Hello Bryce,
If you are using MSCHAPv2 inside EAP-TTLS, you are not allowed to
rewrite the username, since the username field is part of the password calculation.
Also, if you are using MSCHAPv2, the NAS does not send the clear-text
password, so Radiator is not able to log it.
Best Regards,
Sami
On 14/10/16 20:32, br...@truespeed.ca wrote:
Hello,
We are setting up a test wireless network so that our client radios will
authenticate against our Platypus database. The issue is that our
client radios are being rejected with a Bad Password message (we have
checked, and the passwords are correct). But if we set up RADIUS so
that the client radios authenticate against a flat file (WifiClients),
it works. One thing that I have noticed in our Failure log is that
the bad password isn't shown. I have pasted my config below and
attached it along with part of our logfile and Failurelog.
We are using Radiator version 4.16.
We are using Ubiquiti PowerBeams and NanoBeams in our test network.
LogDir /var/log/radius
DbDir /etc/radiator
AuthPort 1645,1812
AcctPort 1646,1813
Trace 4
#####################################################
## NAS Client IPs ##
#####################################################
##Test NAS for Wireless
<Client xxx.xx.x.xxx>
Secret xxxxx
Identifier AP
DupInterval 0
</Client>
#####################################################
## Authorization ##
#####################################################
#Authorization Using Flat File
<AuthBy FILE>
Identifier WifiClients
Filename /etc/radiator/WifiClients
</AuthBy>
#Authorization using Radius Application
<AuthBy FREERADIUSSQL>
Identifier CheckPLATYPUS
DBSource dbi:Sybase:Platypus
DBUsername xxxxxxx
DBAuth xxxxxxx
AuthCheck SELECT id,UserName,case Attribute when \
'Cleartext-Password' then 'User-Password' else Attribute end,Value,op \
FROM freeradius_service_radcheck WHERE Username = ? ORDER BY id
AuthReply SELECT id,UserName,Attribute,Value,op FROM \
freeradius_service_radreply WHERE Username = ? ORDER BY id
AuthGroupCheck SELECT \
freeradius_service_radgroupcheck.id,freeradius_service_radgroupcheck.GroupName,freeradius_service_radgroupcheck.Attribute,freeradius_service_radgroupcheck.Value,freeradius_service_radgroupcheck.op \
FROM freeradius_service_radgroupcheck,freeradius_service_radusergroup \
WHERE freeradius_service_radusergroup.Username = ? AND \
freeradius_service_radusergroup.GroupName = \
freeradius_service_radgroupcheck.GroupName ORDER BY \
freeradius_service_radgroupcheck.id
AuthGroupReply SELECT \
freeradius_service_radgroupreply.id,freeradius_service_radgroupreply.GroupName,freeradius_service_radgroupreply.Attribute,freeradius_service_radgroupreply.Value,freeradius_service_radgroupreply.op \
FROM freeradius_service_radgroupreply,freeradius_service_radusergroup \
WHERE freeradius_service_radusergroup.Username = ? AND \
freeradius_service_radusergroup.GroupName = \
freeradius_service_radgroupreply.GroupName ORDER BY \
freeradius_service_radgroupreply.id
AcctStartQuery INSERT into freeradius_service_radacct (AcctSessionId, \
AcctUniqueId, UserName, GroupName, Realm, NASIPAddress, NASPort, \
NASPortType, AcctStartTime, AcctStopTime,AcctSessionTime, \
AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, \
AcctOutputOctets, CalledStationId, CallingStationId, \
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, \
AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey) \
VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', %0, null, \
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', \
'%J', '1900-01-01 00:00:00', '0', '%{Acct-Authentic}', \
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '', '', \
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
'%{Acct-Delay-Time}', '0', null)
AcctUpdateQuery UPDATE freeradius_service_radacct SET \
FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = \
'%{Acct-Session-Time}', AcctInputOctets = \
cast(((0%{Acct-Input-Gigawords} * 4294967296) + %{Acct-Input-Octets}) \
as numeric(18,0)), AcctOutputOctets = cast(((0%{Acct-Output-Gigawords} \
* 4294967296) + %{Acct-Output-Octets}) as numeric(18,0)) WHERE \
AcctSessionId = '%{Acct-Session-Id}' AND UserName = %0 AND \
NASIPAddress= '%{NAS-IP-Address}'
AcctStopQuery UPDATE freeradius_service_radacct SET AcctStopTime = \
'%J', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = \
cast(((0%{Acct-Input-Gigawords} * 4294967296) + %{Acct-Input-Octets}) \
as numeric(18,0)), AcctOutputOctets = cast(((0%{Acct-Output-Gigawords} \
* 4294967296) + %{Acct-Output-Octets}) as numeric(18,0)), \
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = \
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE \
AcctSessionId = '%{Acct-Session-Id}' AND UserName = %0 AND \
NASIPAddress = '%{NAS-IP-Address}'
</AuthBy>
#####################################################
## Access-Request - Handler Requests ##
#####################################################
#Authorize Clients by Billing System - Platypus - Wireless
<Handler Request-Type = Access-Request, Realm=myisp.ca, Client-Identifier=AP, TunnelledByTTLS=1>
RewriteUsername s/^(.*)\\(.*)/$2\@$1/
RewriteUsername s/^(.*)\/(.*)/$2\@$1/
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername s/(.*)/$1\@dsl.myisp.ca/
RewriteUsername tr/A-Z/a-z/
RewriteUsername s/\s+//g
PreProcessingHook sub { my $p = ${$_[0]};\
if ($p->code() eq 'Accounting-Request'){\
my $key = $p->get_attr('User-Name') . ',' \
. $p->get_attr('Acct-Session-Id') . ',' \
. $p->get_attr('NAS-IP-Address') . ',' \
. $p->get_attr('NAS-Port');\
my $hash = Digest::MD5::md5_hex($key);\
$p->add_attr('Acct-Unique-Session-Id', $hash);\
}}
AuthByPolicy ContinueUntilAccept
AuthBy CheckPLATYPUS
AuthLog Logger
AuthLog Syslog
AuthLog AuthSyslog
</Handler>
#Authorize Clients by Flat File - ClientFile
<Handler Request-Type = Access-Request, Realm=myisp.ca>
AuthByPolicy ContinueUntilAccept
AuthBy WifiClients
AuthLog Logger
AuthLog Syslog
AuthLog AuthSyslog
</Handler>
## Outer Handler ##
<Handler Request-Type = Access-Request, Realm=some.other.realm>
<AuthBy FILE>
Filename /etc/radius/anuser
EAPType TTLS, TLS, MSCHAP-V2, PEAP
EAPTLS_CAFile /usr/share/doc/packages/Radiator/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
EAPAnonymous anonymous@some.other.realm
</AuthBy>
</Handler>
Thanks,
Bryce.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
--
Sami Keski-Kasari <sam...@open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
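Sami's point above, that the username is an input to the MS-CHAPv2 password calculation and so cannot be rewritten before the check, can be seen by working the exchange through. The Go program below is an added example written for this page; it is not code from the thread and not Radiator's own code. It implements the peer's NT-Response as RFC 2759 specifies it (ChallengeHash over the peer challenge, the authenticator challenge and the username; NtPasswordHash as MD4 of the UTF-16LE password; three DES encryptions of the 8-byte challenge), checks the result against the test vectors published in RFC 2759 section 9, and then shows that the same response no longer verifies once the server substitutes "user@dsl.myisp.ca", which is what the posted RewriteUsername chain makes of the name "User". MD4 is implemented inline because Go's standard library does not include it; verifyNTResponse is an assumed stand-in for the server-side comparison, not Radiator's implementation, and the realm comes from the posted config.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 implements RFC 1320 from scratch; Go's standard library does not ship it.
func md4(data []byte) [16]byte {
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (55-len(data)%64+64)%64+8)...)         // zero pad to 56 mod 64, plus 8
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8) // trailing bit length
	f := func(x, y, z uint32) uint32 { return x&y | ^x&z }
	g := func(x, y, z uint32) uint32 { return x&y | x&z | y&z }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	rotl := func(v uint32, s uint) uint32 { return v<<s | v>>(32-s) }
	s1, s2, s3 := [4]uint{3, 7, 11, 19}, [4]uint{3, 5, 9, 13}, [4]uint{3, 9, 11, 15}
	k3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F over X[0..15]
			a, b, c, d = d, rotl(a+f(b, c, d)+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G over X[0,4,8,12,1,5,...]
			a, b, c, d = d, rotl(a+g(b, c, d)+x[i%4*4+i/4]+0x5A827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H over X[0,8,4,12,2,10,...]
			a, b, c, d = d, rotl(a+h(b, c, d)+x[k3[i]]+0x6ED9EBA1, s3[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}
// ntPasswordHash is MD4 over the UTF-16LE password (RFC 2759 section 8.3).
func ntPasswordHash(password string) [16]byte {
	var buf []byte
	for _, c := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(c), byte(c>>8))
	}
	return md4(buf)
}
// challengeHash is SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8] (RFC 2759 section
// 8.2). UserName is the bare name the peer presented; the server must hash those exact bytes.
func challengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peerChallenge...), authChallenge...), userName...))
	return sum[:8]
}
// challengeResponse zero-pads the hash to 21 bytes and DES-encrypts the challenge under each 7-byte
// third (RFC 2759 section 8.5): 7 key bits per DES key byte, the low (parity) bit ignored by DES.
func challengeResponse(challenge []byte, pwHash [16]byte) []byte {
	var zhash [22]byte // 21 bytes of key material plus one spare so the last 8-byte read is in range
	copy(zhash[:], pwHash[:])
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		v := binary.BigEndian.Uint64(zhash[7*i:7*i+8]) >> 8 // this third as a 56-bit integer
		key := make([]byte, 8)
		for j := range key {
			key[j] = byte(v>>(49-7*uint(j))&0x7F) << 1
		}
		blk, err := des.NewCipher(key)
		if err != nil {
			panic(err) // unreachable: key is always 8 bytes
		}
		blk.Encrypt(resp[8*i:], challenge)
	}
	return resp
}
// generateNTResponse is what the peer sends inside the TTLS tunnel (RFC 2759 section 8.1).
func generateNTResponse(authChallenge, peerChallenge []byte, userName, password string) []byte {
	return challengeResponse(challengeHash(peerChallenge, authChallenge, userName), ntPasswordHash(password))
}
// verifyNTResponse is an assumed stand-in for the server-side check, not Radiator's code: the server
// can only recompute from the username it holds, so a name rewritten after the peer hashed it fails.
func verifyNTResponse(authChallenge, peerChallenge []byte, serverUserName, password string, ntResponse []byte) bool {
	expected := generateNTResponse(authChallenge, peerChallenge, serverUserName, password)
	return subtle.ConstantTimeCompare(expected, ntResponse) == 1
}
func main() {
	ac, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628") // RFC 2759 section 9 test vectors
	pc, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	resp := generateNTResponse(ac, pc, "User", "clientPass")
	fmt.Printf("NT-Response %X\n", resp)
	fmt.Println("verifies with the peer's name:", verifyNTResponse(ac, pc, "User", "clientPass", resp))
	fmt.Println("verifies after the rewrite:   ", verifyNTResponse(ac, pc, "user@dsl.myisp.ca", "clientPass", resp)) // what the posted RewriteUsername chain makes of "User"
}
```

Run it with go run: the first check prints true and the second prints false with the same stored password, which is the "Bad Password" seen in the post. The only credential the server receives is the 24-byte NT-Response, so there is no clear-text password for Radiator to write to the Failurelog either.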