Configuring WPA2-Enterprise with Freeradius

I'm trying to set up an authenticated Wi-Fi network with Freeradius. I've managed to get things working using self-signed certs, etc.

The problem is that Windows clients need to uncheck the "Automatically use my Windows logon name and password [etc.]" option in the MSCHAPv2 settings. When I connect to my local university's network with Eduroam, it automatically asks for a username and password instead of sending the Windows login credentials. How did the sysadmins accomplish this? Is it some kind of RADIUS attribute that gets sent back?


Solution 1:

This is more of an answer to the comments than the question, but putting it here so I can format it:

You could use the DEFAULT entry in your users file along with a huntgroup to match users based on the username provided.

The first step would be to run radiusd in debug mode (radiusd -X) and capture the format in which the username arrives when the client is authenticating as the logged-in user; IIRC it's something like /hostname$/account.

You can then specify the huntgroup in $raddbdir/huntgroups using a regular expression:

badusers User-Name =~ ^aregex.*$

Then add the huntgroup to a rule with an access-reject return type in the users file.

DEFAULT Huntgroup-Name == badusers, Auth-Type := Reject

Whether this will cause Windows to prompt for a username and password depends on your NAS and the Windows WPA supplicant.
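The following is an added example, not part of the answer above: a small Python script that emulates the huntgroup-plus-DEFAULT-entry logic so you can check a candidate User-Name regex against usernames captured from radiusd -X before touching the live configuration. The sample usernames and the two regexes are assumptions for illustration (they model the commonly seen "host/machine" computer-account form and the "DOMAIN\user" auto-logon form); the real formats must be confirmed from your own debug output, and the quoting/escaping rules of the huntgroups file apply when the pattern is copied over.

```python
import re

# Constructed sample User-Name values, modelled on what Windows supplicants
# are commonly observed to send. ASSUMPTION: confirm the real formats from
# the output of `radiusd -X` on your own server before relying on them.
SAMPLE_USERNAMES = [
    "host/PC01.corp.example.com",  # computer-account (machine) authentication
    "CORP\\jsmith",                # automatic logon credentials, DOMAIN\user form
    "jsmith@corp.example.com",     # user typed a UPN-style name by hand
    "jsmith",                      # plain username typed by hand
]

# Huntgroup definitions as (name, regex). Each entry mirrors one line in
# $raddbdir/huntgroups of the form:
#     badusers  User-Name =~ "<regex>"
# The patterns are hypothetical; in the huntgroups file the regex is a
# double-quoted string, so a literal backslash must be escaped there.
HUNTGROUPS = [
    ("badusers", re.compile(r"^host/.*$")),          # machine accounts
    ("badusers", re.compile(r"^[^\\]+\\[^\\]+$")),   # DOMAIN\user auto-logon
]


def matching_huntgroups(username: str) -> set[str]:
    """Return the names of all huntgroups whose User-Name regex matches.

    This mirrors how FreeRADIUS assigns Huntgroup-Name from the huntgroups
    file: every entry is checked and the first matching name is used; here we
    collect all matches so the caller can see overlapping rules.
    """
    return {name for name, pattern in HUNTGROUPS if pattern.search(username)}


def decide(username: str) -> str:
    """Emulate the users-file entry:

        DEFAULT Huntgroup-Name == badusers, Auth-Type := Reject

    Returns "Reject" for usernames in the badusers huntgroup, otherwise
    "Accept" (standing in for whatever normal authentication would do).
    """
    if "badusers" in matching_huntgroups(username):
        return "Reject"
    return "Accept"


def evaluate_all(usernames: list[str]) -> dict[str, str]:
    """Map each captured username to the decision it would receive."""
    return {u: decide(u) for u in usernames}


if __name__ == "__main__":
    for user, verdict in evaluate_all(SAMPLE_USERNAMES).items():
        print(f"{user!r:40} -> {verdict}")
```

One caveat when moving this into a real deployment: with PEAP the User-Name seen by the outer virtual server may be an anonymous outer identity, in which case the huntgroup match has to be applied where the inner identity is visible (the inner-tunnel virtual server), and the mapping from a Reject to a Windows credential prompt still depends on the NAS and supplicant, as the answer notes.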