[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
Hi all,

I've been using RADIATOR for 4 or 5 years using EAP-TTLS PAP against an LDAP database. We now have an Active Directory that is synced with LDAP, so all users and their passwords are now in AD. With the LDAP database, we had to configure every client manually (these are student computers we don't own) for wireless to work. This could sometimes take 20-30 minutes with Apple clients and involved installing SecureW2 on Windows.

My goal now is to transition to using AuthBy NTLM with PEAP, TTLS, and MSCHAP-V2 in place of AuthBy LDAP2 so users can just type their username and password when prompted, while maintaining backwards compatibility with the EAP-TTLS PAP machines that were already configured. The config I have does do this, but it also allows domain computers to authenticate as computers; I don't want this.

So it comes down to a few questions:

1. How do I allow only directory users to authenticate, while preventing machine accounts from being authenticated?
2. Will the eap_acct_username.pl prevent users from showing up as 'anonymous' in my accounting requests for all allowed types of auth? (PEAP, TTLS, MSCHAP-V2)
3. Will disabling machine authentication have any effect on SSO so that a user can log in to a domain computer and automatically authenticate to the wifi (assuming the proper GPOs are in place)?

Here's my configuration:

##
# Radiator Configuration
##
## Updated 03/26/14 mbr
## Note this file is derived from pre-testing version provided by mrodrigues

#This handler catches all Accounting-Request packets.
#We only log Start and Stop accounting packets as Alive
#packets are basically useless for our purposes. If you
#would like to grab these packets, delete the HandleAcctStatusTypes
#directive below, or edit as obviously necessary.
#<Handler Request-Type=Accounting-Request>
#    <AuthBy SQL>
#        DBSource dbi:mysql:radius:127.0.0.1:3306
#        DBUsername radius
#        DBAuth xxx
#        HandleAcctStatusTypes Start,Stop
#        # This statement inserts the accounting information into the SQL database.
#        AcctSQLStatement insert into ggse_public values('%{Acct-Session-Id}','%{Framed-IP-Address}','%{User-Name}','%{Acct-Status-Type}','%{Extreme-SSID}','%{Connect-Info}','%{Acct-Delay-Time}','%{Timestamp}','%{Calling-Station-Id}',NULL);
#        # This will log messages from within the SQL insert statement
#        <Log FILE>
#            Filename debug.config
#        </Log>
#    </AuthBy>
#</Handler>

#below was added on 2/4/13 to catch ALL iterations of logins that are BlackListed.
RewriteUsername tr/A-Z/a-z/

#These are the IPs from which calls to the RADIUS server are allowed.
<Client 10.99.1.250>
    Secret testing123
    DupInterval 0
</Client>

<Handler>
    #This is only tentative and hasn't been tested. This keeps people from
    #circumventing the logs by making their outer identity anonymous. This
    #script copies the inner identity to the outer identity; you can't
    #authenticate without the correct inner identity.
    PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"

    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept

        # Make sure MAC address is not blacklisted..
        <AuthBy FILE>
            NoEAP
            # Calling-Station-Id attribute is the user's MAC in this case.
            AuthenticateAttribute Calling-Station-Id
            AcceptIfMissing
            Filename /etc/radiator/MacAddrBlacklist.txt
        </AuthBy>

        # Make sure USERNAME is not blacklisted..
        <AuthBy FILE>
            NoEAP
            AcceptIfMissing
            Filename /etc/radiator/UsernameBlacklist.txt
        </AuthBy>

        <AuthBy NTLM>
            Domain AD
            EAPType PEAP, TTLS, MSCHAP-V2
            EAPTLS_CAFile /etc/radiator/certs/demoCA/cacert.pem
            EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
            EAPTLS_CertificateType PEM
            EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
            EAPTLS_PrivateKeyPassword whatever
            AutoMPPEKeys
        </AuthBy>
    </AuthBy>
</Handler>

#PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"

#This logs to /var/log/radius/logfile
#Not really necessary, we have SQL logs.
<Log FILE>
    Filename logfile
</Log>

Thanks,
Michael

--
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
h...@education.ucsb.edu

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)
On 2014-03-26 18:40, Roberto Pantoja wrote:
> I have a problem trying to assign dynamic VLANs to users on a WPA2-Enterprise configuration. Users have successful authentication, and if I don't send the RADIUS attribute Tunnel-Private-Group-ID the Wireless Controller connects me to the default VLAN for the SSID, but when I send Tunnel-Private-Group-ID, the Wireless Controller simply drops my connection.
>
> The Wireless Controller documentation says the required attributes in the Access-Accept reply are Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=Name of VLAN.
>
> Everything works fine using Ignition Server (Avaya's RADIUS server). But the product's documentation says the WC8180 complies with RFC standards and mentions being compatible and validated with FreeRADIUS and Microsoft IAS, so I think my case is a configuration issue.
>
> Regards.
>
> Radiator Version: 4.12.1
> Wireless Controller: AVAYA WC8180
> Wireless Access Points: AVAYA AP8120
>
> Config file:
>
> *** Config File ***
> # radius.cfg
> Foreground
> LogStdout
> LogDir /var/log/radius
> LogFile %L/logfile.%Y.%m.%d
> DbDir /etc/radiator
> # Use a lower trace level in production systems:
> Trace 4
> AuthPort 1812
> AcctPort 1813
>
> <Client 10.0.30.254>
>     Secret verysecret
>     PacketTrace
>     Identifier Avaya WC8180
> </Client>
>
> <Handler TunnelledByPEAP=1>
>     <AuthBy FILE>
>         Filename %D/users
>         EAPType MSCHAP-V2
>     </AuthBy>
> </Handler>
>
> <Handler>
>     <AuthBy FILE>
>         Filename %D/users
>         EAPType PEAP
>         EAPTLS_CAFile %D/certificates/cacert.pem
>         # EAPTLS_CAPath
>         EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
>         EAPTLS_PrivateKeyPassword verysecret
>         # EAPTLS_RandomFile %D/certificates/random
>         EAPTLS_MaxFragmentSize 1024
>         # EAPTLS_DHFile %D/certificates/cert/dh
>         #EAPTLS_CRLCheck
>         #EAPTLS_CRLFile %D/certificates/crl.pem
>         #EAPTLS_CRLFile %D/certificates/revocations.pem
>         AutoMPPEKeys
>         #EAPTLS_SessionResumption 0
>         #EAPTLS_SessionResumptionLimit 10
>         EAPAnonymous anonymous@localhost
>         EAPTLS_PEAPVersion 0
>         EAPTTLS_NoAckRequired
>     </AuthBy>
> </Handler>
> *** EOF Config File ***
>
> Users file:
> mikem  - user without VLAN, default VLAN - Quarantine - no IP address
> mikem1 - user with VLAN Empleados - IP address range 10.0.21.0/24
> mikem2 - user with VLAN ATI - IP address range 10.0.19.0/24
>
> *** Users file ***
> # users
> # This is an example of how to set up simple user for
> # AuthBy FILE.
> # The example user mikem has a password of fred, and will
> # receive reply attributes suitable for most NASs.
> # You can do many more interesting things. See the Radiator reference
> # manual for more details
> #
> # You can test this user with the command
> # perl radpwtst
>
> mikem User-Password=fred
>     Service-Type = Framed-User,
>     Tunnel-Medium-Type = 802,
>     Tunnel-Type = VLAN
>
> mikem1 User-Password=fred
>     Service-Type = Framed-User,
>     Tunnel-Private-Group-ID = Empleados,
>     Tunnel-Medium-Type = 802,
>     Tunnel-Type = VLAN
>
> mikem2 User-Password=fred
>     Service-Type = Framed-User,
>     Tunnel-Private-Group-ID = ATI,
>     Tunnel-Medium-Type = 802,
>     Tunnel-Type = VLAN
> *** EOF users file ***

We're doing that with Cisco WLCs without problems, but in our case by sending the VLAN ID, not its name like for wired dot1x where Cisco IOS switches want the VLAN name:

AddToReply Tunnel-Type=VLAN,\
    Tunnel-Medium-Type=802, \
    Tunnel-Private-Group-ID=123

> --
> Roberto Carlos Pantoja Valdizón
> Systems Analyst ATI/GDEI/LaGeo

***
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
***
Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately.
***
Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)
Hi,

On 03/26/2014 06:40 PM, Roberto Pantoja wrote:
> I have a problem trying to assign dynamic VLANs to users on a WPA2-Enterprise configuration. Users have successful authentication, and if I don't send the RADIUS attribute Tunnel-Private-Group-ID the Wireless Controller connects me to the default VLAN for the SSID, but when I send Tunnel-Private-Group-ID, the Wireless Controller simply drops my connection.
>
> The Wireless Controller documentation says the required attributes in the Access-Accept reply are Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=Name of VLAN.
>
> Everything works fine using Ignition Server (Avaya's RADIUS server). But the product's documentation says the WC8180 complies with RFC standards and mentions being compatible and validated with FreeRADIUS and Microsoft IAS, so I think my case is a configuration issue.

Are you sure that it's Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=Name of VLAN for your wireless controller? We have an HP ProCurve WLAN Controller and I have to send:

Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = vlan-id

It's the same for our LANCOM Access Points, which are autonomous (no controller).

I found a document "Avaya WLAN 8100 Fundamentals" regarding the AVAYA WC8180 WLAN Controller. They say the WC8180 is part of the WLAN 8100 solution.

http://198.152.212.23/css/P8/documents/100161076 (PDF file)

On page 87 they talk about authorization attributes:

Tunnel-Private-Group-Id: Mobility VLAN Name
Tunnel-Medium-Type: The value is 6 (IEEE 802)
Tunnel-Type: The value is 13 (VLAN)

So perhaps you have to send Tunnel-Type=13, Tunnel-Medium-Type=6, Tunnel-Private-Group-ID=Name of VLAN.

Apart from that: is it possible to proxy the request of the controller through Radiator to the Ignition Server, i.e. to configure the Radiator server as a client on the Ignition Server? Then you'd see all attributes that the Ignition Server is sending in the Radiator debug log.

Regards
Klara

--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Klara Mall
Networks and Telecommunications (NET)

Hermann-von-Helmholtz-Platz 1
76344 Eggenstein-Leopoldshafen
Phone: +49 721 608-28630
Phone: +49 721 608-48946
E-Mail: klara.m...@kit.edu
Web: http://www.scc.kit.edu

KIT - University of the State of Baden-Württemberg and National Research Center of the Helmholtz Association
Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)
Thank you for your prompt answer, but I have the same effect if I put the VLAN name or the numeric ID. Do you have any other idea that can help me resolve this problem?

Best regards.

On 03/26/2014 11:37 AM, Hartmaier Alexander wrote:
> [...]
Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)
Hello Roberto,

RFC 2868 defines that the tunnel attributes include a Tag field before the value. Some NASes need it to be defined and some do not.

Try for example with

mikem2 User-Password=fred
    Service-Type = Framed-User,
    Tunnel-Private-Group-ID = 0:vlan-id,
    Tunnel-Medium-Type = 0:802,
    Tunnel-Type = 0:VLAN

or

mikem2 User-Password=fred
    Service-Type = Framed-User,
    Tunnel-Private-Group-ID = 1:vlan-id,
    Tunnel-Medium-Type = 1:802,
    Tunnel-Type = 1:VLAN

Best Regards,
Sami

On 03/26/2014 08:16 PM, Roberto Pantoja wrote:
> [...]
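To make the Tag octet from Sami's reply and the numeric values from Klara's (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802) concrete, here is an added example that is not Radiator code and not from the thread: it encodes and decodes the three RFC 2868 tunnel attributes with and without a tag, so a reply such as Tunnel-Type = 1:VLAN can be checked byte for byte against what a controller expects. Attribute numbers 64, 65 and 81 are the RFC 2868 assignments.

```python
"""RFC 2868 tunnel attributes with and without the Tag octet.

Added example for this thread (not Radiator code). Tunnel-Type (64) and
Tunnel-Medium-Type (65) carry a 1-octet Tag followed by a 3-octet value;
Tunnel-Private-Group-ID (81) carries a 1-octet Tag followed by a string.
Tag 0x00 means "untagged"; tags 0x01..0x1F group attributes of one tunnel.
For the string attribute a first octet above 0x1F is text, not a tag.
"""

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Symbolic names used in the users file, resolved to their IANA numbers.
TUNNEL_TYPE_VALUES = {"VLAN": 13}
TUNNEL_MEDIUM_TYPE_VALUES = {"802": 6}


def _check_tag(tag):
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (untagged) or 0x01..0x1F")


def encode_tagged_integer(attr_type, tag, value):
    """Tag + 3-octet big-endian integer (RFC 2868 sections 3.1 and 3.2)."""
    _check_tag(tag)
    if not 0 <= value < 1 << 24:
        raise ValueError("value must fit in 24 bits")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type, tag, text):
    """Tag + string (RFC 2868 section 3.6); tag 0 is still sent as an octet."""
    _check_tag(tag)
    body = bytes([tag]) + text.encode("utf-8")
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(body)]) + body


def decode_tunnel_attr(raw):
    """Decode one tunnel attribute TLV; returns (type, tag, value)."""
    if len(raw) < 3 or raw[1] != len(raw):
        raise ValueError("bad attribute length")
    attr_type, body = raw[0], raw[2:]
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(body) != 4:
            raise ValueError("tagged integer must be 4 octets")
        return attr_type, body[0], int.from_bytes(body[1:], "big")
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        if body[0] > 0x1F:
            # No tag octet present: the whole body is the group name.
            return attr_type, 0, body.decode("utf-8")
        return attr_type, body[0], body[1:].decode("utf-8")
    raise ValueError("not a tunnel attribute: %d" % attr_type)


def vlan_reply(group_id, tag=0):
    """The three-attribute Access-Accept payload from the users file, e.g.
    Tunnel-Type = 1:VLAN, Tunnel-Medium-Type = 1:802 and
    Tunnel-Private-Group-ID = 1:<group_id> when tag=1."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VALUES["VLAN"])
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag,
                                    TUNNEL_MEDIUM_TYPE_VALUES["802"])
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, group_id))


def parse_attributes(payload):
    """Walk a concatenation of TLVs and decode each tunnel attribute."""
    attrs, pos = [], 0
    while pos < len(payload):
        length = payload[pos + 1]
        attrs.append(decode_tunnel_attr(payload[pos:pos + length]))
        pos += length
    return attrs


if __name__ == "__main__":
    for tag in (0, 1):
        payload = vlan_reply("ATI", tag)
        print("tag %d: %s -> %s" % (tag, payload.hex(), parse_attributes(payload)))
```

Comparing the hex of the tag-0 and tag-1 payloads with a packet capture from a working Ignition Server reply shows directly which form the controller accepts.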
[RADIATOR] Fwd: Re: Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)
Thank you, I will try using the RADIUS proxy to find out exactly which attributes the Ignition Server sends to the WLAN controller.

On 03/26/2014 12:02 PM, Klara Mall wrote:
> [...]

--
Roberto Carlos Pantoja Valdizón
Systems Analyst ATI/GDEI/LaGeo
Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)
Thank you, I will try tagging the values for the reply...

On 03/26/2014 12:47 PM, Sami Keski-Kasari wrote:
> [...]

--
Roberto Carlos Pantoja Valdizón
Systems Analyst ATI/GDEI/LaGeo
Re: [RADIATOR] CRLs not working with EAP TLS
On 03/24/2014 11:59 PM, Markus Moeller wrote:
> I have set up EAP-TLS for wired 802.1x using CRLCheck, but I noticed that despite having the certificate serial number in the CRL, Radiator still accepts the presented certificate (I can also see Radiator re-read the CRL file).

Hello Markus,

I did some testing, compiled Net-SSLeay 1.58 and OpenSSL 1.0.1e. I see the same as you: the file change is noticed by Radiator and the file is loaded. The changes, however, do not have any effect. If I just touch the file without changing it, the libs give the 'cert already in hash table' error.

> I was trying to verify that the serial numbers match using the EAPTLS_CertificateVerifyHook function but can't extract the certificate serial number. I tried with
>
> my $ai = Net::SSLeay::X509_get_serialNumber($x509);
>
> which I read does not give the serial number but an ASN.1 encoded string. Does anybody have a tool which converts it into a serial number which I can compare to the CRL serial number?

Are you thinking of this?

my $ai = Net::SSLeay::X509_get_serialNumber($x509);
my $rv = Net::SSLeay::ASN1_INTEGER_get($ai);
print "ai: $ai rv: $rv\n";

> Does anybody have CRL working for EAP TLS?

It does look like a restart is needed when the CRL is refreshed. The verify against the CRL seems to work, but refreshing the CRL without a restart looks problematic.

Thanks,
Heikki

--
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
Re: [RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
On 03/26/2014 07:33 PM, Michael Rodrigues wrote:
> 1. How do I allow only directory users to authenticate, while preventing machine accounts from being authenticated?

Use a Handler to catch these:

<Handler User-Name=/^host\//>
    # AuthBy INTERNAL with reject here
</Handler>

should do the trick. I would also consider using a separate Handler for inner and outer requests. See goodies/eap_peap.cfg for an example.

> 2. Will the eap_acct_username.pl prevent users from showing up as 'anonymous' in my accounting requests for all allowed types of auth? (PEAP, TTLS, MSCHAP-V2)

This hook seems to return User-Name with Access-Accept to tell the NAS to use this username for the subsequent Accounting-Requests. I'd consider using a Hook, maybe PostAuthHook, in the inner Handler to write the real username into the outer request's EAP context. When the final Access-Accept is returned to the client, a PostAuthHook in the outer Handler can set the User-Name. This could be done after the authentication otherwise works.

> 3. Will disabling machine authentication have any effect on SSO so that a user can log in to a domain computer and automatically authenticate to the wifi (assuming the proper GPOs are in place)?

The recent Windows versions seem to have a number of possibilities to choose which account, user or computer, does the wifi authentication. However, I have not looked more closely at how these settings work with group policies. It would be interesting to hear how it works, so please let us know if you decide to test it.

> Here's my configuration:

Remove DupInterval 0 if you have it with real RADIUS clients. It should only be used for local loopback testing, and it's not usually necessary there either.

Thanks,
Heikki

> [...]
Re: [RADIATOR] CRLs not working with EAP TLS
-----Original Message-----
From: Heikki Vatiainen
Sent: Wednesday, March 26, 2014 9:09 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] CRLs not working with EAP TLS

> On 03/24/2014 11:59 PM, Markus Moeller wrote:
>> I have set up EAP-TLS for wired 802.1X using CRLCheck, but I noticed that despite having the certificate serial number in the CRL, Radiator still accepts the presented certificate (I can also see Radiator re-read the CRL file).
>
> Hello Markus,

Hi Heikki

> I did some testing, compiled Net-SSLeay 1.58 and OpenSSL 1.0.1e. I see the same as you: the file change is noticed by Radiator and the file is loaded. The changes, however, do not have any effect. If I just touch the file without changing it, the libs give the 'cert already in hash table' error.

Thank you for testing. That is not good news. I was intending to use wired 802.1X, and a restart means switches may need to fail over to the secondary RADIUS server, especially if you want to do frequent CRL checks, and may disrupt clients when the regular EAP reauth happens. Do you or others on the list have experience with optimised EAP reauth switch settings?

>> I was trying to verify that the serial numbers match using the EAPTLS_CertificateVerifyHook function but can't extract the certificate serial number. I tried with
>>
>>     my $ai = Net::SSLeay::X509_get_serialNumber($x509);
>>
>> which I read does not give the serial number but an ASN.1 encoded string. Does anybody have a tool which converts it into a serial number which I can compare to the CRL serial number?
>
> Are you thinking of this?
>
>     my $ai = Net::SSLeay::X509_get_serialNumber($x509);
>     my $rv = Net::SSLeay::ASN1_INTEGER_get($ai);
>     print "ai: $ai rv: $rv\n";

Yes, something like that. Is it Net::SSLeay or Net::SSLeay? I think I need to use P_ASN1_INTEGER_get_hex($ai). Did you try this too? In my test I got 0 for $ai, which doesn't seem to be correct.

>> Does anybody have CRL working for EAP TLS?
>
> It does look like a restart is needed when the CRL is refreshed. The verify against CRL seems to work, but refreshing the CRL without restart looks problematic.

This is then an underlying OpenSSL issue, isn't it? Do you know if OCSP will be available instead?

> Thanks,
> Heikki

Thank you
Markus

> --
> Heikki Vatiainen h...@open.com.au
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Monitor radiator authentication response time
Heikki,

We use the radlogin RADIUS test tool. It sends an auth request using username and password and measures the response time.
http://www.iea-software.com/products/radlogin4.cfm

But I want to monitor RADIUS response time on a RADIUS server that uses NAS Port ID to authenticate users.

Rohan

On Fri, Mar 21, 2014 at 2:33 PM, Heikki Vatiainen h...@open.com.au wrote:

> On 03/19/2014 09:21 PM, rohan.henry @cwjamaica.com wrote:
>> How can I monitor Radiator's response time when using NAS Port ID instead of username for authentication?
>
> Hello Rohan,
>
> can you describe in more detail how the monitoring is done now?
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen h...@open.com.au