Greetings,

We had our FreeIPA configuration implode a while back, so the decision was made 
to switch our Linux servers to using realm and sssd for authentication.  No 
real issues until they switched the server that Radiator was running on, which 
broke wireless authentication:


Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: PEAP Authentication Failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'adoe2': The specified account does not exist.
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: 140.107.6.10: cf-wlc: Access-Request: a4-83-e7-58-60-75: a0-93-51-a9-fc-c0:Marconi
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: : cf-wlc: Access-Request: a4-83-e7-58-60-75:
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: PEAP Authentication Failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jdoe': The specified account does not exist.
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:16 2023: wifi: FAIL: jdoe: jdoe: 140.107.6.10: cf-wlc: Access-Request: 3c-22-fb-e2-d1-70: 68-3b-78-d6-5c-20:Marconi
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:16 2023: wifi: FAIL: jdoe: jdoe: : cf-wlc: Access-Request: 3c-22-fb-e2-d1-70:
Jun 17 14:01:17 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jsmith': The specified account does not exist.

So, I logged in to see what changes were made and concluded that switching to 
realm / sssd meant that since our wifi was using PEAP and AuthBy NTLM .... 
that wouldn't work any longer.  Anyway, I reverted to the previous 
configuration (snapshots are great).  So, the immediate problem is solved.

The real question -- can I redo my PEAP configuration to work with Kerberos?  
Looking at the samples in goodies, I see krb5.conf, but it contains:

# Works with RADIUS-PAP, TTLS-PAP.

I see the heimdal config, but am not sure how that relates to Kerberos.  Can I 
refashion that to work with my AD?

Handler section from my radiator config:


#####################################################################
# Handlers
#####################################################################
#
#### Wireless Clients using PEAP #####
# The most popular method, supported by default by Windows.  Does not require a
# client-side cert and is thus considered less secure than EAP-TLS
<Handler TunnelledByPEAP=1>
        RejectHasReason
        AuthLog wifi-authlog

        <AuthBy NTLM>
                include /etc/radiator/eap.txt
                NtlmAuthProg  /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
                Domain XXXXX
                DefaultDomain XXXXX
                EAPType MSCHAP-V2
        </AuthBy>
</Handler>

#### Outer Handler #####
# When clients check the 'Validate Server Certificate' (or equivalent), then
# this stanza plays a key role
<Handler>
        AuthByPolicy    ContinueUntilAccept
        AuthLog wifi-authlog
        RejectHasReason

        <AuthBy FILE>
                Filename %D/users.anonymous
                EAPType PEAP,TTLS
                EAPTLS_PEAPVersion 0
                include /etc/radiator/eap.txt
                EAPTLS_CertificateType PEM
#                EAPTLS_PrivateKeyPassword everwhat
                EAPTLS_MaxFragmentSize 1024
                EAPTLS_SecurityLevel 1
                EAPTLS_Ciphers DEFAULT@SECLEVEL=1
                EAPTLS_Protocols TLSv1, TLSv1.1, TLSv1.2
                EAPAnonymous %0
                AutoMPPEKeys
                SSLeayTrace 4
        </AuthBy>
</Handler>


Any help or hints would be greatly appreciated.

Thank you!

                              -p


Pat Hirayama
Pronouns: he/him/his
Systems Engineer
IT | Systems Engineering
Fred Hutchinson Cancer Center
O 206.667.4856
[email protected]
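One triage step for the log excerpt in the message above, as an added example that is not part of the original post or of Radiator itself: parse the radiusd syslog lines per user and separate a helper-wide "account does not exist" (every failing user, pointing at the ntlm_auth/winbind side rather than at credentials) from an individual credential failure. The sample lines are constructed from the message shapes shown above, with one extra user ("bob") and a made-up reason string added to show the other branch.

```python
import re
from collections import defaultdict

# Constructed sample in the same shapes as the radiusd lines quoted in the
# message; the 'bob' line and its reason are invented for illustration.
SAMPLE_LOG = """\
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: PEAP Authentication Failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'adoe2': The specified account does not exist.
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: 140.107.6.10: cf-wlc: Access-Request: a4-83-e7-58-60-75: a0-93-51-a9-fc-c0:Marconi
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: : cf-wlc: Access-Request: a4-83-e7-58-60-75:
Jun 17 14:01:17 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jsmith': The specified account does not exist.
Jun 17 14:01:20 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'bob': CONSTRUCTED_WRONG_PASSWORD_REASON
"""

MISSING = "The specified account does not exist"
REJECT_RE = re.compile(r"Access rejected for (?P<user>[^:\s]+): (?P<reason>.+)$")
NTLM_RE = re.compile(r"NTLM Could not authenticate user '(?P<user>[^']+)': (?P<reason>.+)$")
# AuthLog line: "wifi: FAIL: <user>: <orig user>: <NAS ip>: <client>: ..."
AUTHLOG_RE = re.compile(r"wifi: FAIL: (?P<user>[^:]+): [^:]*: (?P<nas>[^:]*): (?P<client>[^:]+): ")

def parse_radiator_log(text):
    """Group the three kinds of failure evidence per user."""
    users = defaultdict(lambda: {"eap": [], "ntlm": [], "nas": set()})
    for line in text.splitlines():
        if (m := NTLM_RE.search(line)):
            users[m["user"]]["ntlm"].append(m["reason"].rstrip("."))
        elif (m := REJECT_RE.search(line)):
            users[m["user"]]["eap"].append(m["reason"])
        elif (m := AUTHLOG_RE.search(line)):
            if m["nas"]:  # the second AuthLog line has an empty NAS field
                users[m["user"]]["nas"].add(m["nas"])
    return dict(users)

def diagnose(text, min_users=2):
    """Return {user: verdict}. When at least min_users all get 'account does
    not exist' from the NTLM helper, blame the helper's lookup path (backend),
    not the individual credentials."""
    users = parse_radiator_log(text)
    missing = {u for u, r in users.items() if MISSING in r["ntlm"]}
    verdicts = {}
    for user, rec in users.items():
        if user in missing and len(missing) >= min_users:
            verdicts[user] = "backend: NTLM helper cannot resolve any account"
        elif rec["ntlm"]:
            verdicts[user] = "credential: " + rec["ntlm"][0]
        else:
            verdicts[user] = "eap: " + (rec["eap"][0] if rec["eap"] else "unknown")
    return verdicts
```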

_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
