[RADIATOR] Unconditionally accepting any user/password combination for an enterprise-WPA2 WLAN
Waßerroth, Stephan
stephan.wasserroth at fokus.fraunhofer.de
Wed Feb 12 07:00:03 CST 2014
Hi *,
our current use of Radiator (4.12.1) is for "eduroam", so we have a working configuration according to the eduroam-Cookbook allowing users with (nearly...) any WLAN-equipment to authenticate either against our Windows-AD (for our own user database) or against their home organization (for guests).
Now we want to set up an additional WLAN-SSID, which uses enterprise-WPA2 (so it is encrypted without preshared keys) but allows everyone access regardless of the username and password. The user still must enter a username/password combination on connect, but any combination entered should be accepted. This must work for a lot of devices, so PEAP and TTLS should work at least.
I've tried a lot of various configurations (similar to the eduroam configuration for EAP and MSCHAP-v2). I did not get it working (using something with AuthBy INTERNAL). All my variations using AuthBy INTERNAL did not work at all.
Any hint, how to proceed, is greatly appreciated -- Thanks!
For the curious, the reason behind the setup is twofold:
- instead of using an open network, we want to use encryption, but still allow anyone access to the network.
- authorization is handled quite differently (e.g. by using MAC addresses of the client station with AuthenticateAttribute Calling-Station-Id) together with captive gateways...
This is the current configuration, which works for "eduroam"-Access and the local Realm "thereal.domain.de" as expected, but does not work for the "ewpa2" WLAN (all identities have been changed):
# sof #
Foreground
LogDir /var/log/radius
DbDir /etc/radiator
DictionaryFile %D/dictionary
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 3
AuthPort 1812
AcctPort 1813
# for testing...
<Client localhost>
Secret any
DupInterval 0
</Client>
# all the WLAN-APs in our network...
<Client 192.168.0.0/24>
Secret any
Identifier WLAN-APs
</Client>
# this radius server itself...
<Client 10.0.0.3>
Secret any
Identifier radsrv
</Client>
# the federated top level RADIUS server...
<Client 193...1>
Secret any
Identifier radius1
</Client>
<Client 193...2>
Secret any
Identifier radius2
</Client>
# local users are validated against LDAP/AD...
## following works only, if machine is joined to domain!!
<AuthBy NTLM>
UsernameMatchesWithoutRealm
EAPType MSCHAP-V2
Identifier AuthNTLM
</AuthBy>
# accept anyone authentication handler...
# A handler, which authenticates any username and any password...
<AuthBy INTERNAL>
Identifier AllowEveryone
DefaultResult ACCEPT
AuthResult ACCEPT
</AuthBy>
# Handler for test equipment WLAN ewpa2
<Handler Called-Station-Id = /ewpa2/, EAP-Message=/.+/>
AuthByPolicy ContinueWhileAcceptOrChallenge
# first check the MAC address of device...
<AuthBy FILE>
AuthenticateAttribute Calling-Station-Id
Filename %D/ewpa2_users
Nocache
NoEAP
NoCheckPassword
</AuthBy>
# then handle the WPA2-authentication methods...
<AuthBy FILE>
EAPType TLS, TTLS, PEAP
# config for PEAP, TTLS users
Nocache
##AcceptIfMissing
##NoCheckPassword
##UsernameMatchesWithoutRealm
Filename %D/ewpa2_users
EAPAnonymous anonymous at ewpa2
EAPTLS_CAFile %D/CA_chain.pem
EAPTLS_CertificateFile %D/radsrv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/radsrv.key
##EAPTLS_PrivateKeyPassword removed_from_file
EAPTLS_PEAPVersion 0
EAPTLS_MaxFragmentSize 1000
EAPTTLS_NoAckRequired
AutoMPPEKeys
# config for TLS users
EAPTLS_NoCheckId
EAPTLS_CRLCheck
EAPTLS_CRLFile %D/crl.pem
EAPTLS_SessionResumption 0
# general SSL trace, seems not to work...
SSLeayTrace 7
</AuthBy>
AcctLogFileName %L/detail-ewpa2
</Handler>
# Handler for PEAP and TTLS tunnels on WLAN ewpa2, accepting any username and password...
<Handler TunnelledByPEAP=1, Realm=/ewpa2$/i>
<AuthBy FILE>
##Nocache
AcceptIfMissing
NoCheckPassword
UsernameMatchesWithoutRealm
Filename %D/ewpa2_users
EAPType MSCHAP-V2
</AuthBy>
</Handler>
<Handler TunnelledByTTLS=1, Realm=/ewpa2$/i>
<AuthBy FILE>
##Nocache
AcceptIfMissing
NoCheckPassword
UsernameMatchesWithoutRealm
Filename %D/ewpa2_users
EAPType MSCHAP-V2
</AuthBy>
</Handler>
# Handler for PEAP...
<Handler TunnelledByPEAP=1, Realm=/thereal\.domain\.de$/i>
<AuthBy GROUP>
AuthByPolicy ContinueUntilAcceptOrChallenge
AuthBy AuthNTLM
</AuthBy>
</Handler>
# Handler for TTLS...
<Handler TunnelledByTTLS=1, Realm=/thereal\.domain\.de$/i>
<AuthBy GROUP>
AuthByPolicy ContinueUntilAcceptOrChallenge
AuthBy AuthNTLM
</AuthBy>
</Handler>
# Handler for employees...
<Handler Realm=/thereal\.domain\.de$/i>
## TTLS and PEAP (Microsoft...) users use username/password,
## TLS users use certificates, all handled in one handler...
<AuthBy FILE>
EAPType TLS, TTLS, PEAP
# config for PEAP, TTLS users
Filename %D/dot1x_anon
EAPAnonymous anonymous at thereal.domain.de
EAPTLS_CAFile %D/CA_chain.pem
EAPTLS_CertificateFile %D/radsrv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/radsrv.key
#EAPTLS_PrivateKeyPassword removed_from_file
EAPTLS_PEAPVersion 0
EAPTLS_MaxFragmentSize 1000
EAPTTLS_NoAckRequired
AutoMPPEKeys
# config for TLS users
EAPTLS_NoCheckId
EAPTLS_CRLCheck
EAPTLS_CRLFile %D/crl.pem
EAPTLS_SessionResumption 0
# general SSL trace, seems not to work...
SSLeayTrace 7
</AuthBy>
AcctLogFileName %L/detail-local
</Handler>
# Handler for guests, forwarding anything else to federated radius servers...
##<Handler Realm=/^.+$/, Client-Identifier=/^(?!radsrv$)/>
<Handler Realm=/^.+$/>
<AuthBy RADIUS>
Identifier radius1
RetryTimeout 3
Retries 1
FailureBackoffTime 0
UseExtendedIds
<Host radius1>
AuthPort 1812
Secret any
</Host>
</AuthBy>
<AuthBy RADIUS>
Identifier radius2
RetryTimeout 3
Retries 1
FailureBackoffTime 0
UseExtendedIds
<Host radius2>
AuthPort 1812
Secret any
</Host>
</AuthBy>
AcctLogFileName %L/detail-guests
</Handler>
# eof #
The users file "ewpa2_users" contains:
# sof #
# List of users: anonymous for outer EAP...
anonymous
anonymous at ewpa2
# the entry used by AuthBy INTERNAL...
DEFAULT Auth-Type=AllowEveryone
# List of MAC addresses allowed connecting to WLAN FOKUS-ewpa2
001300130013
001400140014
# eof #
Thanks and regards,
--
Stephan Waßerroth
Head of Core IT-Services
Fraunhofer-Fokus | Kaiserin-Augusta-Allee 31 | D-10589 Berlin
e-mail: stephan.wasserroth at fokus.fraunhofer.de