Hi *,

our current use of Radiator (4.12.1) is for "eduroam", so we have a working 
configuration according to the eduroam-Cookbook allowing users with (nearly...) 
any WLAN-equipment to authenticate either against our Windows-AD (for our own 
user database) or against their home organization (for guests).

Now we want to set up an additional WLAN-SSID, which uses enterprise-WPA2 (so 
it is encrypted without preshared keys) but allows everyone access regardless 
of the username and password. The user still must enter a username/password 
combination on connect, but any combination entered should be accepted. This 
must work for a lot of devices, so PEAP and TTLS should work at least.

I've tried a lot of various configurations (similar to the eduroam 
configuration for EAP and MSCHAP-v2). I did not get it working (using something 
with AuthBy INTERNAL). All my variations using AuthBy INTERNAL did not work at 
all.  

Any hint on how to proceed is greatly appreciated -- Thanks!

For the curious, the reason behind the setup is twofold:
- instead of using an open network, we want to use encryption, but still allow 
anyone access to the network.
- authorization is handled quite differently (e.g. by using MAC addresses of the 
client station with AuthenticateAttribute Calling-Station-Id) together with 
captive gateways...

This is the current configuration, which works for "eduroam"-Access and the 
local Realm "thereal.domain.de" as expected, but does not work for the "ewpa2" 
WLAN (all identities have been changed):

# sof #
Foreground
LogDir          /var/log/radius
DbDir           /etc/radiator
DictionaryFile  %D/dictionary

# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace           3

AuthPort        1812
AcctPort        1813

# for testing...
<Client localhost>
        Secret          any
        DupInterval     0
</Client>

# all the WLAN-APs in our network...
<Client 192.168.0.0/24>
        Secret                  any
        Identifier              WLAN-APs
</Client>

# this radius server itself...
<Client 10.0.0.3>
        Secret                  any
        Identifier              radsrv
</Client>

# the federated top level RADIUS server...
<Client 193...1>
        Secret                  any
        Identifier              radius1
</Client>
<Client 193...2>
        Secret                  any
        Identifier              radius2
</Client>

# local users are validated against LDAP/AD...
## the following works only if the machine is joined to the domain!!
<AuthBy NTLM>
        UsernameMatchesWithoutRealm
        EAPType                 MSCHAP-V2
        Identifier              AuthNTLM
</AuthBy>

# accept anyone authentication handler...
# A handler, which authenticates any username and any password...
<AuthBy INTERNAL>
        Identifier      AllowEveryone
        DefaultResult   ACCEPT
        AuthResult      ACCEPT
</AuthBy>


# Handler for test equipment WLAN ewpa2
<Handler Called-Station-Id = /ewpa2/, EAP-Message=/.+/>
        AuthByPolicy    ContinueWhileAcceptOrChallenge
        # first check the MAC address of device...
        <AuthBy FILE>
                AuthenticateAttribute   Calling-Station-Id
                Filename                %D/ewpa2_users
                Nocache
                NoEAP
                NoCheckPassword
        </AuthBy>

        # then handle the WPA2-authentication methods...
        <AuthBy FILE>
                EAPType                 TLS, TTLS, PEAP
                # config for PEAP, TTLS users
                Nocache
                ##AcceptIfMissing
                ##NoCheckPassword
                ##UsernameMatchesWithoutRealm
                Filename                %D/ewpa2_users
                EAPAnonymous            anonymous@ewpa2
                EAPTLS_CAFile           %D/CA_chain.pem
                EAPTLS_CertificateFile  %D/radsrv.pem
                EAPTLS_CertificateType  PEM
                EAPTLS_PrivateKeyFile   %D/radsrv.key
                ##EAPTLS_PrivateKeyPassword     removed_from_file
                EAPTLS_PEAPVersion      0
                EAPTLS_MaxFragmentSize  1000
                EAPTTLS_NoAckRequired
                AutoMPPEKeys
                # config for TLS users
                EAPTLS_NoCheckId
                EAPTLS_CRLCheck
                EAPTLS_CRLFile          %D/crl.pem
                EAPTLS_SessionResumption        0
                # general SSL trace, seems not to work...
                SSLeayTrace             7
        </AuthBy>
        AcctLogFileName         %L/detail-ewpa2
</Handler>

# Handler for PEAP and TTLS tunnels on WLAN ewpa2, accepting any username and 
password...
<Handler TunnelledByPEAP=1, Realm=/ewpa2$/i>
        <AuthBy FILE>
                ##Nocache
                AcceptIfMissing
                NoCheckPassword
                UsernameMatchesWithoutRealm
                Filename        %D/ewpa2_users
                EAPType         MSCHAP-V2
        </AuthBy>
</Handler>
<Handler TunnelledByTTLS=1, Realm=/ewpa2$/i>
        <AuthBy FILE>
                ##Nocache
                AcceptIfMissing
                NoCheckPassword
                UsernameMatchesWithoutRealm
                Filename        %D/ewpa2_users
                EAPType         MSCHAP-V2
        </AuthBy>
</Handler>

# Handler for PEAP...
<Handler TunnelledByPEAP=1, Realm=/thereal\.domain\.de$/i>
        <AuthBy GROUP>
                AuthByPolicy    ContinueUntilAcceptOrChallenge
                AuthBy          AuthNTLM
        </AuthBy>
</Handler>

# Handler for TTLS...
<Handler TunnelledByTTLS=1, Realm=/thereal\.domain\.de$/i>
        <AuthBy GROUP>
                AuthByPolicy    ContinueUntilAcceptOrChallenge
                AuthBy          AuthNTLM
        </AuthBy>
</Handler>


# Handler for  employees...
<Handler Realm=/thereal\.domain\.de$/i>
        ## TTLS and PEAP (Microsoft...) users use username/password,
        ## TLS users use certificates, all handled in one handler...
        <AuthBy FILE>
                EAPType                 TLS, TTLS, PEAP
                # config for PEAP, TTLS users
                Filename                %D/dot1x_anon
                EAPAnonymous            [email protected]
                EAPTLS_CAFile           %D/CA_chain.pem
                EAPTLS_CertificateFile  %D/radsrv.pem
                EAPTLS_CertificateType  PEM
                EAPTLS_PrivateKeyFile   %D/radsrv.key
                #EAPTLS_PrivateKeyPassword      removed_from_file
                EAPTLS_PEAPVersion      0
                EAPTLS_MaxFragmentSize  1000
                EAPTTLS_NoAckRequired
                AutoMPPEKeys
                # config for TLS users
                EAPTLS_NoCheckId
                EAPTLS_CRLCheck
                EAPTLS_CRLFile          %D/crl.pem
                EAPTLS_SessionResumption        0
                # general SSL trace, seems not to work...
                SSLeayTrace             7
        </AuthBy>
        AcctLogFileName         %L/detail-local
</Handler>


# Handler for guests, forwarding anything else to federated radius servers...
##<Handler Realm=/^.+$/, Client-Identifier=/^(?!radsrv$)/>
<Handler Realm=/^.+$/>
        <AuthBy RADIUS>
                Identifier              radius1
                RetryTimeout            3
                Retries                 1
                FailureBackoffTime      0
                UseExtendedIds
                <Host radius1>
                        AuthPort        1812
                        Secret          any
                </Host>
        </AuthBy>
        <AuthBy RADIUS>
                Identifier              radius2
                RetryTimeout            3
                Retries                 1
                FailureBackoffTime      0
                UseExtendedIds
                <Host radius2>
                        AuthPort        1812
                        Secret          any
                </Host>
        </AuthBy>
        AcctLogFileName         %L/detail-guests
</Handler>
# eof #


The users file "ewpa2_users" contains:

# sof #
# List of users: anonymous for outer EAP...
anonymous
anonymous@ewpa2

# the entry used by AuthBy INTERNAL...
DEFAULT Auth-Type=AllowEveryone

# List of MAC addresses allowed connecting to WLAN FOKUS-ewpa2
001300130013
001400140014
# eof #

Thanks and regards,

--
   Stephan Waßerroth
Head of Core IT-Services
Fraunhofer-Fokus | Kaiserin-Augusta-Allee 31 | D-10589 Berlin
e-mail: [email protected]

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
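An added example, not from Stephan's post and not Radiator code: the post's first AuthBy FILE matches the Calling-Station-Id attribute against the `ewpa2_users` file, which lists MAC addresses as 12 bare hex digits. The value a NAS sends in Calling-Station-Id varies by vendor ("00-13-00-13-00-13", "00:13:00:13:00:13", "0013.0013.0013"), and a literal comparison only succeeds when the two formats agree. The script below parses a constructed copy of the users file, separates MAC entries from usernames and the DEFAULT line, and normalises an incoming Calling-Station-Id before checking it, so the format dependency can be tested offline. It does not reproduce Radiator's own matching logic; the file layout and the sample MAC formats are assumptions.

```python
import re

# Constructed sample in the layout of the post's "ewpa2_users" file.
SAMPLE_USERS_FILE = """\
# List of users: anonymous for outer EAP...
anonymous
anonymous@ewpa2

# the entry used by AuthBy INTERNAL...
DEFAULT Auth-Type=AllowEveryone

# List of MAC addresses allowed connecting to WLAN FOKUS-ewpa2
001300130013
001400140014
"""

# A MAC as the users file stores it: exactly 12 lowercase hex digits.
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Strip separators from a MAC in any common NAS format and lowercase it.

    Returns None if what remains is not exactly 12 hex digits, so junk or
    truncated values never match anything.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    return digits if MAC_RE.match(digits) else None


def parse_users_file(text):
    """Return (allowed_macs, usernames, default_auth_type) from a users file.

    A name field of 12 bare hex digits is treated as a MAC entry (the form the
    post's AuthenticateAttribute Calling-Station-Id lookup relies on); the
    DEFAULT line yields its Auth-Type; everything else is a plain username.
    Comments and blank lines are skipped.  Assumption: no real username in the
    file happens to consist of 12 hex digits.
    """
    allowed_macs = set()
    usernames = set()
    default_auth_type = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, check_items = line.partition(" ")
        if name == "DEFAULT":
            m = re.search(r"Auth-Type\s*=\s*(\S+)", check_items)
            if m:
                default_auth_type = m.group(1)
            continue
        if MAC_RE.match(name.lower()):
            allowed_macs.add(name.lower())
        else:
            usernames.add(name)
    return allowed_macs, usernames, default_auth_type


def mac_is_allowed(calling_station_id, allowed_macs):
    """True if the NAS-supplied Calling-Station-Id, once normalised, is listed."""
    mac = normalize_mac(calling_station_id)
    return mac is not None and mac in allowed_macs


if __name__ == "__main__":
    macs, users, default = parse_users_file(SAMPLE_USERS_FILE)
    print("allowed MACs:", sorted(macs), "users:", sorted(users), "DEFAULT:", default)
    for csid in ("00-13-00-13-00-13", "0014.0014.0014", "00:15:00:15:00:15", "garbage"):
        print(csid, "->", mac_is_allowed(csid, macs))
```

Running it shows the first two Calling-Station-Id values accepted and the others rejected, regardless of the separator the NAS used. A MAC list of this kind authorises the device, not the person behind it, which is why the post keeps the captive gateway as the place where per-user authorization actually happens.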
