[RADIATOR] PEAP and Kerberos?

Hirayama, Pat phirayam at fredhutch.org
Sat Jun 17 22:05:20 UTC 2023


Greetings,

We had our FreeIPA configuration implode a while back, so the decision was made to switch our Linux servers to using realm and sssd for authentication.  No real issues until they switched the server that Radiator was running on, which broke wireless authentication:


Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: PEAP Authentication Failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'adoe2': The specified account does not exist.
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: 140.107.6.10: cf-wlc: Access-Request: a4-83-e7-58-60-75: a0-93-51-a9-fc-c0:Marconi
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: : cf-wlc: Access-Request: a4-83-e7-58-60-75:
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: PEAP Authentication Failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jdoe': The specified account does not exist.
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:16 2023: wifi: FAIL: jdoe: jdoe: 140.107.6.10: cf-wlc: Access-Request: 3c-22-fb-e2-d1-70: 68-3b-78-d6-5c-20:Marconi
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:16 2023: wifi: FAIL: jdoe: jdoe: : cf-wlc: Access-Request: 3c-22-fb-e2-d1-70:
Jun 17 14:01:17 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jsmith': The specified account does not exist.

So, I logged in to see what changes were made and concluded that switching to realm / sssd meant that, since our wifi was using PEAP and AuthBy NTLM, that wouldn't work any longer.  Anyway, I reverted to the previous configuration (snapshots are great).  So, the immediate problem is solved.

The real question -- can I redo my PEAP configuration to work with Kerberos?  Looking at the samples in goodies, I see krb5.conf, but it contains:

# Works with RADIUS-PAP, TTLS-PAP.

I see the heimdal config, but am not sure how that relates to Kerberos.  Can I refashion that to work with my AD?

Handler section from my radiator config:


#####################################################################
# Handlers
#####################################################################
#
#### Wireless Clients using PEAP #####
# The most popular method, supported by default by Windows.  Does not require a client-side cert and is thus considered less secure
# than EAP-TLS
<Handler TunnelledByPEAP=1>
        RejectHasReason

        AuthLog wifi-authlog

        <AuthBy NTLM>
                include /etc/radiator/eap.txt
                NtlmAuthProg  /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
                Domain XXXXX
                DefaultDomain XXXXX
                EAPType MSCHAP-V2
        </AuthBy>
</Handler>

#### Outer Handler #####
# When clients check the 'Validate Server Certificate' (or equivalent), then this stanza plays a key role
<Handler>
        AuthByPolicy    ContinueUntilAccept

        AuthLog wifi-authlog
        RejectHasReason
        <AuthBy FILE>
                Filename %D/users.anonymous
                EAPType PEAP,TTLS
                EAPTLS_PEAPVersion 0
                include /etc/radiator/eap.txt
                EAPTLS_CertificateType PEM
#                EAPTLS_PrivateKeyPassword everwhat
                EAPTLS_MaxFragmentSize 1024
                EAPTLS_SecurityLevel 1
                EAPTLS_Ciphers DEFAULT@SECLEVEL=1
                EAPTLS_Protocols TLSv1, TLSv1.1, TLSv1.2
                EAPAnonymous %0
                AutoMPPEKeys
                SSLeayTrace 4
        </AuthBy>
</Handler>


Any help or hints would be greatly appreciated.

Thank you!

                              -p


Pat Hirayama
Pronouns: he/him/his
Systems Engineer
IT | Systems Engineering
Fred Hutchinson Cancer Center
O 206.667.4856
phirayam at fredhutch.org
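Editor's added example (not part of the post above, and not Radiator or Samba code). The failure in the post is worth recognising from the logs alone: the NTLM helper (ntlm_auth, backed by winbind) answered "The specified account does not exist." for every user within two seconds of each other right after the host change, which is a backend lookup fault, not a run of wrong passwords, yet a dashboard that only counts Access-Rejects would show it as a credential-stuffing spike. The script below parses the syslog-prefixed Radiator lines shown in the post (taken as sample input) and flags any single reason that hits several distinct users inside a short window as systemic. The regexes are derived from those lines only, and the thresholds (3 users, 60 seconds) are illustrative assumptions. As background to the Kerberos question, note that MS-CHAP-V2 verification needs the user's NT hash or a domain-joined helper that can forward the challenge/response to a DC; a Kerberos exchange only verifies a password you hold in plaintext, which is why a krb5 backend fits PAP (and TTLS-PAP) but not an MSCHAP-V2 inner method.

```python
"""Triage Radiator/ntlm_auth failure bursts: backend lookup fault vs. bad passwords.

Added example for this thread; not Radiator code. Line shapes come from the log
excerpt in the post; the min_users/window_s thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Log excerpt from the post (syslog-prefixed Radiator lines), used as sample input.
SAMPLE_LOG = """\
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: PEAP Authentication Failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'adoe2': The specified account does not exist.
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: 140.107.6.10: cf-wlc: Access-Request: a4-83-e7-58-60-75: a0-93-51-a9-fc-c0:Marconi
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: PEAP Authentication Failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jdoe': The specified account does not exist.
Jun 17 14:01:17 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jsmith': The specified account does not exist.
"""

# "Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: " -> stamp, host, program[pid]:
SYSLOG_PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: "
NTLM_RE = re.compile(SYSLOG_PREFIX + r"NTLM Could not authenticate user '(?P<user>[^']+)': (?P<reason>.+)$")
REJECT_RE = re.compile(SYSLOG_PREFIX + r"Access rejected for (?P<user>\S+): (?P<reason>.+)$")


def parse(lines):
    """Return NTLM-helper and Access-reject events; the AuthLog 'wifi: FAIL' lines are skipped."""
    events = []
    for line in lines:
        line = line.rstrip()
        for kind, rx in (("ntlm", NTLM_RE), ("reject", REJECT_RE)):
            m = rx.match(line)
            if m:
                # Syslog stamps carry no year; only deltas within one capture are used.
                ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
                events.append({"kind": kind, "ts": ts, "user": m["user"], "reason": m["reason"]})
                break
    return events


def triage(lines, min_users=3, window_s=60):
    """Classify a capture.

    A genuine credential failure is per user and scattered in time. A backend that
    can no longer look accounts up fails *every* user with the *same* helper reason
    within seconds. Any reason seen for >= min_users distinct users inside window_s
    seconds is reported as systemic; the Access-Reject counts per user are returned
    alongside so the two views can be compared.
    """
    events = parse(lines)
    rejects = defaultdict(int)
    by_reason = defaultdict(list)
    for e in events:
        if e["kind"] == "reject":
            rejects[e["user"]] += 1
        else:
            by_reason[e["reason"]].append(e)

    systemic = {}
    for reason, evs in by_reason.items():
        evs.sort(key=lambda e: e["ts"])
        users = {e["user"] for e in evs}
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if len(users) >= min_users and span <= window_s:
            systemic[reason] = sorted(users)
    return {"events": len(events), "rejects": dict(rejects), "systemic": systemic}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for reason, users in result["systemic"].items():
        print(f"SYSTEMIC backend fault: {reason!r} for {len(users)} users: {', '.join(users)}")
    if not result["systemic"]:
        print("No systemic pattern; treat the rejects as per-user credential failures")
```

Run it against a larger capture by replacing SAMPLE_LOG with the file contents; the helper's reason string is what separates "the account cannot be resolved" from a plain wrong password, so the grouping is by reason rather than by user.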
