Hi all,

I apologize in advance if this question has been answered previously
but I have searched extensively and cannot find discussion of this
particular topic.

What I am wanting to setup, at least initially, is a WPA2 enterprise
(802.11i) wireless access point that will authorize ANY user (accept
all credentials/username-password combinations) and thereby provide
encrypted wireless access as well as confirmation of the access
point's identity, but not restrict which users can connect.

I have the system/network/freeradius server running and authentication
works if a specific username and password is supplied (eg. 'testuser
Cleartext-Password := "testpass"' in users file will allow username
'testuser' with password 'testpass' to connect) or with any username
and a specific password (eg. 'DEFAULT Cleartext-Password := "testpass"
in the users file will allow any username that provides the password
'testpass' to connect).  However, I have tried various options and
cannot find a way to achieve my goal of any username with any password
being accepted.

I have not yet attempted to setup a database and modify SQL queries to
always return true or perform the equivalent with shell scripts as it
seems that a simple, single line in the users file should be able to
do the job.  (With only a little research done it appears that both
the SQL and shell script options would be possible [would they?] but
both seem unnecessarily complex for this)

Some options I have tried in the users file are:

DEFAULT   Cleartext-Password := "testpass" # works for any username
and the password "testpass"
DEFAULT   User-Password := "testpass"  # as above (and as expected)
works for any username with the password "testpass"

DEFAULT   Cleartext-Password =* "testpass" # doesn't work, trying to
accept any password; from the users man page "Attribute =* Value As a
check item, it matches if the request contains the named attribute, no
matter what the value is." ==> request doesn't contain the named
attribute 'Cleartext-Password'?!

DEFAULT   Cleartext-Password !~ /1mp0ss1ble/ # doesn't work - in the
hope of accepting if password provided is NOT "1mp0ss1ble"; "Attribute
!~ Expression As a check item, it matches if the request contains an
attribute which does not match the given regular expression."

DEFAULT   Cleartext-Password =~ /.*/ # doesn't work - in the hope of
accepting any user if any password is provided;  "Attribute =~
Expression As a check item, it matches if the request contains an
attribute which matches the given regular expression."

DEFAULT   Cleartext-Password > "" # doesn't work - in the hope that
ANY password would be > "";  "Attribute > Value As a check item, it
matches if the request contains an attribute with a value greater than
the one given."

For what it's worth the users manpage to which I refer is
http://freeradius.org/radiusd/man/users.html#lbAE.

I have also tried "DEFAULT Auth-Type := Accept" [despite having read
in advance that this shouldn't work - indeed it doesn't/didn't!]

This problem is (apparently) not related to certificates or Windows XP
not working (as appears to be the most commonly encountered problem
around this topic - I am not using Windows).  The setup DOES work with
any username as long as a password is explicitly specified in the
users file.

Some keywords to aid others who might search for the same topic in
future: wildcard password, regex password, regular expression

And yes I am new to and inexperienced with RADIUS so please be gentle.
 And yes I expect I am missing something very simple - a config
setting somewhere?

I hope this is as trivial a problem as I expect it to be and someone
out there will smile at my naivety and know the solution I'm looking
for.

Thanks in advance.

Toby.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to