Re: [RADIATOR] (P)EAP flow
On 02/17/2014 05:16 PM, Garry Shtern wrote:
> Would it make sense to modify Radiator behavior to only send reject if the OpenSSL returns mismatch rather than unexpected record? Then there would need to be a correct request coming in later that allows the authentication to continue? That is, if the request is not rejected and can not be challenged, then the option would be to wait for the real request? This way if there is a packet loss or intermittent client issues, the client doesn't get kicked off the net.

I would say it might be a better idea to see how to minimise the number of unexpected messages. Would that be an option to explore?

Thanks,
Heikki

> Thanks.
>
> -----Original Message-----
> From: Heikki Vatiainen [h...@open.com.au]
> Sent: Monday, February 17, 2014 02:22 PM Coordinated Universal Time
> To: radiator@open.com.au
> Subject: Re: [RADIATOR] (P)EAP flow
>
> On 02/14/2014 07:17 PM, Garry Shtern wrote:
>> I have noticed that if Radiator receives a midstream EAP exchange message, it responds back with a CHALLENGE. I would expect something like this with PEAP.
>>
>> ERR: EAP TLS error: -1, 1, 8465, 13062: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>>
>> Then an Access-Reject is sent back to the client. I am trying to understand what exactly happens at this point. Does the Supplicant respond to the challenge with a brand new exchange or just retransmit whatever packet it sent before? If it's the latter, is there any way to force a supplicant to re-start the negotiation, perhaps with a crafted CHALLENGE?
>
> The supplicant probably restarts, but that's only because it got an unexpected response. In most cases I would expect that a midstream EAP message results in some sort of error on the Radiator side.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen h...@open.com.au
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Cisco NX-OS TACACS+ problems
On 02/19/2014 04:40 PM, Caporossi, Steve G. wrote:
> We upgraded to version 5.2(9) last weekend and our problem appears to be solved. Thanks for keeping this on your radar.

Good to hear. Thanks for letting us know the problem was solved.

Maybe the NX-OS devices Alexander mentioned are still using a version of NX-OS that does not have the patch? A quick look shows there are not as many different software trains as there are/were for IOS, but there are plenty of minor releases still.

Thanks,
Heikki
Re: [RADIATOR] (P)EAP flow
On 02/19/2014 04:48 PM, Garry Shtern wrote:
> Actually, I was thinking perhaps if the Radiator is getting an unexpected packet from the supplicant to challenge the supplicant to restart the negotiation. If that is possible, then the reject would only be sent if Radiator got all the packets during the exchange but OpenSSL rejected this because of certificate, negotiation or handshake errors.

Hmm, I don't think restarting an ongoing EAP authentication is possible. Also, the incoming EAP messages are fed to OpenSSL as they come, not collected together first, and the authentication continues based on what OpenSSL returns. In other words, the TLS part, for example PEAP phase 1, is mostly the EAP supplicant talking to the OpenSSL libraries and Radiator sending appropriate RADIUS messages based on what the SSL libraries return.

Thanks,
Heikki

> As for minimizing of unexpected messages, I am definitely with you on this one.
[RADIATOR] Delayed Stop Record and Active Sessions
Hello,

How can I fix an issue where the DeleteQuery statement in my Sessions DB config deletes the row for a new active session because of a delayed Stop record?

Scenario:

1. A session is up (and a row is entered in the database for the active session).
2. The session is dropped because of a premature disconnection (e.g. modem line cable unplugged) but the Stop record is delayed.
3. A new session is created after the modem line cable is restored (and after the DeleteQuery statement removes the database row for the previous session).
4. The delayed Stop record finally comes in; the DeleteQuery statement now removes the row for the active session (an unwanted behavior).

How do I compensate for the delayed Stop record that is causing active session database records to be deleted?

Rohan
[RADIATOR] User-Password vs Cleartext-Password
I'm running Radiator in AuthBy FREERADIUSSQL mode off of a FreeRADIUS SQL user database. FreeRADIUS authenticates users when the Cleartext-Password attribute is used for the user password, however when Radiator authenticates against the same database, I get:

Access Rejected for bob: Check item Cleartext-Password expression 'mypass' does not match '' in request

If I change the default return attribute to User-Password instead of Cleartext-Password, the user can authenticate. I'm using PAP and if I print the password from the request (%P) it matches the one stored in the database.

Thanks for your help,
Grant Spradling
Re: [RADIATOR] User-Password vs Cleartext-Password
Because you are using a freeradius-ism. Cleartext-Password is an internal attribute of freeradius. The real attribute in the request is User-Password ... Use that on other servers.

Alan
Re: [RADIATOR] EAP TLS issues routines:SSL3_READ_BYTES:tlsv1 alert access denied
On 02/19/2014 10:08 PM, Jeffrey Smith wrote:
> Wed Feb 19 10:59:58 2014: ERR: EAP PEAP TLS read failed: 13601: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

Here's one more possibility from the list archives:
http://www.open.com.au/pipermail/radiator/2004-August/009982.html

I agree with Alan that the AP client probably does not care but the other client does. In addition to what has already been suggested, I'd check the Radiator certificate to see that the Extended Key Usage (EKU) is there.
http://support.microsoft.com/kb/814394

Thanks,
Heikki
Re: [RADIATOR] Delayed Stop Record and Active Sessions
On 02/19/2014 09:22 PM, rohan.henry @cwjamaica.com wrote:
> How can I fix an issue where the DeleteQuery statement in my Sessions DB config deletes the row for a new active session because of a delayed Stop record?

A quick idea: do you think the DeleteQuery could be changed to include Acct-Session-Id in the query? That is, the NAS-Port, etc., and Acct-Session-Id must match the existing entry. If the session has been replaced, the delete will not match any rows because the new entry on the row it would otherwise match has a different session id that belongs to the new session.

Please let us know how this works.

Thanks,
Heikki
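Heikki's suggestion replayed against Rohan's four steps, as an added illustration that is not from the original thread: both DeleteQuery shapes are run over an in-memory SQLite table and the rows left for the port after the late Stop are compared. The table and column names (RADONLINE, NASIDENTIFIER, NASPORT, ACCTSESSIONID) follow the RADONLINE example schema shipped with Radiator, and the port-only query mirrors a DeleteQuery that matches on NAS-Identifier and NAS-Port; both are assumptions here, as is modelling the Start as a by-port replacement of whatever row the port held. Radiator expands %N, %{NAS-Port} and %{Acct-Session-Id} into the query text; the example binds parameters instead.

```python
import sqlite3

# Table layout follows the RADONLINE example schema shipped with Radiator (assumption).
SCHEMA = """
CREATE TABLE RADONLINE (
    USERNAME      TEXT,
    NASIDENTIFIER TEXT,
    NASPORT       INTEGER,
    ACCTSESSIONID TEXT,
    TIME_STAMP    INTEGER
)"""

# The DeleteQuery from the question: a Stop is matched on NAS and port only.
# In a Radiator config this would use %N and %{NAS-Port}; bound parameters here.
DELETE_BY_PORT = (
    "DELETE FROM RADONLINE WHERE NASIDENTIFIER = ? AND NASPORT = ?")

# Heikki's variant: the Stop must also carry the Acct-Session-Id of the row it
# removes (%{Acct-Session-Id} in Radiator's query syntax).
DELETE_BY_PORT_AND_SESSION = (
    "DELETE FROM RADONLINE WHERE NASIDENTIFIER = ? AND NASPORT = ? "
    "AND ACCTSESSIONID = ?")


def handle_start(db, user, nas, port, session_id, ts):
    """Accounting Start: a port holds one session, so replace whatever row it
    currently has (modelling assumption, see lead-in) and insert the new one."""
    db.execute(DELETE_BY_PORT, (nas, port))
    db.execute("INSERT INTO RADONLINE VALUES (?, ?, ?, ?, ?)",
               (user, nas, port, session_id, ts))


def handle_stop(db, delete_query, nas, port, session_id):
    """Accounting Stop: run the configured DeleteQuery for the session that ended."""
    if delete_query == DELETE_BY_PORT_AND_SESSION:
        db.execute(delete_query, (nas, port, session_id))
    else:
        db.execute(delete_query, (nas, port))


def sessions_on_port(db, nas, port):
    """Session ids the database still considers active on this NAS port."""
    rows = db.execute(
        "SELECT ACCTSESSIONID FROM RADONLINE WHERE NASIDENTIFIER = ? AND NASPORT = ?",
        (nas, port))
    return [r[0] for r in rows]


def run_scenario(delete_query):
    """Replay the four steps from the question with the given Stop DeleteQuery and
    return the session ids recorded for the port once the delayed Stop is handled."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    nas, port = "nas-01", 7  # constructed sample values

    # 1. Session A comes up; its row is added.
    handle_start(db, "alice", nas, port, "A0001", ts=1000)
    # 2. The line drops. The NAS will send a Stop for A0001, but it is delayed.
    # 3. Session B starts on the same port before that Stop arrives.
    handle_start(db, "alice", nas, port, "B0002", ts=1060)
    # 4. The delayed Stop for A0001 finally arrives and runs the DeleteQuery.
    handle_stop(db, delete_query, nas, port, "A0001")
    return sessions_on_port(db, nas, port)


if __name__ == "__main__":
    # Port-only query: the live session B0002 is removed by A0001's late Stop.
    print("port-only DeleteQuery leaves:", run_scenario(DELETE_BY_PORT))
    # Port plus session id: the late Stop matches nothing and B0002 survives.
    print("port+session DeleteQuery leaves:", run_scenario(DELETE_BY_PORT_AND_SESSION))
```

The example applies the chosen DeleteQuery to the Stop only. Check against your Radiator version's SessionDatabase SQL documentation whether the same DeleteQuery is also run when a Start replaces the session on a port: a session-id-qualified delete executed at Start time would carry the new session's id and leave the stale row in place.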
Re: [RADIATOR] EAP TLS issues routines:SSL3_READ_BYTES:tlsv1 alert access denied
Heikki,

Thanks for the links. I did come across that in my Googling. My certificate reports:

X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication

It doesn't mention the OID specifically, just the text as given. The cert is from RapidSSL as an aside.

Other clients treat this differently as well. An Android device will successfully auth according to the debug logs but never connects to the AP as it seems to time out. And a Mac OSX device just authenticates successfully over and over and over again, per the debug logs, without connecting. It's really bothersome that all the devices aren't behaving the same way, since I have the feeling if I can find a way to fix it for one the others will continue to fail.

Given that, I'm at a loss on how to continue to debug this issue. Do you have any other suggestions or can I provide any more logs?

Alan,

To make sure I'm on the same page with you, I'm guessing by supplicant you mean the wireless client (in this case a Windows 7 laptop)? There's no configuration that pops up immediately on that one. I tell it to connect to the network and it pops up a username / password dialog, no other options to set. I'm under the impression that no certs need to be installed on clients for this to function correctly, is that the case?

Thanks,
Jeff Smith
Network Engineer
Neonova Network Services
(919) 460-3330
d...@neonova.net
Re: [RADIATOR] EAP TLS issues routines:SSL3_READ_BYTES:tlsv1 alert access denied
Hello Jeff,

I think that the Android and MacOSX problems will be solved if you add the configuration parameter AutoMPPEKeys to the outer handler. It is needed so that the encryption keys for the WLAN connection can be calculated.

In the Windows case: because the client is sending that alert message, it is hard to say the exact reason without seeing your client configuration. Do you have your CA certificate installed in your Windows machine? You probably need to go to the wireless settings and check what CA certificates are accepted for your connection.

Best Regards,
Sami

--
Sami Keski-Kasari sam...@open.com.au
Re: [RADIATOR] EAP TLS issues routines:SSL3_READ_BYTES:tlsv1 alert access denied
Sami,

Thanks for the AutoMPPEKeys, that did in fact fix OSX and Android. I'm hoping that the cert doesn't need to be installed on the Windows clients as this is for a widespread WISP solution for end users.

I did find one other oddity that may or may not also be certificate related. For ChromeOS it gets back an EAP MSCHAP-V2 Authentication failure for the user:

Wed Feb 19 13:12:28 2014: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
Wed Feb 19 13:12:28 2014: DEBUG: internal Deleting session for testu...@neonova.net, 137.118.48.15, 0
Wed Feb 19 13:12:28 2014: DEBUG: Handling with Radius::AuthMassGeneric:
Wed Feb 19 13:12:28 2014: DEBUG: Handling with EAP: code 2, 20, 70, 26
Wed Feb 19 13:12:28 2014: DEBUG: Response type 26
Wed Feb 19 13:12:28 2014: DEBUG: Reading users file /usr/local/raddb/users/ppp/neonova.net
Wed Feb 19 13:12:28 2014: DEBUG: Radius::AuthMassGeneric looks for match with testu...@neonova.net [testu...@neonova.net]
Wed Feb 19 13:12:28 2014: DEBUG: Radius::AuthMassGeneric ACCEPT: : testu...@neonova.net [testu...@neonova.net]
Wed Feb 19 13:12:28 2014: DEBUG: EAP Failure, elapsed time 0.115332
Wed Feb 19 13:12:28 2014: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Wed Feb 19 13:12:28 2014: DEBUG: AuthBy MassGeneric result: REJECT, EAP MSCHAP-V2 Authentication failure
Wed Feb 19 13:12:28 2014: INFO: Access rejected for d...@neonova.net: EAP MSCHAP-V2 Authentication failure

But I'm not seeing what is causing the Auth Failure. I'm at Trace level 6. Increasing that number doesn't appear to garner any more data.

Thanks,
Jeff Smith
Network Engineer
Neonova Network Services
(919) 460-3330
d...@neonova.net
Re: [RADIATOR] SIP2 + Fortigate setup
Thanks Heikki ~ there is an option to change the authentication scheme. I changed it to PAP as you suggest. Now it appears as though the fortigate is sending the password encrypted ... Ex:

Test credentials:
user: 29030pretend
pass: gulash

Server output excerpt:

DEBUG: SIP2 send '2300020140219141804AO|AA29030pretend|ACterminal password|AD�$.%�6Է!H�'

In looking at the docs, I see several encryption/decrypt options ... what do I include in my config to allow Radiator to decrypt this password?

Thank you!

Chad

On Sat, Feb 15, 2014 at 12:32 AM, Heikki Vatiainen h...@open.com.au wrote:
> On 02/15/2014 02:42 AM, Chad Roseburg wrote:
>> I have an evaluation version of Radiator 4.12.1. I need to set up a web captive portal on a Fortigate 60D that uses SIP2 authentication. The SIP2 part works ... tests successful:
>
> Hello Chad,
>
> radpwtst uses PAP with the options you have specified and sends User-Password which can then be used with AuthBy SIP2. However, it looks like the Fortigate is trying to do MS-CHAP instead of PAP. With MS-CHAP there is no password, only a challenge and response, and for this reason it does not work.
>
> Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is tried. There should be a MS-CHAP-Response too with the attributes, but maybe you have left that out. These two attributes are used by MS-CHAP.
>
> See if there's 'Authentication Scheme', I think this is the option in Fortigate, or something similar that has been set to MS-CHAP or defaults to MS-CHAP. There should be an option to switch it to PAP.
>
> Please let us know if the above helps.
>
> Thanks,
> Heikki
>
>> Ex.
>>
>> perl radpwtst -noacct -user 29030pretend -password secrets
>> sending Access-Request...
>> OK
>>
>> On RADIUS server I see:
>>
>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214 160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24 00020140214 160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
>> Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend [29030pretend]
>> Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
>>
>> But the second part is that I need to connect the fortigate to the RADIUS server. I add the fortigate as a client in the config using IP and a 'Secret'. Here's some edited output when I test from the fortigate using the same creds:
>>
>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214 162344AONCRL|AA29030pretend|ACterminal password|AD|'
>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24 00020140214 162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
>> Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password: 29030002429839 [29030002429839]
>> Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password
>>
>> It looks like it's not sending the password. Also, at the top of the transmission there's mention of a MS-CHAP-Challenge:
>>
>> Attributes:
>>     NAS-Identifier = Fortinet_RTR
>>     MS-CHAP-Challenge = b1372381464165145.9229163j129220M
>>     Acct-Session-Id = 0021
>>     Connect-Info = test
>>     Fortinet-Vdom-Name = root
>>
>> This is the Client config:
>>
>> <Client 192.x.x.99>
>>     Secret secretspass
>>     DupInterval 0
>> </Client>
>>
>> Thanks for any advice!
>>
>> --
>> Chad

--
Chad Roseburg
Automation Dept.
North Central Regional Library
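Heikki's diagnostic rule (User-Password present means PAP; MS-CHAP-Challenge without User-Password means the NAS is attempting MS-CHAP) turned into a small decoder for the attribute section of a RADIUS packet, as an added example that is not from the thread or from Radiator. Attribute numbers are the standard ones: RFC 2865 (User-Name 1, User-Password 2, CHAP-Password 3, Vendor-Specific 26, NAS-Identifier 32), RFC 3579 (EAP-Message 79) and RFC 2548 (Microsoft vendor 311; MS-CHAP-Response 1, MS-CHAP-Challenge 11, MS-CHAP2-Response 25). The two packets it decodes are constructed inside the block with a zero Request Authenticator and placeholder values; they are not captures from Chad's Fortigate.

```python
import struct

# Attribute type numbers, RFC 2865 / RFC 3579 / RFC 2548.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC = 1, 2, 3, 26
NAS_IDENTIFIER, EAP_MESSAGE = 32, 79
VENDOR_MICROSOFT = 311
MS_CHAP_RESPONSE, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 1, 11, 25
HEADER_LEN = 20  # code, identifier, length, 16-byte authenticator


def parse_attributes(packet):
    """Decode the attribute list of a RADIUS packet into (type, vendor, subtype, value)
    tuples. Vendor-Specific attributes are expanded one sub-attribute per tuple;
    plain attributes carry vendor and subtype None. Length fields are checked so a
    malformed packet raises instead of being mis-read."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d does not match %d bytes" % (length, len(packet)))
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos < len(value):  # walk the sub-attributes
                if vpos + 2 > len(value):
                    raise ValueError("truncated VSA sub-attribute")
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad VSA sub-attribute length")
                attrs.append((VENDOR_SPECIFIC, vendor, vtype, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return attrs


def auth_scheme(packet):
    """Name the authentication scheme an Access-Request carries, following the rule
    from the thread; a Microsoft challenge with no response attribute is flagged."""
    present = {(t, v, s) for t, v, s, _ in parse_attributes(packet)}
    if (USER_PASSWORD, None, None) in present:
        return "PAP"
    if (CHAP_PASSWORD, None, None) in present:
        return "CHAP"
    if (EAP_MESSAGE, None, None) in present:
        return "EAP"
    if (VENDOR_SPECIFIC, VENDOR_MICROSOFT, MS_CHAP_CHALLENGE) in present:
        if (VENDOR_SPECIFIC, VENDOR_MICROSOFT, MS_CHAP2_RESPONSE) in present:
            return "MS-CHAPv2"
        if (VENDOR_SPECIFIC, VENDOR_MICROSOFT, MS_CHAP_RESPONSE) in present:
            return "MS-CHAP"
        return "MS-CHAP (challenge without response)"
    return "none"


# --- constructed sample packets (not captures) --------------------------------

def build_access_request(attrs):
    """Assemble an Access-Request (code 1) from (type, value) pairs. The Request
    Authenticator is left as 16 zero bytes since nothing here verifies it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 0, HEADER_LEN + len(body)) + bytes(16) + body


def microsoft_vsa(subtype, value):
    """Vendor-Specific payload: 4-byte vendor id, then one sub-attribute."""
    return struct.pack("!I", VENDOR_MICROSOFT) + bytes([subtype, len(value) + 2]) + value


# radpwtst-style request: PAP, User-Password present (16 placeholder bytes; on the
# wire the field is hidden with the shared secret as in RFC 2865 section 5.2).
PAP_REQUEST = build_access_request([
    (USER_NAME, b"29030pretend"),
    (USER_PASSWORD, bytes(16)),
])

# Fortigate-style request from the thread: MS-CHAP-Challenge, no User-Password,
# and no response attribute.
MSCHAP_CHALLENGE_ONLY = build_access_request([
    (USER_NAME, b"29030pretend"),
    (NAS_IDENTIFIER, b"Fortinet_RTR"),
    (VENDOR_SPECIFIC, microsoft_vsa(MS_CHAP_CHALLENGE, bytes(16))),
])

if __name__ == "__main__":
    print("radpwtst request:", auth_scheme(PAP_REQUEST))
    print("fortigate request:", auth_scheme(MSCHAP_CHALLENGE_ONLY))
```

Fed a request that was captured on the RADIUS port, the decoder tells you what the NAS is actually sending before any AuthBy sees it, which is the same question Heikki answered from the debug trace: AuthBy SIP2 needs a User-Password to forward, so anything other than "PAP" here explains an empty AD field in the SIP2 send line.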
Re: [RADIATOR] SIP2 + Fortigate setup
Hello Chad -

You don't need to do anything special - Radiator will process the password automatically.

If you are using a flat file for your user records you should add an entry like this:

# flat file user definitions
29030pretend    User-Password = gulash

hope that helps

regards

Hugh

--
Hugh Irvine h...@open.com.au