On 02/12/2014 03:00 PM, Waßerroth, Stephan wrote:

> Now we want to set up an additional WLAN-SSID, which uses enterprise-WPA2 (so
> it is encrypted without preshared keys) but allows everyone access regardless
> of the username and password. The user still must enter a username/password
> combination on connect, but any combination entered should be accepted. This
> must work for a lot of devices, so PEAP and TTLS should work at least.

You can make this work for protocols such as EAP-TTLS/PAP which require no proof from the server that the server actually knows the user's credentials (password). In other words, PEAP/EAP-MSCHAP-V2 creates a problem because the v2 part means that the server has to provide the client a response that is calculated based on the user's credentials. If the server does not know the credentials, the client will refuse to continue with the authentication.

> I've tried a lot of various configurations (similar to the eduroam
> configuration for EAP and MSCHAP-v2). I did not get it working (using
> something with AuthBy INTERNAL). All my variations using AuthBy INTERNAL did
> not work at all.

You could try with AuthBy FILE with just a DEFAULT entry in the users file. If the entry has no User-Password check item, you should get success with EAP-TTLS/PAP.

With some trickery, you might be able to get PEAP/EAP-MSCHAP-V2 working when the users give the same value for username and password. The trick here would be to create a hook or something similar that would provide MSCHAP-V2 the username as password.

> Any hint, how to proceed, is greatly appreciated -- Thanks!

The above might help with getting the credential check working/bypassed. This still leaves out how the users will cope with certificate dialogs and warnings and if it's a good idea to create such systems. But this is more of a policy and political issue and I won't move further to that area :)

Thanks,
Heikki

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
