That is correct. I had an additional stanza for a router ...when I commented out all but the DEFAULT and used the DEFAULT secret, it worked.
Thanks!

Chad

On Thu, Feb 20, 2014 at 4:45 AM, Sami Keski-Kasari <[email protected]> wrote:

> Hello Chad,
>
> In the standard RADIUS protocol, the shared secret is used to encrypt
> the User-Password field. Radiator will automatically decrypt User-Password
> with the shared secret.
>
> I think that you should first check that you have the same shared secret
> both in your client clause and in the Fortigate.
>
> If there are some password encryption options for the password in the
> Fortigate, please try to disable them until you get authentication working.
>
> Best Regards,
> Sami
>
> On 02/20/2014 12:42 AM, Chad Roseburg wrote:
> > Thanks Heikki ~ there is an option to change the authentication scheme. I
> > changed it to PAP as you suggest.
> >
> > Now it appears as though the fortigate is sending the password encrypted
> > ...Ex:
> >
> > Test credentials:
> > user: 29030pretend
> > pass: gulash
> >
> > Server output excerpt:
> > DEBUG: SIP2 send '2300020140219 141804AO|AA29030pretend|ACterminal password|AD�$.%�6Է!H�'
> >
> > In looking at the docs, I see several encryption/decrypt options ...what do
> > I include in my config to allow Radiator to decrypt
> > this password?
> >
> > Thank you!
> >
> > Chad
> >
> > On Sat, Feb 15, 2014 at 12:32 AM, Heikki Vatiainen <[email protected]> wrote:
> >
> >> On 02/15/2014 02:42 AM, Chad Roseburg wrote:
> >>> I have an evaluation version of Radiator 4.12.1. I need to set up a web
> >>> captive portal on a Fortigate 60D that uses SIP2 authentication.
> >>>
> >>> The SIP2 part works ...tests successful:
> >>
> >> Hello Chad,
> >>
> >> radpwtst uses PAP with the options you have specified and sends
> >> User-Password which can be then used with AuthBy SIP2.
> >>
> >> However, it looks like the Fortigate is trying to do MS-CHAP instead of
> >> PAP. With MS-CHAP there is no password, only a challenge and response,
> >> and for this reason it does not work.
> >>
> >> Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is
> >> tried. There should be a MS-CHAP-Response too with the attributes, but
> >> maybe you have left that out. These two attributes are used by MS-CHAP.
> >>
> >> See if there's 'Authentication Scheme', I think this is the option in
> >> Fortigate, or something similar that has been set to MS-CHAP or defaults
> >> to MS-CHAP. There should be an option to switch it to PAP.
> >>
> >> Please let us know if the above helps.
> >>
> >> Thanks,
> >> Heikki
> >>
> >>> Ex.
> >>> perl radpwtst -noacct -user 29030pretend -password secrets
> >>> sending Access-Request...
> >>> OK
> >>>
> >>> On RADIUS server I see:
> >>> -------------------------------------
> >>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214 160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
> >>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24 00020140214 160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
> >>> Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend [29030pretend]
> >>> Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
> >>>
> >>> But the second part is that I need to connect the fortigate to the
> >>> RADIUS server. I add the fortigate as a client in the config using IP
> >>> and a 'Secret'
> >>>
> >>> Here's some edited output when I test from the fortigate using the same
> >>> creds:
> >>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214 162344AONCRL|AA29030pretend|ACterminal password|AD|'
> >>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24 00020140214 162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
> >>> Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password: 29030002429839 [29030002429839]
> >>> Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password
> >>>
> >>> It looks like it's not sending the password. Also, at the top of the
> >>> transmission there's mention of a MS-CHAP-Challenge:
> >>> Attributes:
> >>>     NAS-Identifier = "Fortinet_RTR"
> >>>     MS-CHAP-Challenge = b<137><238><146>4<165><145>.9<229><163>j<129>"<220>M
> >>>     Acct-Session-Id = "00000021"
> >>>     Connect-Info = "test"
> >>>     Fortinet-Vdom-Name = "root"
> >>>
> >>> This is the Client config:
> >>> <Client 192.x.x.99>
> >>>     Secret secretspass
> >>>     DupInterval 0
> >>> </Client>
> >>>
> >>> Thanks for any advice!
> >>>
> >>> --
> >>> Chad
> >>>
> >>> _______________________________________________
> >>> radiator mailing list
> >>> [email protected]
> >>> http://www.open.com.au/mailman/listinfo/radiator
> >>
> >> --
> >> Heikki Vatiainen <[email protected]>
> >>
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> >> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> >> NetWare etc.
>
> --
> Sami Keski-Kasari <[email protected]>

--
Chad Roseburg
Automation Dept.
North Central Regional Library
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
