Haha! I've got it working. I moved most of the stuff you guys wanted in sites-enabled/default into sites-enabled/inner-tunnel and it works. default decrypts/whatever the eap stuff, and passes that into inner tunnel, which does the api stuff to actually auth the user. Still need to work out some kinks (most of which are probably because I'm using postgresql instead of some more mainstream stuff [like no function unix_timestamp and such]).
On Saturday, November 17, 2018 at 8:58:07 PM UTC-6, 2stacks wrote:
>
> Hmm. Grab a wireshark capture of a request using radtest for comparison.
> I'll have to do some research on the Meraki MT24's.
>
> On Sat, Nov 17, 2018, 6:19 PM Marty Plummer <[email protected]> wrote:
>
>> Nothing in there that I can see that looks like that. Do you mean an md5
>> hash like say 'echo -n PasswordGoesHere | md5sum' or one of those salted
>> ones?
>>
>> On Saturday, November 17, 2018 at 5:14:15 PM UTC-6, 2stacks wrote:
>>>
>>> Yes, sorry I meant NAS. You should see an md5 hash of the password in
>>> the access request packet. Use wireshark to decode each packet type. That
>>> always helps me.
>>>
>>> https://wiki.freeradius.org/protocol/Access-Request
>>>
>>> On Sat, Nov 17, 2018, 5:53 PM Marty Plummer <[email protected]> wrote:
>>>
>>>> Oh wait, do you mean the NAS? Those are all Cisco Meraki MT24's running
>>>> OpenWRT (hopefully once I get this sorted I'll be able to manage them with
>>>> openwisp). I've managed to get a capture of one of the packets, I'm not
>>>> seeing a User-Password attribute at all.
>>>>
>>>> 22:42:45.609551 IP (tos 0x0, ttl 63, id 12096, offset 0, flags [none], proto UDP (17), length 225)
>>>>     10.141.99.51.41461 > 23684b3bc3a7.1812: [udp sum ok] RADIUS, length: 197
>>>>     Access-Request (1), id: 0x88, Authenticator: 6841fe060f8f623bdc8c09250ccc73e8
>>>>       User-Name Attribute (1), length: 10, Value: aleath56
>>>>         0x0000:  616c 6561 7468 3536
>>>>       Called-Station-Id Attribute (30), length: 31, Value: 8A-DC-96-07-AF-F5:GoodSamWifi
>>>>         0x0000:  3841 2d44 432d 3936 2d30 372d 4146 2d46
>>>>         0x0010:  353a 476f 6f64 5361 6d57 6966 69
>>>>       NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
>>>>         0x0000:  0000 0013
>>>>       Service-Type Attribute (6), length: 6, Value: Framed
>>>>         0x0000:  0000 0002
>>>>       NAS-Port Attribute (5), length: 6, Value: 1
>>>>         0x0000:  0000 0001
>>>>       Calling-Station-Id Attribute (31), length: 19, Value: C0-EE-FB-5B-6A-1F
>>>>         0x0000:  4330 2d45 452d 4642 2d35 422d 3641 2d31
>>>>         0x0010:  46
>>>>       Connect-Info Attribute (77), length: 24, Value: CONNECT 54Mbps 802.11a
>>>>         0x0000:  434f 4e4e 4543 5420 3534 4d62 7073 2038
>>>>         0x0010:  3032 2e31 3161
>>>>       Acct-Session-Id Attribute (44), length: 18, Value: 3397D5BA38CC6B22
>>>>         0x0000:  3333 3937 4435 4241 3338 4343 3642 3232
>>>>       Unknown Attribute (186), length: 6, Value:
>>>>         0x0000:  000f ac04
>>>>       Unknown Attribute (187), length: 6, Value:
>>>>         0x0000:  000f ac04
>>>>       Unknown Attribute (188), length: 6, Value:
>>>>         0x0000:  000f ac01
>>>>       Framed-MTU Attribute (12), length: 6, Value: 1400
>>>>         0x0000:  0000 0578
>>>>       EAP-Message Attribute (79), length: 15, Value: ..
>>>>         0x0000:  02e6 000d 0161 6c65 6174 6835 36
>>>>       Message-Authenticator Attribute (80), length: 18, Value: .....qV....Q...G
>>>>         0x0000:  aab7 b311 a071 5616 16cc ff51 e72e 0847
>>>>
>>>> On Saturday, November 17, 2018 at 4:20:01 PM UTC-6, Marty Plummer wrote:
>>>>>
>>>>> Clients are varied, I've tried with android (running lineageos,
>>>>> relatively recent update) and windows 10 (yeah, I kinda expect that to be
>>>>> fucky). I also have some users using various mac hardware. The only thing
>>>>> that tests correctly is radtest and manual curls.
>>>>>
>>>>> On Saturday, November 17, 2018 at 3:54:25 PM UTC-6, 2stacks wrote:
>>>>>>
>>>>>> Apologies if I'm asking things you've already answered but what is the
>>>>>> client that should be sending the password? Have you tried capturing the
>>>>>> traffic to see if the password is being sent? Did you say if testing with
>>>>>> radtest works? Perhaps it's not a freeradius config issue but something
>>>>>> wonky with the client.
>>>>>>
>>>>>> On Sat, Nov 17, 2018, 4:33 PM Marty Plummer <[email protected]> wrote:
>>>>>>
>>>>>>> Even with using exactly and only what you have in the authorize...etc
>>>>>>> sections of sites-available/default, %{User-Password} still expands to
>>>>>>> empty. There has been no change to that regardless of what suggested
>>>>>>> changes I've made.
>>>>>>>
>>>>>>> On Saturday, November 17, 2018 at 1:42:08 PM UTC-6, Federico Capoano wrote:
>>>>>>>>
>>>>>>>> PS:
>>>>>>>>
>>>>>>>> On Saturday, November 17, 2018 at 8:28:29 PM UTC+1, Marty Plummer wrote:
>>>>>>>>>
>>>>>>>>> So is that authorize section the entire thing? As in, comment
>>>>>>>>> out/delete the defaults and replace it with that?
>>>>>>>>>
>>>>>>>> Yes
>>>>>>>>

--
You received this message because you are subscribed to the Google Groups "OpenWISP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
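The capture quoted in the thread shows why %{User-Password} expands to empty in the outer `default` server: the Access-Request carries an EAP-Message (an EAP-Response/Identity) and no User-Password attribute, because with tunnelled EAP the password travels inside the TLS-protected inner exchange that only `inner-tunnel` gets to see. As an added example (not code from the thread, FreeRADIUS or OpenWISP), this Python snippet rebuilds that datagram from the attribute values printed in the tcpdump output, parses it as a RADIUS packet and reports what the outer server can actually see; attribute and EAP field numbers are the standard ones from RFC 2865, RFC 2869 and RFC 3748, and the packet bytes are constructed here from the dump's values.

```python
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2869) relevant to the thread.
USER_PASSWORD, EAP_MESSAGE = 2, 79

def _avp(attr_type, value):  # Type, Length (includes the 2-byte header), Value
    return bytes([attr_type, len(value) + 2]) + value

_ATTRS = [  # Access-Request rebuilt from the attribute values in the tcpdump output above (id 0x88)
    (1, b"aleath56"), (30, b"8A-DC-96-07-AF-F5:GoodSamWifi"),
    (61, struct.pack(">I", 19)), (6, struct.pack(">I", 2)), (5, struct.pack(">I", 1)),
    (31, b"C0-EE-FB-5B-6A-1F"), (77, b"CONNECT 54Mbps 802.11a"), (44, b"3397D5BA38CC6B22"),
    (186, bytes.fromhex("000fac04")), (187, bytes.fromhex("000fac04")),
    (188, bytes.fromhex("000fac01")), (12, struct.pack(">I", 1400)),
    (79, bytes.fromhex("02e6000d01616c656174683536")),        # EAP-Message
    (80, bytes.fromhex("aab7b311a071561616ccff51e72e0847")),  # Message-Authenticator
]
_BODY = b"".join(_avp(t, v) for t, v in _ATTRS)
CAPTURE = (struct.pack(">BBH", 1, 0x88, 20 + len(_BODY))
           + bytes.fromhex("6841fe060f8f623bdc8c09250ccc73e8") + _BODY)

def parse_radius(pkt):
    """Return (code, id, authenticator, [(type, value), ...]); raise on a malformed datagram."""
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS Length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, pkt[4:20], attrs

def explain(pkt):
    """What the outer 'default' virtual server can see: a User-Password, or only EAP?"""
    _, ident, _, attrs = parse_radius(pkt)
    present = {t for t, _ in attrs}
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)  # fragments concatenate
    info = {"id": ident, "has_user_password": USER_PASSWORD in present,
            "has_eap": EAP_MESSAGE in present, "eap": None}
    if len(eap) >= 4:  # EAP header (RFC 3748): code (1 Request, 2 Response), id, length
        code, eap_id, eap_len = struct.unpack(">BBH", eap[:4])
        info["eap"] = {"code": code, "id": eap_id, "length": eap_len}
        if code in (1, 2) and eap_len >= 5:
            info["eap"]["type"] = eap[4]  # 1 = Identity: the only part sent in the clear
            if eap[4] == 1:
                info["eap"]["identity"] = eap[5:eap_len].decode("ascii", "replace")
    return info
```

For the captured request, `explain(CAPTURE)` reports no User-Password, an EAP-Response/Identity for `aleath56`, and nothing else the outer server could feed to an API call; the same check on a radtest Access-Request would show a User-Password and no EAP-Message, which is why radtest worked while the clients did not.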
