[RADIATOR] SIP2 + Fortigate setup

Sami Keski-Kasari samikk at open.com.au
Thu Feb 20 06:45:46 CST 2014

Hello Chad,

In the standard RADIUS protocol the shared secret is used to encrypt the
User-Password field. Radiator will automatically decrypt User-Password
with the shared secret.

I think that you should first check that you have the same shared secret
both in your Client clause and in the Fortigate.

If there are any password encryption options in the Fortigate, please
try to disable them until you get authentication working.

Best Regards,

On 02/20/2014 12:42 AM, Chad Roseburg wrote:
> Thanks Heikki ~ there is an option to change the authentication scheme. I
> changed it to PAP as you suggested.
> Now it appears as though the Fortigate is sending the password encrypted.
> Ex:
> Test credentials:
> user: 29030pretend
> pass: gulash
> Server output excerpt:
> DEBUG: SIP2 send '2300020140219    141804AO|AA29030pretend|ACterminal
> password|AD�$.%�6Է!H�'
> In looking at the docs, I see several encryption/decryption options. What do
> I include in my config to allow Radiator to decrypt
> this password?
> Thank you!
> Chad
> On Sat, Feb 15, 2014 at 12:32 AM, Heikki Vatiainen <hvn at open.com.au> wrote:
>> On 02/15/2014 02:42 AM, Chad Roseburg wrote:
>>> I have an evaluation version of Radiator 4.12.1. I need to set up a web
>>> captive portal on a Fortigate 60D that uses SIP2 authentication.
>>> The SIP2 part works ...tests successful:
>> Hello Chad,
>> radpwtst uses PAP with the options you have specified and sends
>> User-Password which can be then used with AuthBy SIP2.
>> However, it looks like the Fortigate is trying to do MS-CHAP instead of
>> PAP. With MS-CHAP there is no password, only a challenge and response,
>> and for this reason it does not work.
>> Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is
>> tried. There should be a MS-CHAP-Response too with the attributes, but
>> maybe you have left that out. These two attributes are used by MS-CHAP.
>> See if there's an 'Authentication Scheme' option (I think this is what it
>> is called in Fortigate) or something similar that has been set to MS-CHAP
>> or defaults to MS-CHAP. There should be an option to switch it to PAP.
>> Please let us know if the above helps.
>> Thanks,
>> Heikki
>>> Ex.
>>> perl radpwtst -noacct -user 29030pretend -password secrets
>>> sending Access-Request...
>>> OK
>>> On RADIUS server I see:
>>> -------------------------------------
>>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214
>>>  160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
>>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24              00020140214
>>>    160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
>>> Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend
>>> [29030pretend]
>>> Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
>>> But the second part is that I need to connect the Fortigate to the
>>> RADIUS server. I add the Fortigate as a client in the config using its IP
>>> and a 'Secret'.
>>> Here's some edited output when I test from the fortigate using the same
>>> creds:
>>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214
>>>  162344AONCRL|AA29030pretend|ACterminal password|AD|'
>>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24              00020140214
>>>    162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
>>> Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password:
>>> 29030002429839 [29030002429839]
>>> Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password
>>> It looks like it's not sending the password. Also, at the top of the
>>> transmission there's mention of an MS-CHAP-Challenge:
>>> Attributes:
>>>         NAS-Identifier = "Fortinet_RTR"
>>>         MS-CHAP-Challenge =
>>> b<137><238><146>4<165><145>.9<229><163>j<129>"<220>M
>>>         Acct-Session-Id = "00000021"
>>>         Connect-Info = "test"
>>>         Fortinet-Vdom-Name = "root"
>>> This is the Client config:
>>> <Client 192.x.x.99>
>>>         Secret  secretspass
>>>         DupInterval 0
>>> </Client>
>>> Thanks for any advice!
>>> --
>>> Chad
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> --
>> Heikki Vatiainen <hvn at open.com.au>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.

Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
