[RADIATOR] Unconditionally accepting any user/password combination for an enterprise-WPA2 WLAN

Heikki Vatiainen hvn at open.com.au
Thu Feb 13 03:09:55 CST 2014


On 02/12/2014 03:00 PM, Waßerroth, Stephan wrote:

> Now we want to set up an additional WLAN-SSID, which uses enterprise-WPA2 (so it is encrypted without preshared keys) but allows everyone access regardless of the username and password. The user still must enter a username/password combination on connect, but any combination entered should be accepted. This must work for a lot of devices, so PEAP and TTLS should work at least.

You can make this work for protocols such as EAP-TTLS/PAP which require
no proof from the server that the server actually knows the user's
credentials (password).

In other words, PEAP/EAP-MSCHAP-V2 creates a problem because the v2 part
means that the server has to provide the client a response that is
calculated based on the user's credentials. If the server does not know
the credentials, the client will refuse to continue with the authentication.

> I've tried a lot of various configurations (similar to the eduroam configuration for EAP and MSCHAP-v2). I did not get it working (using something with AuthBy INTERNAL). All my variations using AuthBy INTERNAL did not work at all.

You could try with AuthBy FILE with just DEFAULT entry in the users
file. If the entry has no User-Password check item, you should get
success with EAP-TTLS/PAP.

With some trickery, you might be able to get PEAP/EAP-MSCHAP-V2 working
when the users give the same value for username and password. The trick
here would be to create a hook or something similar that would provide
MSCHAP-V2 the username as password.

> Any hint, how to proceed, is greatly appreciated -- Thanks!

The above might help with getting the credential check working/bypassed.
This still leaves out how the users will cope with certificate dialogs
and warnings and if it's a good idea to create such systems. But this is
more of a policy and political issue and I won't move further to that area :)

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
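As an added illustration (not part of the original thread and not Radiator's own sample configuration), this is what the AuthBy FILE with a bare DEFAULT entry approach described above could look like for EAP-TTLS/PAP. File paths, certificate names and the shared secret are placeholders.

```apacheconf
# --- radius.cfg (added example; paths, secret and certificate names are placeholders) ---
Foreground
LogStdout
LogDir      /var/log/radius
DbDir       /etc/radiator
Trace       4

<Client DEFAULT>
    # Shared secret with the access points; placeholder value
    Secret  CHANGE-ME
</Client>

# Inner (tunnelled) request: the PAP credentials carried inside the TTLS tunnel.
# AuthBy FILE matches the DEFAULT entry below; because that entry carries no
# User-Password check item, any username/password combination is accepted.
<Handler TunnelledByTTLS=1>
    <AuthBy FILE>
        Filename %D/users-openaccess
    </AuthBy>
</Handler>

# Outer request: terminates the TLS tunnel. Only TTLS is offered here;
# PEAP/EAP-MSCHAP-V2 is left out because its inner exchange needs the
# server to compute a response from the real password, which it does not have.
<Handler>
    <AuthBy FILE>
        Filename %D/users-openaccess
        EAPType TTLS
        EAPTLS_CAFile              %D/certificates/ca.pem
        EAPTLS_CertificateFile     %D/certificates/server.pem
        EAPTLS_CertificateType     PEM
        EAPTLS_PrivateKeyFile      %D/certificates/server.key
        EAPTLS_PrivateKeyPassword  CHANGE-ME
        EAPTLS_MaxFragmentSize     1000
        # Derive the WPA2 session keys (MS-MPPE-*-Key) from the TLS master secret
        AutoMPPEKeys
        EAPAnonymous anonymous
    </AuthBy>
</Handler>

# --- users-openaccess (the users file referenced above) ---
# A DEFAULT entry with no check items matches every request. Reply items on the
# indented continuation line are optional; a short Session-Timeout bounds how long
# an unverified session lasts before the client has to reauthenticate.
DEFAULT
    Session-Timeout = 3600
```

Clients still see the server certificate dialog on first connect; nothing in this configuration changes that.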

