RE: EAP and automatically authenticating users

2012-05-17 Thread David Peterson
Looks like this in the inner-tunnel works for automatically authorizing and
setting up unknown usernames and passwords.

update control {
    Auth-Type := Accept
}
update outer.reply {
    Framed-Filter-Id := Test
}

-Original Message-
From: freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org
On Behalf Of David Peterson
Sent: Thursday, May 17, 2012 9:49 AM
To: 'FreeRadius users mailing list'
Subject: RE: EAP and automatically authenticating users

Awesome!

Would you put the reply in there as well for Framed-Filter-Id?

David

-Original Message-
From: freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org
On Behalf Of Phil Mayers
Sent: Thursday, May 17, 2012 8:34 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP and automatically authenticating users

On 17/05/12 12:18, David Peterson wrote:
> They are currently using EAP-TTLS. I tried to add something in last 
> night but either the lateness of the evening or my skills were not up 
> to par. Where would you add the access-accept?

Something like this in "sites-available/inner-tunnel":

authorize {
    ...
    # check the username, and also check the request is PAP
    # i.e. there's a User-Password sent from the client
    if ((User-Name == permit) && (User-Password)) {
        update control {
            Auth-Type := Accept
        }
    }
    ...
}

There are other variants; the list of users could be in SQL, LDAP, files,
etc.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
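
Added example (not part of the original thread or of FreeRADIUS itself): a small Python check that walks an unlang fragment and reports, for each forced "Auth-Type := Accept" inside "update control", whether it is unconditional, guarded by a condition, and whether that condition tests User-Password as suggested in the thread. The two sample inputs are the snippets posted above; the function names and the simple line-based parsing are assumptions of this example.

```python
import re

# Sample input: the two snippets posted in this thread.
UNCONDITIONAL = """
update control {
    Auth-Type := Accept
}
update outer.reply {
    Framed-Filter-Id := Test
}
"""
GUARDED = """
authorize {
    # check the username, and also check the request is PAP
    if ((User-Name == permit) && (User-Password)) {
        update control {
            Auth-Type := Accept
        }
    }
}
"""

ACCEPT = re.compile(r"^Auth-Type\s*:?=\s*Accept\b", re.I)
COND = re.compile(r"(if|elsif|else)\b")

def find_forced_accepts(text):
    """Return [(line_no, [enclosing conditional headers])] per forced accept."""
    stack, hits = [], []              # stack holds the header of each open block
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments (assumes no '#' in strings)
        if line.startswith("}"):              # closes a block; also handles "} else {"
            if stack:
                stack.pop()
            line = line[1:].strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif ACCEPT.match(line) and stack and stack[-1].startswith("update control"):
            hits.append((no, [h for h in stack if COND.match(h)]))
    return hits

def review(text):
    """Classify each forced accept by how tightly it is scoped."""
    findings = []
    for no, conds in find_forced_accepts(text):
        if not conds:
            findings.append((no, "unconditional accept"))
        elif not any("User-Password" in c for c in conds):
            findings.append((no, "accept not limited to PAP requests"))
        else:
            findings.append((no, "guarded by: " + " / ".join(conds)))
    return findings

if __name__ == "__main__":
    for name, sample in (("unconditional", UNCONDITIONAL), ("guarded", GUARDED)):
        print(name, review(sample))
```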


RE: EAP and automatically authenticating users

2012-05-17 Thread David Peterson
Awesome!

Would you put the reply in there as well for Framed-Filter-Id?

David

-Original Message-
From: freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org
On Behalf Of Phil Mayers
Sent: Thursday, May 17, 2012 8:34 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP and automatically authenticating users

On 17/05/12 12:18, David Peterson wrote:
> They are currently using EAP-TTLS. I tried to add something in last 
> night but either the lateness of the evening or my skills were not up 
> to par. Where would you add the access-accept?

Something like this in "sites-available/inner-tunnel":

authorize {
    ...
    # check the username, and also check the request is PAP
    # i.e. there's a User-Password sent from the client
    if ((User-Name == permit) && (User-Password)) {
        update control {
            Auth-Type := Accept
        }
    }
    ...
}

There are other variants; the list of users could be in SQL, LDAP, files,
etc.


Re: EAP and automatically authenticating users

2012-05-17 Thread Phil Mayers

On 17/05/12 12:18, David Peterson wrote:

> They are currently using EAP-TTLS. I tried to add something in last
> night but either the lateness of the evening or my skills were not up to
> par. Where would you add the access-accept?


Something like this in "sites-available/inner-tunnel":

authorize {
    ...
    # check the username, and also check the request is PAP
    # i.e. there's a User-Password sent from the client
    if ((User-Name == permit) && (User-Password)) {
        update control {
            Auth-Type := Accept
        }
    }
    ...
}

There are other variants; the list of users could be in SQL, LDAP, 
files, etc.



RE: EAP and automatically authenticating users

2012-05-17 Thread David Peterson
They are currently using EAP-TTLS.  I tried to add something in last night
but either the lateness of the evening or my skills were not up to par.
Where would you add the access-accept?


David

 

From: freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org
On Behalf Of Alberto Martínez
Sent: Thursday, May 17, 2012 4:25 AM
To: FreeRadius users mailing list
Subject: Re: EAP and automatically authenticating users

 

Or, you can use EAP-TLS.

-- 
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone:  +34 - 94 413 90 00 Ext 2684
Fax:+34 - 94 413 91 01


Re: EAP and automatically authenticating users

2012-05-17 Thread Alberto Martínez
Or, you can use EAP-TLS.

-- 
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone:  +34 - 94 413 90 00 Ext 2684
Fax:+34 - 94 413 91 01

Re: EAP and automatically authenticating users

2012-05-17 Thread Phil Mayers

On 05/17/2012 06:15 AM, David Peterson wrote:

> I have a couple of users who have unknown usernames and passwords.  They are
> also using EAP-TTLS for authentication.  Is there a way to automatically
> authenticate all of them and if so, can I also send the Framed-Filter-Id
> attribute with the authentication response as if the user were truly
> authorized.


If they are doing EAP-TTLS/PAP, yes - you can force "Auth-Type = Accept" 
in the inner tunnel, and send any reply attribute you like including 
Framed-Filter-Id.


For any other EAP type/combination, no. They're all challenge/response 
mechanisms that require successful completion of the cryptographic 
exchange, which requires shared secrets (passwords).



EAP and automatically authenticating users

2012-05-16 Thread David Peterson
I have a couple of users who have unknown usernames and passwords.  They are
also using EAP-TTLS for authentication.  Is there a way to automatically
authenticate all of them and if so, can I also send the Framed-Filter-Id
attribute with the authentication response as if the user were truly
authorized.


David

