
List:       freeradius-users
Subject:    Re: Support for blank password in EAP/PEAP
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2022-06-09 13:03:32
Message-ID: E9D6221D-829E-42FE-A701-2795B6E465AE () deployingradius ! com

On Jun 8, 2022, at 12:53 PM, sachin shetty <sachinshetty.r1@gmail.com> wrote:
> 
> I'm using freeradius for VPN and WIFI clients implementing a passwordless
> solution where users are only required to enter the username, and I want to
> authenticate users using MFA.
> I achieved the same using the VPN client as it uses PAP, and it succeeded.
> Whereas wrt the Wifi client, where it uses EAP/PEAP, I'm observing the
> communication ends at Access-Challenge sent from radius server. i.e., the
> wifi client doesn't acknowledge the Challenge and ends up with a Login
> error.

  I would suspect that most WiFi clients won't work with empty passwords.

  PEAP requires that both client and server have the same password.  They
prove to each other that they know the password.

  This works when the passwords exist.  It's not really clear what would
happen if the passwords don't exist.

> I even tried to set NT:Password to empty String md5 value (
> 0x31D6CFE0D16AE931B73C59D7E0C089C0), still vain attempt. Since the password
> is not received in the auth request and Challenge doesn't have the same
> information, does the wifi client end the communication as soon as it
> receives Challenge?

  It looks that way.

  You can't fix the Wifi client, and you can't change its behavior.

> NOTE: The server certificate was imported and trusted before trying this
> operation and still when a blank password is sent in the Radius auth
> request, the handshake between client and server stops when the last
> Challenge is sent from the radius server.
> 
> Is this a valid scenario with what I'm trying to wrt the EAP/PEAP protocol?

  It's interesting, but I don't think it will work.

  Try it with a real password first, to be sure that the certificates, etc.
are all correct.  Then if the "no password" test fails, you know the failure
is due to a missing password, and not to anything else.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

