Hi. I have discovered that my goal is possible. However, I had to change the
way I was thinking about the authentication. Essentially, the rlm_perl script
does not perform the password comparison--it only retrieves the password and
makes it available to the mschap module.
Summary: Yes, you can authenticate Windows clients with WPA2 PEAP using a perl
script.
--
Ray Eads
-----Original Message-----
From: freeradius-users-bounces+reads=sno-isle@lists.freeradius.org
[mailto:freeradius-users-bounces+reads=sno-isle@lists.freeradius.org] On
Behalf Of Ray Eads
Sent: Monday, December 05, 2011 14:30
To: 'freeradius-users@lists.freeradius.org'
Subject: wpa2 freeradius peap rlm_perl
Hi. I'm using freeradius-2.1.10-5.el6.x86_64 from RHEL 6. I'd like to use
freeradius to accomplish a specific authentication goal, and haven't met with
success yet. I'm assuming this is either because the configuration is
difficult, or I'm trying to solve the problem the wrong way, or I don't
understand the protocols, or a combination of all three.
Essentially, I'd like to have an access point offer WPA2 Enterprise
authentication to wireless devices of various makes and models. I'd like the
user to submit for traditional username/password authentication to the radius
server (without a client side certificate). I'm able to produce a yes/no
answer with an rlm_perl script that functions as expected with a normal radius
query. My problem is that I haven't been able to connect that rlm script
properly when freeradius is contacted as part of an EAP message.
From what I can tell, my choice of Windows compatible EAP types is fairly
limited. I've used PEAP in the past, but only with the intended AD repository
of passwords. With this application, I'd like to use the rlm_perl script
instead of AD accounts as a source of usernames and passwords.
Big picture-wise, am I on the right path, or is this fundamentally the wrong
way? I'm imagining a PEAP -> rlm_perl configuration.
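
The division of labour described in the reply at the top of this thread, as an added example that is not code from the original poster or from the FreeRADIUS project: the rlm_perl `authorize` hook only looks the password up and places it in the check items, and the mschap module does the comparison. The `%users` table and `lookup_password` helper are hypothetical stand-ins for the real credential source, and the sketch assumes the perl module is listed in the `authorize` section of the virtual server that handles the PEAP inner tunnel.

```perl
use strict;
use warnings;

# Hashes that rlm_perl shares with the server for each request.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes rlm_perl expects (same values as the example.pl shipped
# with FreeRADIUS).
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_UPDATED  => 8,
};

# Constructed sample data; a real deployment queries its own store here.
my %users = ( 'alice' => 'constructed-sample-password' );

# Hypothetical helper: returns the stored password, or undef if unknown.
# MS-CHAPv2 needs the cleartext password (or its NT hash), so a store
# that only holds salted hashes cannot feed this hook.
sub lookup_password {
    my ($name) = @_;
    return $users{$name};
}

# Called in the authorize phase. It makes no accept/reject decision on
# the password: there is no cleartext User-Password to compare against
# inside PEAP/MS-CHAPv2, only a challenge and response.
sub authorize {
    my $name = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOTFOUND unless defined $name && length $name;

    my $password = lookup_password($name);
    return RLM_MODULE_NOTFOUND unless defined $password;

    # Hand the password to the server as a check item; the mschap module
    # verifies the client's response against it in the authenticate phase.
    $RAD_CHECK{'Cleartext-Password'} = $password;
    return RLM_MODULE_UPDATED;
}

# No authenticate() is defined on purpose: the perl module is not meant
# to be listed in the authenticate section in this setup.
1;
```

The script never writes the retrieved password to a log; only the check item carries it to the mschap module.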