Hi everyone!
I’m busy configuring a fleet of CAP devices to authenticate with a corporate FreeRadius server. Following all instructions I can find on the Wiki and beyond, I simply can’t get the CAPs to behave properly. They’re being managed via CAPSman. The problem is that although wireless clients recognise that EAP is required and collect credentials, the CAPs are not passing through the password to the RADIUS server. There’s no password at all, not in the clear, not in the form of a CHAP challenge, nothing. I’ve checked every available option and it simply won’t send the password. Could others who have managed to get this working please share snippets of their working configuration?
My RADIUS config on the CAPSman server:
```
/radius
add address=10.123.123.124 secret=testing123 service=ppp,login,hotspot,wireless,dot1x src-address=10.123.123.123
/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough eap-radius-accounting=yes encryption=aes-ccm group-encryption=aes-ccm name=cvp_enterprise passphrase=testing567 tls-mode=no-certificates
```
Here’s what’s being forwarded to RADIUS:
```
rad_recv: Access-Request packet from host 10.123.123.123 port 36521, id=13, length=157
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = "myusername"
NAS-Port-Id = "cap57"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "82000008"
Calling-Station-Id = "38-F9-D3-81-1F-F3"
Called-Station-Id = "73-5C-28-B6-BC-D1:CVP Test"
EAP-Message = 0x02020007016a64
Message-Authenticator = 0xd2a26e86eeadcbb0904a81ac73765882
NAS-Identifier = "my-switch"
NAS-IP-Address = 10.123.123.123
```
As you can see - it’s sending the username, but no password in sight. Any help appreciated!