Guest mode with different passphrases


Guest mode with different passphrases

Hans-Christian Esperer
Hi all,

I'd like to achieve the following:

A wifi where both regular users and guests can log in. All users should use
PEAP to establish an encrypted connection. Normal users then use a combination
of username,passphrase, nothing unusual here.

Guests, however, shall be able to login with username "guest" and a PIN number
as passphrase. Several PIN numbers should be allowed, but each PIN number only
once, or for a certain amount of time after the first usage.

The idea is that each guest is assigned a PIN number to be used once, when they
need access, and upon first usage of that PIN it is deleted or marked as used
in a database and cannot be used a 2nd time. PINs should be randomly generated
as needed.

Is this at all possible? If so, how would one best implement it? Writing your
own Perl module? Is there something available in the default distro to achieve
this behavior?

Thanks in advance,
 HC
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Guest mode with different passphrases

Alan DeKok-2
On Jan 3, 2019, at 5:43 AM, Hans-Christian Esperer <[hidden email]> wrote:
> I'd like to achieve the following:
>
> A wifi where both regular users and guests can log in. All users should use
> PEAP to establish an encrypted connection. Normal users then use a combination
> of username,passphrase, nothing unusual here.
>
> Guests, however, shall be able to login with username "guest" and a PIN number
> as passphrase. Several PIN numbers should be allowed, but each PIN number only
> once, or for a certain amount of time after the first usage.

  The guest users will still need to enable the server certificate / CA in their 802.1X config.  So it's likely not as easy as "enter guest / pin".

> The idea is that each guest is assigned a PIN number to be used once, when they
> need access, and upon first usage of that PIN it is deleted or marked as used
> in a database and cannot be used a 2nd time. PINs should be randomly generated
> as needed.
>
> Is this at all possible? If so, how would one best implement it? Writing your
> own Perl module? Is there something available in the default distro to achieve
> this behavior?

  There is nothing in the default configuration to do this.  It's a very unusual request.  In large part because it's hard for guest users to configure 802.1X.

  Also, PEAP typically uses MS-CHAP, which means you don't know what PIN the guest user has entered.  Instead, you get a hash of the PIN.  Which means that the only way to know what PIN they used, is to loop through all PINs seeing if the hash matches.

  So no, this isn't really practical.  You're much better off using an open WiFi, and a captive portal with a web page for guest access.

  Alan DeKok.



Re: Guest mode with different passphrases

Alan Buxey
In reply to this post by Hans-Christian Esperer
easier with TTLS-PAP - as you can work with the PIN in the clear on the
server.

alan

On Thu, 3 Jan 2019 at 10:43, Hans-Christian Esperer <[hidden email]>
wrote:

> Hi all,
>
> I'd like to achieve the following:
>
> A wifi where both regular users and guests can log in. All users should use
> PEAP to establish an encrypted connection. Normal users then use a
> combination
> of username,passphrase, nothing unusual here.
>
> Guests, however, shall be able to login with username "guest" and a PIN
> number
> as passphrase. Several PIN numbers should be allowed, but each PIN number
> only
> once, or for a certain amount of time after the first usage.
>
> The idea is that each guest is assigned a PIN number to be used once, when
> they
> need access, and upon first usage of that PIN it is deleted or marked as
> used
> in a database and cannot be used a 2nd time. PINs should be randomly
> generated
> as needed.
>
> Is this at all possible? If so, how would one best implement it? Writing
> your
> own Perl module? Is there something available in the default distro to
> achieve
> this behavior?
>
> Thanks in advance,
>  HC
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Re: Guest mode with different passphrases

Hans-Christian Esperer
In reply to this post by Hans-Christian Esperer
Thanks all for the replies.

For now, I've solved it like this:

There are unique usernames in addition to passphrases, matching guest[0-9]+

A simple perl script handles post-auth and when a guest[0-9]+ user is first
encountered, the timestamp+MAX_CONNECT_TIME is stored. Later, the timestamp is
compared to the current timestamp and if that is greater than the stored max time,
the user is rejected, otherwise accepted.

I'm thinking rather than to reject the user, to assign them to a different VLAN
where a capture domain exists informing the user that their guest login has
expired.

I'll attach the script in case anyone is interested. It's the first time I use
perl, so it's probably less than optimal.

Cheers,
 HC


checkguest.pl.txt (1K) Download Attachment
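
The post-auth scheme described in the last message, as an added stand-alone Python model (not the attached checkguest.pl and not FreeRADIUS code). It covers both the reject variant and the expired-VLAN variant. The window length, the VLAN id, the SQLite table and the Session-Timeout reply are assumptions of this example.

```python
import re
import sqlite3

MAX_CONNECT_TIME = 8 * 3600            # assumed window (seconds); the post gives no value
EXPIRED_VLAN = "999"                   # hypothetical VLAN id for the "login expired" page
GUEST_RE = re.compile(r"guest[0-9]+")  # username pattern from the post


def open_store(path=":memory:"):
    """Create the table that remembers each guest's expiry time."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS guest_window ("
               "username TEXT PRIMARY KEY, expires_at INTEGER NOT NULL)")
    return db


def post_auth(db, username, now, expired_to_vlan=False):
    """Return (decision, reply_attributes) for an already authenticated user."""
    if not GUEST_RE.fullmatch(username):
        return "accept", {}            # regular users are not time-limited
    with db:  # one transaction: only the first login stamps the expiry
        db.execute("INSERT OR IGNORE INTO guest_window VALUES (?, ?)",
                   (username, now + MAX_CONNECT_TIME))
        (expires_at,) = db.execute(
            "SELECT expires_at FROM guest_window WHERE username = ?",
            (username,)).fetchone()
    if now <= expires_at:
        # Not in the post: Session-Timeout (RFC 2865) asks the NAS to end the
        # session at expiry, since this check only runs when a guest authenticates.
        return "accept", {"Session-Timeout": max(1, expires_at - now)}
    if expired_to_vlan:
        # RFC 3580 attributes for dynamic VLAN assignment
        return "accept", {"Tunnel-Type": "VLAN",
                          "Tunnel-Medium-Type": "IEEE-802",
                          "Tunnel-Private-Group-Id": EXPIRED_VLAN}
    return "reject", {}


if __name__ == "__main__":
    db = open_store()
    t0 = 1_546_500_000                 # constructed timestamp
    print(post_auth(db, "guest17", t0))
    print(post_auth(db, "guest17", t0 + MAX_CONNECT_TIME + 1))
    print(post_auth(db, "guest17", t0 + MAX_CONNECT_TIME + 1, expired_to_vlan=True))
```

The INSERT OR IGNORE keeps the first-seen expiry fixed even if two authentications for the same guest arrive at once, so a reconnect cannot extend the window.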