Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
Removing the synchronous did in fact fix the problem for some reason! Thanks!

Best regards,

Chris Chance
Network Engineer - CaribServe
Phone: +1 721 542-4233
Email: ccha...@newtechgrp.com

-----Original Message-----
From: Hugh Irvine [mailto:h...@open.com.au]
Sent: Thursday, July 24, 2014 6:49 PM
To: Christopher Chance
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

Hello Chris -

The other difference between what I sent and what you are doing is your use of Synchronous in the AuthBy RADIUS clause. In my suggestion I have removed it, and we think it is this that is causing the problem for some reason.

    # this proxies to the machine that can then proxy to OTHERSITE NPS
    # strongly suggest you don't use Synchronous
    <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
        <AuthBy RADIUS>
            StripFromRequest ConvertedFromEAPMSCHAPV2
            Host 192.168.125.236
            Secret x
            AuthPort 1812
            AcctPort 1813
            Retries 2
            AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
        </AuthBy>
    </Handler>

You might also want to upgrade to the latest Radiator 4.13.

FYI - we had another site that was having problems with NTLM and it was resolved by my suggestion to have Radiator proxy to NPS.

hope that helps

regards

Hugh

On 25 Jul 2014, at 04:23, Christopher Chance <ccha...@newtechgrp.com> wrote:

> Got to work and was looking at it and basically you're doing the same thing I am, though the MYSITE radius isn't needed as there's nothing wrong with the MYSITE NTLM; it works fine.
>
> As for the OTHERSITE ... that's exactly how it is now, except instead of Microsoft NPS the other side is a Radiator that authenticates via NTLM on the secondary domain...
>
> The problem is when that second Radiator responds to this Radiator with the Access-Accept, this Radiator, as you can see in the logs, does a bunch of EAP challenges but never builds the final Access-Accept for the client wifi device from what I can see... and the client device hangs.
>
> The logs I included: the good one was local NTLM auth that authenticates and sends the client an Access-Accept. The bad one that hangs was Radiator sending the RADIUS MSCHAPv2 inner request to the second Radiator, getting the Access-Accept from that Radiator, and then doing some EAP challenges and just hanging.
>
> Don't really want to switch from linux-radiator to NPS as the ESX we're running this on is tight on resources currently for another Windows VM, especially since it's only basically standing in as a RADIUS-MSCHAPv2-NTLM proxy.
>
> -----Original Message-----
> From: Hugh Irvine [mailto:h...@open.com.au]
> Sent: Wednesday, July 23, 2014 9:43 PM
> To: Christopher Chance
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
>
> Hello Chris -
>
> OK - this is what I had imagined.
>
> What I would suggest is running Microsoft NPS on each domain, then just proxy the inner requests to the corresponding NPS. In this case the inner requests are just straight MSCHAP-V2.
>
> Something like this:
>
>     Foreground
>     LogStdout
>     LogDir /etc/radiator/log/
>     DbDir /etc/radiator
>     PidFile %L/radiusd.pid
>     DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
>     Trace 4
>     AuthPort 1812
>     AcctPort 1813
>
>     <Client 192.168.125.20>
>         Secret xxx
>         Identifier Ruckus
>     </Client>
>
>     <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/(MYSITE|mysite)(.*)$/>
>         <AuthBy RADIUS>
>             StripFromRequest ConvertedFromEAPMSCHAPV2
>             Host
>             Secret
>             AuthPort .
>             AcctPort .
>             AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
>         </AuthBy>
>     </Handler>
>
>     <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/GUEST(.*)$/>
>         <AuthBy RADIUS>
>             StripFromRequest ConvertedFromEAPMSCHAPV2
>             Host .
>             Secret
>             AuthPort .
>             AcctPort .
>             AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
>         </AuthBy>
>     </Handler>
>
>     # this proxies to the machine that can then proxy to OTHERSITE NPS
>     # strongly suggest you don't use Synchronous
>     <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
>         <AuthBy RADIUS>
>             StripFromRequest ConvertedFromEAPMSCHAPV2
>             Host 192.168.125.236
>             Secret x
>             AuthPort 1812
>             AcctPort 1813
>             Retries 2
>             AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
>         </AuthBy>
>     </Handler>
>
>     <Handler TunnelledByPEAP=1>
>         <AuthBy FILE>
>             EAPType MSCHAP-V2
>             EAP_PEAP_MSCHAP_Convert 1
>         </AuthBy>
>     </Handler>
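As an added example (not code from the thread, and not part of Radiator), here is a small Python lint over a Radiator-style configuration that flags the pitfalls raised above: Synchronous set on an AuthBy RADIUS that proxies the converted inner MSCHAP-V2 requests, a missing StripFromRequest of the ConvertedFromEAPMSCHAPV2 marker before forwarding, and empty or placeholder Host/Secret values left over from a template. The parser only understands the `<Block args> ... </Block>` and `Keyword value` syntax seen in Hugh's snippet; the sample configuration, its addresses and secrets, and the placeholder heuristic are constructed for this example.

```python
"""Lint a Radiator-style config for the proxying pitfalls discussed in the thread.

Added example, not Radiator's own code. Only the block/keyword syntax seen in
the posted snippet is parsed; the checks encode the advice given in the thread
plus one constructed heuristic (placeholder Host/Secret values).
"""
import re
from dataclasses import dataclass, field

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")   # e.g. <AuthBy RADIUS>, <Handler a=1, b=/x/>
CLOSE_RE = re.compile(r"^</(\w+)>$")         # e.g. </AuthBy>


@dataclass
class Block:
    name: str                                  # "Handler", "AuthBy", "Client", ...
    args: str                                  # text after the name, e.g. "RADIUS" or a match spec
    params: dict = field(default_factory=dict) # "Keyword value" lines; flags have value ""
    children: list = field(default_factory=list)


def parse(text):
    """Build a tree of Blocks; comments and blank lines are ignored."""
    root = Block("ROOT", "")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN_RE.match(line):
            blk = Block(m.group(1), m.group(2).strip())
            stack[-1].children.append(blk)
            stack.append(blk)
        elif m := CLOSE_RE.match(line):
            if stack[-1].name != m.group(1):
                raise ValueError(f"</{m.group(1)}> closes <{stack[-1].name}>")
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1].params[key] = value.strip()
    if len(stack) != 1:
        raise ValueError(f"unclosed block <{stack[-1].name}>")
    return root


def lint(text):
    """Return (handler_match, finding) pairs for every AuthBy RADIUS that
    proxies converted EAP-MSCHAPv2 inner requests."""
    findings = []
    for handler in parse(text).children:
        if handler.name != "Handler" or "ConvertedFromEAPMSCHAPV2=1" not in handler.args:
            continue
        for authby in handler.children:
            if authby.name != "AuthBy" or authby.args.upper() != "RADIUS":
                continue
            p = authby.params
            # The thread's advice: do not proxy these requests with Synchronous.
            if "Synchronous" in p:
                findings.append((handler.args, "Synchronous set on AuthBy RADIUS; remove it"))
            # Strip the internal marker before forwarding, as the posted config does.
            stripped = [a.strip() for a in p.get("StripFromRequest", "").split(",")]
            if "ConvertedFromEAPMSCHAPV2" not in stripped:
                findings.append((handler.args, "StripFromRequest ConvertedFromEAPMSCHAPV2 missing"))
            # Placeholder detection is this example's heuristic, not a Radiator rule.
            if not p.get("Secret") or set(p["Secret"].lower()) <= {"x", "."}:
                findings.append((handler.args, "Secret is empty or a placeholder"))
            if not p.get("Host") or p["Host"] == ".":
                findings.append((handler.args, "Host is empty or a placeholder"))
    return findings


# Constructed sample modelled on the thread's snippet; addresses and secrets are made up.
SAMPLE_CONFIG = """
<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
    <AuthBy RADIUS>
        Synchronous
        StripFromRequest ConvertedFromEAPMSCHAPV2
        Host 192.0.2.10
        Secret x
        AuthPort 1812
        AcctPort 1813
    </AuthBy>
</Handler>

<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/GUEST(.*)$/>
    <AuthBy RADIUS>
        StripFromRequest ConvertedFromEAPMSCHAPV2
        Host 192.0.2.11
        Secret correct-horse-battery-staple
        AuthPort 1812
        AcctPort 1813
    </AuthBy>
</Handler>

<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        EAPType MSCHAP-V2
        EAP_PEAP_MSCHAP_Convert 1
    </AuthBy>
</Handler>
"""

if __name__ == "__main__":
    for match, finding in lint(SAMPLE_CONFIG):
        print(f"<Handler {match}>: {finding}")
```

Run against the constructed sample, the OTHERSITE handler is reported twice (Synchronous present, placeholder Secret) and the GUEST handler is clean; the TunnelledByPEAP handler is skipped because it only does the EAP-to-plain-MSCHAP conversion rather than proxying.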
Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
Hello Chris -

Thanks for letting us know.

regards

Hugh

On 26 Jul 2014, at 03:50, Christopher Chance <ccha...@newtechgrp.com> wrote:

> Removing the synchronous did in fact fix the problem for some reason! Thanks!
>
> Best regards,
>
> Chris Chance
> Network Engineer - CaribServe
> Phone: +1 721 542-4233
> Email: ccha...@newtechgrp.com