impossible to do.

  Your options are:

a) install something on the client (certs, WiFi config)

b) have an open WiFi network, and rely on a captive portal to control access

c) have no WiFi network

  That is all.

  Alan DeKok.

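The key derivation Alan refers to, shown as an added illustration that is not part of this thread: the MPPE master key and the per-direction keys that only a successful MSCHAPv2 exchange yields, implemented in Python from RFC 3079. The constants and the MS-MPPE attribute names come from RFC 3079 and RFC 2548 rather than from the thread, and the PasswordHashHash and NT-Response inputs are constructed placeholders, not real credentials.

```python
import hashlib

# Constants from RFC 3079 section 3.3 (taken from the RFC, not from this thread).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """MasterKey = SHA1(PasswordHashHash || NT-Response || Magic1)[:16].

    PasswordHashHash is MD4(MD4(UTF-16LE password)), so only a party that knows
    the password (or its NT hash) can compute it.  A bare Access-Accept without a
    real MSCHAPv2 check has no such input and therefore nothing to derive from.
    """
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("PasswordHashHash is 16 bytes, NT-Response is 24 bytes")
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def get_asymmetric_start_key(master_key: bytes, is_send: bool, is_server: bool) -> bytes:
    """One 16-byte directional key (RFC 3079 GetAsymmetricStartKey, 128-bit)."""
    # Magic3 for (send, server) and (receive, client); Magic2 for the other two.
    magic = MAGIC3 if is_send == is_server else MAGIC2
    return hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()[:16]


def session_keys(password_hash_hash: bytes, nt_response: bytes, is_server: bool) -> dict:
    """Send/receive keys as one side of a successful MSCHAPv2 exchange derives them.

    The RADIUS server computes the server-side pair and passes it to the AP in the
    MS-MPPE-Send-Key / MS-MPPE-Recv-Key reply attributes (RFC 2548); the supplicant
    computes the client-side pair itself.  The two pairs match crosswise.
    """
    mk = get_master_key(password_hash_hash, nt_response)
    return {"send": get_asymmetric_start_key(mk, True, is_server),
            "recv": get_asymmetric_start_key(mk, False, is_server)}


# Constructed sample inputs (not real credentials), only to exercise the derivation.
SAMPLE_PHH = bytes(range(16))
SAMPLE_NT_RESPONSE = bytes(range(100, 124))

if __name__ == "__main__":
    srv = session_keys(SAMPLE_PHH, SAMPLE_NT_RESPONSE, is_server=True)
    cli = session_keys(SAMPLE_PHH, SAMPLE_NT_RESPONSE, is_server=False)
    print("keys agree crosswise:", srv["send"] == cli["recv"] and srv["recv"] == cli["send"])
```

Without the password hash the server never has the PasswordHashHash input, which is exactly why a DEFAULT Auth-Type = Accept entry can return an Access-Accept but no MPPE keys, and the supplicant then refuses to complete the association.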