[RADIATOR] SIP2 + Fortigate setup

Heikki Vatiainen hvn at open.com.au
Sat Feb 15 02:32:58 CST 2014


On 02/15/2014 02:42 AM, Chad Roseburg wrote:
> I have an evaluation version of Radiator 4.12.1. I need to set up a web
> captive portal on a Fortigate 60D that uses SIP2 authentication.
> 
> The SIP2 part works ...tests successful:

Hello Chad,

radpwtst uses PAP with the options you have specified and sends
User-Password, which can then be used with AuthBy SIP2.

However, it looks like the Fortigate is trying to do MS-CHAP instead of
PAP. With MS-CHAP there is no password, only a challenge and response,
and for this reason it does not work.

Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is
tried. There should be an MS-CHAP-Response too with the attributes, but
maybe you have left that out. These two attributes are used by MS-CHAP.

See if there's 'Authentication Scheme', I think this is the option in
Fortigate, or something similar that has been set to MS-CHAP or defaults
to MS-CHAP. There should be an option to switch it to PAP.

Please let us know if the above helps.

Thanks,
Heikki


> Ex.
> perl radpwtst -noacct -user 29030pretend -password secrets
> sending Access-Request...
> OK
> 
> On RADIUS server I see:
> -------------------------------------
> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214  
>  160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24              00020140214
>    160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
> Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend
> [29030pretend]
> Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
> 
> But the second part is that I need to connect the fortigate to the
> RADIUS server. I add the fortigate as a client in the config using IP
> and a 'Secret'
> 
> Here's some edited output when I test from the fortigate using the same
> creds:
> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214  
>  162344AONCRL|AA29030pretend|ACterminal password|AD|'
> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24              00020140214
>    162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
> Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password:
> 29030002429839 [29030002429839]
> Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password
> 
> It looks like it's not sending the password. Also, at the top of the
> transmission there's mention of an MS-CHAP-Challenge:
> Attributes:
>         NAS-Identifier = "Fortinet_RTR"
>         MS-CHAP-Challenge =
> b<137><238><146>4<165><145>.9<229><163>j<129>"<220>M
>         Acct-Session-Id = "00000021"
>         Connect-Info = "test"
>         Fortinet-Vdom-Name = "root"
> 
> This is the Client config:
> <Client 192.x.x.99>
>         Secret  secretspass
>         DupInterval 0
> </Client>
> 
> Thanks for any advice!
> 
> -- 
> Chad
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
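As an added illustration of the point in the reply above (example code, not from the thread or from Radiator itself): a small Python check that classifies the RADIUS authentication scheme from the attribute names in a Radiator DEBUG attribute dump, and parses the SIP2 '24' Patron Status Response so the BL/CQ flags behind ACCEPT and REJECT are visible. The sample dumps and SIP2 strings are constructed from the thread's log lines; MS-CHAP-Response, MS-CHAP2-Response and CHAP-Password are standard RADIUS attribute names that do not appear in this thread.

```python
import re

# Constructed from the thread's DEBUG output: the Fortigate request carries
# MS-CHAP-Challenge and no User-Password; radpwtst sends User-Password (PAP).
FORTIGATE_DUMP = """Attributes:
        NAS-Identifier = "Fortinet_RTR"
        MS-CHAP-Challenge = b<137><238><146>4<165><145>.9<229><163>j<129>"<220>M
"""
RADPWTST_DUMP = """Attributes:
        User-Name = "29030pretend"
        User-Password = "secrets"
"""
# Constructed SIP2 '24' responses on one line (the log wraps them); only CQ differs.
SIP2_ACCEPT = '24' + ' ' * 14 + '00020140214    160727' + 'AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
SIP2_REJECT = '24' + ' ' * 14 + '00020140214    162323' + 'AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'

def parse_attributes(dump):
    """Return {name: value} for each 'Name = value' line of a DEBUG dump."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r'\s*([\w-]+)\s*=\s*(.*)$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs

def auth_scheme(attrs):
    """PAP carries the password; MS-CHAP and CHAP carry only challenge/response,
    so a backend that must forward the password (AuthBy SIP2) cannot use them."""
    if 'User-Password' in attrs:
        return 'PAP'
    if any(a in attrs for a in ('MS-CHAP-Challenge', 'MS-CHAP-Response', 'MS-CHAP2-Response')):
        return 'MS-CHAP'
    if 'CHAP-Password' in attrs:
        return 'CHAP'
    return 'unknown'

def sip2_can_authenticate(dump):
    """True only when the request is PAP, i.e. the clear-text password is present."""
    return auth_scheme(parse_attributes(dump)) == 'PAP'

def parse_sip2_patron_status(msg):
    """Split a '24' response: 2-char command, 14-char patron status, 3-char
    language, 18-char transaction date, then '|'-terminated 2-letter fields."""
    if not msg.startswith('24'):
        raise ValueError('not a SIP2 Patron Status Response')
    return {f[:2]: f[2:] for f in msg[2 + 14 + 3 + 18:].split('|') if len(f) >= 2}

def sip2_password_valid(msg):
    """BL = valid patron, CQ = valid patron password; the REJECT in the thread was CQN."""
    f = parse_sip2_patron_status(msg)
    return f.get('BL') == 'Y' and f.get('CQ') == 'Y'
```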

