Hello Chris -
OK - this is what I had imagined.
What I would suggest is running Microsoft NPS on each domain, then just proxy
the inner requests to the corresponding NPS.
In this case the inner requests are just straight MSCHAP-V2.
Something like this:
Foreground
LogStdout
LogDir /etc/radiator/log/
DbDir /etc/radiator
PidFile %L/radiusd.pid
DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
Trace 4
AuthPort 1812
AcctPort 1813

<Client 192.168.125.20>
    Secret xxxxxxxxxxx
    Identifier Ruckus
</Client>

<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/(MYSITE|mysite)(.*)$/>
    <AuthBy RADIUS>
        StripFromRequest ConvertedFromEAPMSCHAPV2
        Host ….
        Secret ….
        AuthPort …..
        AcctPort …..
        AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
    </AuthBy>
</Handler>

<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/GUEST(.*)$/>
    <AuthBy RADIUS>
        StripFromRequest ConvertedFromEAPMSCHAPV2
        Host …..
        Secret ….
        AuthPort …..
        AcctPort …..
        AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
    </AuthBy>
</Handler>

# this proxies to the machine that can then proxy to OTHERSITE NPS
# strongly suggest you don't use Synchronous
<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
    <AuthBy RADIUS>
        StripFromRequest ConvertedFromEAPMSCHAPV2
        Host 192.168.125.236
        Secret xxxxxxxxx
        AuthPort 1812
        AcctPort 1813
        Retries 2
        AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
    </AuthBy>
</Handler>

<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        EAPType MSCHAP-V2
        EAP_PEAP_MSCHAP_Convert 1
    </AuthBy>
</Handler>

<Handler Client-Identifier = Ruckus>
    <AuthBy FILE>
        CachePasswordExpiry 3600
        Filename %D/users_anon
        EAPType PEAP,TLS,TTLS
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_CAFile /etc/radiator/certs/ca.pem
        EAPTLS_CertificateFile /etc/radiator/certs/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/certs/server.pem
        EAPTLS_PEAPVersion 0
        EAPTTLS_NoAckRequired
        UsernameMatchesWithoutRealm
        AutoMPPEKeys
    </AuthBy>
</Handler>
regards
Hugh
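As an added illustration (not part of Hugh's config or of Radiator itself), a small Python model of how the three ConvertedFromEAPMSCHAPV2 Handlers above pick a target: Radiator takes the first Handler whose check items all match, the User-Name patterns are unanchored Perl-style regex matches, and a realm none of them matches (for example a lowercase "othersite\bob", since only the MYSITE pattern lists a lowercase alternative) falls through to later Handlers. Handler names and the "nps-…" target labels are hypothetical; "nn" is the placeholder from the config.

```python
import re
from dataclasses import dataclass

# Constructed model of Radiator's first-match Handler selection for the three
# ConvertedFromEAPMSCHAPV2 Handlers in the config above (example code, not part
# of Radiator). Handler names and target labels are hypothetical.
@dataclass
class Handler:
    name: str
    checks: dict      # check items: attribute -> literal string or compiled regex
    target: str       # where the AuthBy RADIUS forwards to
    vlan: str         # Tunnel-Private-Group-ID placed in the reply
    strip: tuple = ("ConvertedFromEAPMSCHAPV2",)  # StripFromRequest

def matches(handler: Handler, request: dict) -> bool:
    """Every check item must match; regexes search unanchored, like Perl's =~."""
    for attr, want in handler.checks.items():
        have = request.get(attr)
        if have is None:
            return False
        if isinstance(want, re.Pattern):
            if not want.search(have):
                return False
        elif have != want:
            return False
    return True

def dispatch(handlers: list, request: dict) -> tuple:
    """First matching Handler wins: returns (name, forwarded request, reply).
    No match is reported as FALLTHROUGH; Radiator would try later Handlers."""
    for h in handlers:
        if matches(h, request):
            forwarded = {k: v for k, v in request.items() if k not in h.strip}
            reply = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
                     "Tunnel-Private-Group-ID": h.vlan}
            return h.name, forwarded, reply
    return "FALLTHROUGH", request, {}

CONVERTED = {"ConvertedFromEAPMSCHAPV2": "1"}
CHAIN = [  # same order and patterns as the posted config; "nn" is its placeholder
    Handler("mysite", {**CONVERTED, "User-Name": re.compile(r"(MYSITE|mysite)(.*)$")}, "nps-mysite", "52"),
    Handler("guest", {**CONVERTED, "User-Name": re.compile(r"GUEST(.*)$")}, "nps-guest", "52"),
    Handler("othersite", {**CONVERTED, "User-Name": re.compile(r"OTHERSITE(.*)$")}, "192.168.125.236", "nn"),
]

def route(user_name: str, converted: bool = True) -> str:
    """Name of the Handler that takes the request, or FALLTHROUGH."""
    req = {"User-Name": user_name, **(CONVERTED if converted else {})}
    return dispatch(CHAIN, req)[0]
```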
On 24 Jul 2014, at 11:08, Christopher Chance <[email protected]> wrote:
> 2 domains are on 2 separate VLANs... for authentication I'm filtering it by
> the handler Domain1\myuser Domain2\myuser: if domain1 then process it via NTLM
> locally, if the second domain forward to the secondary radius that has an
> interface on domain2 and is part of domain2's domain.
>
> This is being done so that my wireless in my office can accept both logins
> and sort users to the correct VLAN based on their credentials: if a user logs
> in with Domain1\user then they get sent to VLAN 2; if they get on as
> domain2\user they log in to VLAN 3, for instance.
>
> We have an office with different companies but want to simplify our wireless
> (at least at the user level) so that it is 1 wireless network via WPA2
> Enterprise (802.1X EAPs)... hence what I'm trying to do above.
>
> Originally I was going to have the main RADIUS server just filter by domains
> and send an LDAP2 request to domain1 or domain2's DC, but since LDAP2 doesn't
> work with MSCHAPv2 I had to go the NTLM way.
>
> And yes, the Linux version is what we're using as we plan to use the RADIUS
> for some other things too, but Windows was giving us some headaches, but that's
> a different story for a different day.
>
> Hope I've explained :S
>
> Chris
> ________________________________________
> From: Hugh Irvine [[email protected]]
> Sent: Wednesday, July 23, 2014 8:07 PM
> To: Christopher Chance
> Cc: [email protected]
> Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
>
> Hello Chris -
>
> Could you please explain in detail what exactly you are trying to accomplish?
>
> It sounds like you are authenticating against Active Directory but you are
> running Radiator on Linux?
>
> Can you tell us how you differentiate between the 2 domains?
>
> We can make better suggestions if we clearly understand the problem.
>
> regards
>
> Hugh
>
>
> On 24 Jul 2014, at 03:30, Christopher Chance <[email protected]> wrote:
>
>> Let me just say I got 802.1x working with PEAP/MSCHAPv2 -> NTLM
>> authentication….
>>
>> The issue is we have 2 domains on our network and want to be able to have
>> the single 802.1x authentication, sorted by domain, authenticate and return
>> the correct VLAN for the user... I couldn't figure a way out to do it with
>> LDAP2 as apparently LDAP2 doesn't like MSCHAPv2/PEAP, only PAP, for whatever
>> reason… So NTLM I went to, and it works, but that meant I had to join the
>> Linux server to the domain, and only 1 domain per server.
>>
>> To solve this I followed someone's recommendation to have a second RADIUS
>> server (VM), that's on the other domain, that just checks domains, and the
>> first server will proxy the request to it… simple enough…
>>
>> The issue is it doesn't work: the secondary RADIUS sends the Access-Accept,
>> but for some reason the main server doesn't seem to handle the
>> challenge/accept process correctly anymore and the sign-in process just hangs
>> on the wireless…
>>
>> So now I’m 110% lost and don’t know what else could be the issue…
>>
>> If you can take a look at this and help me out it would be greatly
>> appreciated, as to where I’m going wrong.
>>
>> Good login with primary server doing NTLM: http://pastebin.com/Vimm88Ya
>> Login that’s hanging being processed from remote Radius:
>> http://pastebin.com/Lj3MCset
>>
>> Config is http://pastebin.com/UCr2vMdk
>>
>> Thanks,
>> Chris
>> _______________________________________________
>> radiator mailing list
>> [email protected]
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> [email protected]
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.