[RADIATOR] SIP2 + Fortigate setup

Hugh Irvine hugh at open.com.au
Wed Feb 19 17:51:38 CST 2014


Hello Chad -

You don’t need to do anything special - Radiator will process the password automatically.

If you are using a flat file for your user records you should add an entry like this:

# flat file user definitions

29030pretend  User-Password = gulash

hope that helps

regards

Hugh


On 20 Feb 2014, at 09:42, Chad Roseburg <croseburg at ncrl.org> wrote:

> Thanks Heikki ~ there is an option to change the authentication scheme. I changed it to PAP as you suggest. 
> 
> Now it appears as though the fortigate is sending the password encrypted ...Ex:
> 
> Test credentials:
> user: 29030pretend
> pass: gulash
> 
> Server output excerpt:
> DEBUG: SIP2 send '2300020140219    141804AO|AA29030pretend|ACterminal password|AD�$.%�6Է!H�'
> 
> In looking at the docs, I see several encryption/decrypt options ...what do I include in my config to allow Radiator to decrypt
> this password?
> 
> Thank you!
> 
> Chad
> 
> 
> 
> 
> 
> On Sat, Feb 15, 2014 at 12:32 AM, Heikki Vatiainen <hvn at open.com.au> wrote:
> On 02/15/2014 02:42 AM, Chad Roseburg wrote:
> > I have an evaluation version of Radiator 4.12.1. I need to set up a web
> > captive portal on a Fortigate 60D that uses SIP2 authentication.
> >
> > The SIP2 part works ...tests successful:
> 
> Hello Chad,
> 
> radpwtst uses PAP with the options you have specified and sends
> User-Password which can be then used with AuthBy SIP2.
> 
> However, it looks like the Fortigate is trying to do MS-CHAP instead of
> PAP. With MS-CHAP there is no password, only a challenge and response,
> and for this reason it does not work.
> 
> The presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is
> being tried. There should be an MS-CHAP-Response too among the attributes, but
> maybe you have left that out. These two attributes are used by MS-CHAP.
> 
> See if there's 'Authentication Scheme', I think this is the option in
> Fortigate, or something similar that has been set to MS-CHAP or defaults
> to MS-CHAP. There should be an option to switch it to PAP.
> 
> Please let us know if the above helps.
> 
> Thanks,
> Heikki
> 
> 
> > Ex.
> > perl radpwtst -noacct -user 29030pretend -password secrets
> > sending Access-Request...
> > OK
> >
> > On RADIUS server I see:
> > -------------------------------------
> > Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214
> >  160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
> > Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24              00020140214
> >    160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
> > Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend
> > [29030pretend]
> > Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
> >
> > But the second part is that I need to connect the fortigate to the
> > RADIUS server. I add the fortigate as a client in the config using IP
> > and a 'Secret'
> >
> > Here's some edited output when I test from the fortigate using the same
> > creds:
> > Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214
> >  162344AONCRL|AA29030pretend|ACterminal password|AD|'
> > Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24              00020140214
> >    162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
> > Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password:
> > 29030002429839 [29030002429839]
> > Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password
> >
> > It looks like it's not sending the password. Also, at the top of the
> > transmission there's mention of a MS-CHAP-Challenge:
> > Attributes:
> >         NAS-Identifier = "Fortinet_RTR"
> >         MS-CHAP-Challenge =
> > b<137><238><146>4<165><145>.9<229><163>j<129>"<220>M
> >         Acct-Session-Id = "00000021"
> >         Connect-Info = "test"
> >         Fortinet-Vdom-Name = "root"
> >
> > This is the Client config:
> > <Client 192.x.x.99>
> >         Secret  secretspass
> >         DupInterval 0
> > </Client>
> >
> > Thanks for any advice!
> >
> > --
> > Chad
> >
> >
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
> >
> 
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> 
> 
> 
> -- 
> Chad Roseburg
> Automation Dept.
> North Central Regional Library


--

Hugh Irvine
hugh at open.com.au

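The exchange the thread describes, modelled end to end as an added example (this is not code from the thread, from Radiator or from Fortinet). Once the Fortigate is switched to PAP it sends User-Password hidden as RFC 2865 section 5.2 specifies: the cleartext is padded to 16-byte blocks and each block is XORed with MD5(shared secret + previous block), seeded with the Request Authenticator. That is the "encryption" in Chad's question, and it is also why a server whose shared secret does not match the NAS does not fail loudly but unhides random bytes, which then turn up in the SIP2 AD field. The RADIUS side then issues a SIP2 Patron Status Request (23) and reads the Patron Status Response (24), where BL is "valid patron" and CQ is "valid patron password". The shared secret, Request Authenticator, patron record, stand-in SIP2 server, institution id NCRL, terminal password and timestamps are all constructed or copied from the log excerpts in the thread; the UTF-8 check on the unhidden password is a heuristic assumption, not a Radiator feature.

```python
# Added example: RFC 2865 User-Password hiding/unhiding plus the SIP2 23/24
# exchange behind "AuthBy SIP2".  All values below are constructed.
import hashlib

BLOCK = 16


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 as done by the NAS: pad to 16-byte blocks, XOR block i with
    MD5(secret || c_{i-1}), where c_0 is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], pad))
        out += prev
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse, as done by the RADIUS server.  A wrong secret does not raise:
    it just yields bytes like the AD field in the thread's SIP2 debug line."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + BLOCK], pad))
        prev = hidden[i:i + BLOCK]
    return bytes(out).rstrip(b"\x00")


def sip2_patron_status_request(institution, patron, terminal_pw, patron_pw, when):
    """Build a 23 message: '23' + language(3) + date(18) + AO/AA/AC/AD fields.
    SIP2 has no escaping, so a '|' inside a value would corrupt the message."""
    for v in (institution, patron, terminal_pw, patron_pw):
        if "|" in v:
            raise ValueError("SIP2 field values cannot contain '|'")
    return f"23000{when}AO{institution}|AA{patron}|AC{terminal_pw}|AD{patron_pw}|"


def sip2_parse_response(msg: str) -> dict:
    """Split a 24 message: '24' + patron status(14) + language(3) + date(18),
    then two-letter-coded variable fields terminated by '|'."""
    if not msg.startswith("24"):
        raise ValueError("expected Patron Status Response (24)")
    fields = {f[:2]: f[2:] for f in msg[37:].split("|") if len(f) >= 2}
    return {"patron_status": msg[2:16], "language": msg[16:19],
            "date": msg[19:37], "fields": fields}


def sip2_password_ok(resp: dict) -> bool:
    """BL = valid patron, CQ = valid patron password; both must be 'Y'."""
    f = resp["fields"]
    return f.get("BL") == "Y" and f.get("CQ") == "Y"


# Constructed stand-in for the library's SIP2 server: one patron record.
PATRONS = {"29030pretend": ("gulash", "JOE SMITH")}


def fake_sip2_server(request: str) -> str:
    fields = {f[:2]: f[2:] for f in request[23:].split("|") if len(f) >= 2}
    patron = fields.get("AA", "")
    expected_pw, name = PATRONS.get(patron, (None, ""))
    bl = "Y" if expected_pw is not None else "N"
    cq = "Y" if expected_pw is not None and fields.get("AD") == expected_pw else "N"
    return (f"24{' ' * 14}000{request[5:23]}AE{name}|AA{patron}|BL{bl}|CQ{cq}|"
            f"AFGreetings. |AO{fields.get('AO', '')}|")


def authenticate(attrs: dict, secret: bytes, authenticator: bytes, sip_send=fake_sip2_server):
    """What the RADIUS server has to do with one Access-Request: (result, reason)."""
    hidden = attrs.get("User-Password")
    if hidden is None:
        if "MS-CHAP-Challenge" in attrs:
            return ("REJECT", "MS-CHAP carries no User-Password; SIP2 needs the "
                              "cleartext password, so set the NAS to PAP")
        return ("REJECT", "no User-Password attribute")
    pw = unhide_password(hidden, secret, authenticator)
    try:
        pw_text = pw.decode("utf-8")
    except UnicodeDecodeError:
        # Heuristic (assumption): a mismatched shared secret unhides to random
        # bytes, which are unlikely to be valid UTF-8.  A hint, not a proof.
        return ("REJECT", "User-Password unhides to non-text; check the shared secret")
    try:
        req = sip2_patron_status_request("NCRL", attrs["User-Name"], "terminal password",
                                         pw_text, "20140214    160747")
    except ValueError as e:
        return ("REJECT", str(e))
    resp = sip2_parse_response(sip_send(req))
    return ("ACCEPT", "") if sip2_password_ok(resp) else ("REJECT", "Bad password")


if __name__ == "__main__":
    secret, ra = b"secretspass", bytes(range(16))
    good = {"User-Name": "29030pretend",
            "User-Password": hide_password(b"gulash", secret, ra)}
    print(authenticate(good, secret, ra))          # ('ACCEPT', '')
    print(authenticate(good, b"other-secret", ra))  # REJECT: garbage or bad password
    print(authenticate({"User-Name": "29030pretend",
                        "MS-CHAP-Challenge": b"\x00" * 16}, secret, ra))
```

The second call in the `__main__` block is the situation to watch for in the debug log: the request is well formed and the SIP2 server answers, but the AD field carries whatever the wrong secret produced, so the library rejects it as a bad password rather than the RADIUS server reporting a secret mismatch.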


