List: freeradius-users
Subject: Re: Support for blank password in EAP/PEAP
From: Alan DeKok <aland () deployingradius ! com>
Date: 2022-06-09 13:03:32
Message-ID: E9D6221D-829E-42FE-A701-2795B6E465AE () deployingradius ! com
On Jun 8, 2022, at 12:53 PM, sachin shetty <sachinshetty.r1@gmail.com> wrote:
>
> I'm using freeradius for VPN and WIFI clients implementing a passwordless
> solution where users are only required to enter the username, and I want to
> authenticate users using MFA.
> I achieved the same using the VPN client as it uses PAP, and it succeeded.
> Whereas wrt the Wifi client, where it uses EAP/PEAP, I'm observing the
> communication ends at Access-Challenge sent from radius server. i.e., the
> wifi client doesn't acknowledge the Challenge and ends up with a Login
> error.
I would suspect that most WiFi clients won't work with empty passwords.
PEAP requires that both client and server have the same password. They prove to
each other that they know the password.
This works when the passwords exist. It's not really clear what would happen if
the passwords don't exist.
> I even tried to set NT:Password to empty String md5 value (
> 0x31D6CFE0D16AE931B73C59D7E0C089C0), still vain attempt. Since the password
> is not received in the auth request and Challenge doesn't have the same
> information, does the wifi client end the communication as soon as it
> receives Challenge?
It looks that way.
You can't fix the Wifi client, and you can't change its behavior.
> NOTE: The server certificate was imported and trusted before trying this
> operation and still when a blank password is sent in the Radius auth
> request, the handshake between client and server stops when the last
> Challenge is sent from the radius server.
>
> Is this a valid scenario with what I'm trying to do wrt the EAP/PEAP protocol?
It's interesting, but I don't think it will work.
Try it with a real password first, to be sure that the certificates, etc. are all
correct. Then if the "no password" test fails, you know the failure is due to a
missing password, and not to anything else.
Alan DeKok.