Configuring WPA2-Enterprise with FreeRADIUS
I'm trying to set up an authenticated wifi network with FreeRADIUS. I've managed to get things working using self-signed certs etc.
The problem is Windows clients need to uncheck the "Automatically use my Windows logon name and password [etc.]" option in the MSCHAPv2 settings. When I connect to my local university with Eduroam, it automatically asks for a username and password instead of sending Windows login credentials. How did the sysadmins accomplish this? Is it some kind of RADIUS Attribute that gets sent back?
Solution 1:
This is more of an answer to the comments than the question, but putting it here so I can format it:
You could use the DEFAULT entry in your users file along with a huntgroup to match users based on the username provided.
First step would be to run radiusd in debug mode

    radiusd -X

and capture the format which the username comes in as when it's authenticating as the logged in user, iirc it's something like /hostname$/account.
You can then specify the huntgroup in $raddbdir/huntgroups using a regular expression:

    badusers User-Name =~ ^aregex.*$

Then add the huntgroup to a rule with an access-reject return type in the users file.

    DEFAULT Huntgroup-Name == badusers, Auth-Type := Reject

Whether this will cause Windows to prompt for a username and password depends on your NAS and the Windows WPA supplicant.
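
One way to preview which captured usernames a candidate huntgroup regex would reject before adding the reject rule, as an added example that is not part of the original answer. The sample debug lines, the `CANDIDATE` pattern, the doubled-backslash handling and the function names are constructed assumptions, and Python's `re` stands in for the regex engine your FreeRADIUS build uses, so keep the pattern simple.

```python
import re

# Constructed sample of `radiusd -X` output; real lines vary by FreeRADIUS version.
SAMPLE_DEBUG = r'''
(0) Received Access-Request Id 12 from 192.0.2.10:51000 to 192.0.2.1:1812 length 180
(0)   User-Name = "host/LAB-PC01.example.test"
(0)   NAS-IP-Address = 192.0.2.10
(1) Received Access-Request Id 13 from 192.0.2.10:51000 to 192.0.2.1:1812 length 176
(1)   User-Name = "EXAMPLE\\alice"
(2) Received Access-Request Id 14 from 192.0.2.10:51000 to 192.0.2.1:1812 length 170
(2)   User-Name = "bob@example.test"
rad_recv: Access-Request packet from host 192.0.2.10 port 51000, id=15, length=168
    User-Name = "EXAMPLE\\alice"
'''

# Matches a User-Name attribute line, with or without a "(n)" request prefix.
USERNAME_LINE = re.compile(r'^\s*(?:\(\d+\)\s+)?User-Name\s*=\s*"(.*)"\s*$', re.M)

# Hypothetical pattern: machine accounts (host/...) and DOMAIN\user logons.
# Replace it with one built from the formats seen in your own debug output.
CANDIDATE = r'^(host/|[^\\@]+\\)'


def extract_usernames(debug_text):
    """Return distinct User-Name values in first-seen order."""
    seen = []
    for raw in USERNAME_LINE.findall(debug_text):
        # Assumption: the debug log prints a backslash doubled; undo that.
        name = raw.replace("\\\\", "\\")
        if name not in seen:
            seen.append(name)
    return seen


def preview_huntgroup(pattern, usernames):
    """Split usernames into (rejected, allowed) as `User-Name =~ pattern` would."""
    rx = re.compile(pattern)
    rejected = [u for u in usernames if rx.search(u)]
    allowed = [u for u in usernames if not rx.search(u)]
    return rejected, allowed


if __name__ == "__main__":
    rejected, allowed = preview_huntgroup(CANDIDATE, extract_usernames(SAMPLE_DEBUG))
    for name in rejected:
        print("would reject:", name)
    for name in allowed:
        print("would allow: ", name)
```

Any username a real user types by hand that lands in the rejected list means the pattern is too broad for the huntgroup.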