On 30 Aug 2012, at 09:40, Andras Ionut <[email protected]> wrote:
> How can I configure FreeRADIUS to work with a CISCO Router and a
> captive portal in the following case...
>
> 1. User tries to access WiFi network with good user and wrong password
> 2. FreeRADIUS should send Access-Accept with Filter-Id set to portal
> redirect policy and not Access-Reject
> 3. User is presented login page, bla, bla, bla
>
> My problem is that I have to send an Access-Accept on failed login for
> PEAP (For TTLS I've managed to do it from config, but this is another
> story)

You can't fake an Accept that the PEAP supplicant will accept because MSCHAPv2 requires that you actually provide the correct credentials.

You can send an Access-Accept back to the access point, and even force an EAP-Success but the supplicant will probably refuse to connect because it only cares about the success notification from the MSCHAPv2 inner.

Your only option is to run a separate open SSID with something like macauth.

TTLS works because you're using a PAP inner method, and IIRC the keying material for WPA2 is derived from the SSL tunnel which can be established without knowledge of the user's password. If you tried TTLS-MSCHAPv2 it would fail.

-Arran
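Why a forced success does not convince the supplicant, as an added example that is not part of the original post: the MS-CHAPv2 success message carries an authenticator response (RFC 2759, section 8.7) keyed on the hash of the user's password, and the supplicant recomputes it from what the user typed. Inputs are the RFC 2759 section 9.2 test vector; `wrongPass` is a constructed value, the NT-Response is treated as opaque wire bytes, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

M = 0xFFFFFFFF
R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # MD4 round-3 word order
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

def md4(msg: bytes) -> bytes:  # RFC 1320; hashlib may not expose MD4 on OpenSSL 3
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & M
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:
                f, k, s = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4]
            elif i < 32:
                f, k, s = ((b & c) | (b & d) | (c & d)) + 0x5A827999, 4 * (j % 4) + j // 4, (3, 5, 9, 13)[j % 4]
            else:
                f, k, s = (b ^ c ^ d) + 0x6ED9EBA1, R3[j], (3, 9, 11, 15)[j % 4]
            a, b, c, d = d, rol((a + f + x[k]) & M, s), b, c
        h = [(u + v) & M for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def authenticator_response(password, nt_response, peer_chal, auth_chal, user):
    """GenerateAuthenticatorResponse() from RFC 2759 section 8.7."""
    hash_hash = md4(md4(password.encode("utf-16-le")))
    digest = hashlib.sha1(hash_hash + nt_response + MAGIC1).digest()
    challenge = hashlib.sha1(peer_chal + auth_chal + user.encode()).digest()[:8]
    return "S=" + hashlib.sha1(digest + challenge + MAGIC2).hexdigest().upper()

def supplicant_accepts(typed_password, s_value, nt_response, peer_chal, auth_chal, user):
    """Client-side check: recompute S= from the password the user typed."""
    expected = authenticator_response(typed_password, nt_response, peer_chal, auth_chal, user)
    return hmac.compare_digest(expected, s_value)

# Inputs from the RFC 2759 section 9.2 test vector; "wrongPass" below is constructed.
USER, STORED = "User", "clientPass"
AUTH_CHAL = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHAL = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESP = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

if __name__ == "__main__":
    s = authenticator_response(STORED, NT_RESP, PEER_CHAL, AUTH_CHAL, USER)
    for typed in (STORED, "wrongPass"):  # the server can only build S= from STORED
        print(typed, s, supplicant_accepts(typed, s, NT_RESP, PEER_CHAL, AUTH_CHAL, USER))
```

The server can only derive the `S=` value from the password hash it holds, so a supplicant holding a different password rejects it regardless of the outer Access-Accept or EAP-Success.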

