Hello Bryce,

If you are using MSCHAPv2 inside EAP-TTLS, you are not allowed to rewrite the username, since the username field is part of the password calculation.

Also, if you are using MSCHAPv2, the NAS does not send a clear text password, so Radiator is not able to log it.

Best Regards,

Sami


On 14/10/16 20:32, br...@truespeed.ca wrote:

Hello,

We are setting up a test wireless network so that our client radios will authenticate against our Platypus database. The issue is that our client radios are being rejected with a Bad Password message (we have checked, and the passwords are correct). But if we set up RADIUS so that the client radio authenticates against a flat file (WifiClients), it works. One thing that I have noticed in our Failure log is that the bad password isn't shown. I have pasted my config below and attached it along with part of our logfile and Failurelog.

We are using Radiator version 4.16

We are using Ubiquiti PowerBeams and NanoBeams in our test network.

LogDir    /var/log/radius
DbDir     /etc/radiator
AuthPort  1645,1812
AcctPort  1646,1813
Trace     4

#####################################################
##                NAS Client IPs                   ##
#####################################################

## Test NAS for Wireless
<Client xxx.xx.x.xxx>
        Secret xxxxx
        Identifier AP
        DupInterval 0
</Client>

#####################################################
##                 Authorization                   ##
#####################################################

# Authorization using flat file
<AuthBy FILE>
        Identifier WifiClients
        Filename /etc/radiator/WifiClients
</AuthBy>

# Authorization using RADIUS application
<AuthBy FREERADIUSSQL>
        Identifier CheckPLATYPUS
        DBSource   dbi:Sybase:Platypus
        DBUsername xxxxxxx
        DBAuth     xxxxxxx

        AuthCheck SELECT id,UserName,case Attribute when 'Cleartext-Password' then 'User-Password' else Attribute end,Value,op FROM freeradius_service_radcheck WHERE Username = ? ORDER BY id

        AuthReply SELECT id,UserName,Attribute,Value,op FROM freeradius_service_radreply WHERE Username = ? ORDER BY id

        AuthGroupCheck SELECT freeradius_service_radgroupcheck.id,freeradius_service_radgroupcheck.GroupName,freeradius_service_radgroupcheck.Attribute,freeradius_service_radgroupcheck.Value,freeradius_service_radgroupcheck.op FROM freeradius_service_radgroupcheck,freeradius_service_radusergroup WHERE freeradius_service_radusergroup.Username = ? AND freeradius_service_radusergroup.GroupName = freeradius_service_radgroupcheck.GroupName ORDER BY freeradius_service_radgroupcheck.id

        AuthGroupReply SELECT freeradius_service_radgroupreply.id,freeradius_service_radgroupreply.GroupName,freeradius_service_radgroupreply.Attribute,freeradius_service_radgroupreply.Value,freeradius_service_radgroupreply.op FROM freeradius_service_radgroupreply,freeradius_service_radusergroup WHERE freeradius_service_radusergroup.Username = ? AND freeradius_service_radusergroup.GroupName = freeradius_service_radgroupreply.GroupName ORDER BY freeradius_service_radgroupreply.id

        AcctStartQuery INSERT into freeradius_service_radacct (AcctSessionId, AcctUniqueId, UserName, GroupName, Realm, NASIPAddress, NASPort, NASPortType, AcctStartTime, AcctStopTime,AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', %0, null, '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%J', '1900-01-01 00:00:00', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0', null)

        AcctUpdateQuery UPDATE freeradius_service_radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = cast(((0%{Acct-Input-Gigawords} * 4294967296) + %{Acct-Input-Octets}) as numeric(18,0)), AcctOutputOctets = cast(((0%{Acct-Output-Gigawords} * 4294967296) + %{Acct-Output-Octets}) as numeric(18,0)) WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = %0 AND NASIPAddress= '%{NAS-IP-Address}'

        AcctStopQuery UPDATE freeradius_service_radacct SET AcctStopTime = '%J', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = cast(((0%{Acct-Input-Gigawords} * 4294967296) + %{Acct-Input-Octets}) as numeric(18,0)), AcctOutputOctets = cast(((0%{Acct-Output-Gigawords} * 4294967296) + %{Acct-Output-Octets}) as numeric(18,0)), AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = %0 AND NASIPAddress = '%{NAS-IP-Address}'
</AuthBy>

#####################################################
##         Access-Request - Handler Requests       ##
#####################################################

# Authorize clients by billing system - Platypus - Wireless
<Handler Request-Type = Access-Request, Realm=myisp.ca, Client-Identifier=AP, TunnelledByTTLS=1>
        RewriteUsername s/^(.*)\\(.*)/$2\@$1/
        RewriteUsername s/^(.*)\/(.*)/$2\@$1/
        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername s/(.*)/$1\@dsl.myisp.ca/
        RewriteUsername tr/A-Z/a-z/
        RewriteUsername s/\s+//g

        PreProcessingHook sub { my $p = ${$_[0]};\
                if ($p->code() eq 'Accounting-Request'){\
                    my $key = $p->get_attr('User-Name') . ',' \
                          . $p->get_attr('Acct-Session-Id') . ',' \
                          . $p->get_attr('NAS-IP-Address') . ',' \
                          . $p->get_attr('NAS-Port');\
                    my $hash = Digest::MD5::md5_hex($key);\
                    $p->add_attr('Acct-Unique-Session-Id', $hash);\
                }}

        AuthByPolicy ContinueUntilAccept
        AuthBy CheckPLATYPUS
        AuthLog Logger
        AuthLog Syslog
        AuthLog AuthSyslog
</Handler>

# Authorize clients by flat file - ClientFile
<Handler Request-Type = Access-Request, Realm=myisp.ca>
        AuthByPolicy ContinueUntilAccept
        AuthBy WifiClients
        AuthLog Logger
        AuthLog Syslog
        AuthLog AuthSyslog
</Handler>

##  Outer Handler  ##
<Handler Request-Type = Access-Request, Realm=some.other.realm>
        <AuthBy FILE>
                Filename /etc/radius/anuser
                EAPType TTLS, TLS, MSCHAP-V2, PEAP
                EAPTLS_CAFile /usr/share/doc/packages/Radiator/certificates/demoCA/cacert.pem
                EAPTLS_CertificateFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
                EAPAnonymous anonymous@some.other.realm
        </AuthBy>
</Handler>

Thanks,

Bryce.



_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

--
Sami Keski-Kasari <sam...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

