9

I'm trying to set up an authenticated Wi-Fi network with FreeRADIUS. I've managed to get things working using self-signed certs etc.

The problem is that Windows clients need to uncheck the "Automatically use my Windows logon name and password [etc.]" option in the MSCHAPv2 settings. When I connect to my local university with Eduroam, it automatically asks for a username and password instead of sending Windows login credentials. How did the sysadmins accomplish this? Is it some kind of RADIUS attribute that gets sent back?

Vincent O.
  • 91
  • 2
  • Have you tried emailing the administrators of your University's Eduroam? – Michael Feb 03 '12 at 17:22
  • I have emailed my national eduroam administrator, no answer so far. – Vincent O. Feb 18 '12 at 15:29
  • It may be just that, when the initial credentials get sent, RADIUS kicks back Access-Reject so Windows decides to prompt the user instead of sending the other credentials again. Are you using SecureW2 or something else? – Michael Feb 18 '12 at 21:21
  • Edit: Now it's broken again. I am using the Win7 native supplicant. How do I send back Access-Reject? Can I use the DEFAULT entry in the users config file for that, and if so, how? – Vincent O. Feb 22 '12 at 16:27
  • Every guide I've seen for Eduroam requires you to make the same changes to the configuration profile for Eduroam. – Zanchey Oct 04 '12 at 13:15
  • Which version of FreeRADIUS are you running? 2.1.11 added support for send_error in mschapv2, which might be what you are after. – JasperWallace Apr 01 '13 at 16:46

1 Answer

2

This is more of an answer to the comments than the question, but putting it here so I can format it:

You could use the DEFAULT entry in your users file along with a huntgroup to match users based on the username provided.

The first step would be to run radiusd in debug mode (radiusd -X) and capture the format the username comes in as when it's authenticating as the logged-in user; IIRC it's something like /hostname$/account.

You can then specify the huntgroup in $raddbdir/huntgroups using a regular expression:

badusers User-Name =~ "^aregex.*$"

Then add the huntgroup to a rule with an Access-Reject return type in the users file:

DEFAULT Huntgroup-Name == badusers, Auth-Type := Reject

Whether this will cause Windows to prompt for a username and password depends on your NAS and the Windows WPA supplicant.

James Yale
  • 5,042
  • 1
  • 16
  • 20
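The huntgroup approach in the answer above hinges on one regular expression: too loose and it rejects legitimate users (user@realm, DOMAIN\user), too tight and the machine-account logon slips through. The following Python script is an added example, not code from the original post or from the FreeRADIUS project. It assumes, as a labelled guess, that the Windows supplicant presents the computer account as "host/<hostname>$" (the answer says to confirm the real format with radiusd -X), and it tests a candidate huntgroup pattern against constructed sample User-Name values before rendering the huntgroups and users file lines.

```python
import re

# Candidate huntgroup regex for the machine-account form of User-Name.
# ASSUMPTION: the Windows supplicant sends "host/<hostname>$"; confirm the
# actual format from "radiusd -X" output before deploying this.  "[$]" is
# used instead of "\$" so the pattern reads the same in Python's re and
# in the POSIX-style regexes FreeRADIUS compiles from the huntgroups file.
MACHINE_ACCOUNT_REGEX = r"^host/[^/@]+[$]$"

# Constructed sample User-Name values (not taken from the original post).
# True  = should land in the "badusers" huntgroup and be rejected.
# False = an ordinary user who must still be allowed to authenticate.
SAMPLES = {
    "host/LAPTOP01$": True,
    "host/lab-pc-7$": True,
    "alice@example.edu": False,
    "EXAMPLE\\alice": False,
    "host/LAPTOP01": False,   # no trailing "$": not a machine account
    "bob": False,
}


def is_bad_user(user_name: str, pattern: str = MACHINE_ACCOUNT_REGEX) -> bool:
    """True if User-Name would match the badusers huntgroup regex."""
    return re.search(pattern, user_name) is not None


def huntgroups_entry(name: str = "badusers",
                     pattern: str = MACHINE_ACCOUNT_REGEX) -> str:
    """Render the $raddbdir/huntgroups line; the regex must be quoted."""
    return f'{name}\tUser-Name =~ "{pattern}"'


def users_entry(name: str = "badusers") -> str:
    """Render the matching DEFAULT entry for the users file."""
    return f"DEFAULT\tHuntgroup-Name == {name}, Auth-Type := Reject"


def mismatches(samples: dict = SAMPLES,
               pattern: str = MACHINE_ACCOUNT_REGEX) -> list:
    """Usernames whose classification differs from the expected one.

    An empty list means the pattern rejects every machine-account sample
    and none of the real-user samples (no false positives or negatives).
    """
    return [u for u, expected in samples.items()
            if is_bad_user(u, pattern) != expected]


if __name__ == "__main__":
    print("# huntgroups\n" + huntgroups_entry())
    print("# users\n" + users_entry())
    for u in SAMPLES:
        verdict = "REJECT (badusers)" if is_bad_user(u) else "pass through"
        print(f"{u!r:24} -> {verdict}")
    print("mismatches:", mismatches())
```

Run it once with the real User-Name strings copied from radiusd -X in place of the constructed samples; a non-empty mismatches() list means the regex needs adjusting before it goes into $raddbdir/huntgroups.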