[RADIATOR] SIP2 + Fortigate setup

Chad Roseburg croseburg at ncrl.org
Thu Feb 20 11:45:44 CST 2014 

You were correct, I did not set up the client stanzas correctly. I got rid
of all client stanzas but the DEFAULT and used the secret with the
fortigate ....SUCCESS! Thank you!

Here is what I had:

<Client DEFAULT>
        Secret  different_secret
        DupInterval 0
</Client>

<Client 192.168.20.99>
       Secret  radius_secret
       DupInterval 0
</Client>

I commented out the second one. Why didn't the second stanza work?

Thanks!

Chad



On Wed, Feb 19, 2014 at 5:49 PM, Hugh Irvine <hugh at open.com.au> wrote:

>
> Hi again -
>
> Further to this, I am guessing the shared secret between the Fortigate and
> the Radiator Client clause is incorrect.
>
> regards
>
> Hugh
>
>
> On 20 Feb 2014, at 12:42, Hugh Irvine <hugh at open.com.au> wrote:
>
> >
> > Hi Chad -
> >
> > Can you please send me a copy of your configuration file together with a
> trace 4 debug showing what is happening.
> >
> > Also please include your user definition.
> >
> > thanks and regards
> >
> > Hugh
> >
> >
> >
> > On 20 Feb 2014, at 11:26, Chad Roseburg <croseburg at ncrl.org> wrote:
> >
> >> Thanks Hugh, but it is rejecting the password ...sample output:
> >>
> >> Wed Feb 19 14:18:04 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad passw
> >> Wed Feb 19 14:18:04 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad pa
> >>
> >> We're using SIP2 to authenticate clients. It does work with the
> radpwtst, but not fortigate.
> >>
> >> Suggestions?
> >>
> >> Chad
> >>
> >>
> >> On Wed, Feb 19, 2014 at 3:51 PM, Hugh Irvine <hugh at open.com.au> wrote:
> >>
> >> Hello Chad -
> >>
> >> You don’t need to do anything special - Radiator will process the
> password automatically.
> >>
> >> If you are using a flat file for your user records you should add an
> entry like this:
> >>
> >>
> >>
> >> # flat file user definitions
> >>
> >> 29030pretend  User-Password = gulash
> >>
> >>
> >>
> >> hope that helps
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 20 Feb 2014, at 09:42, Chad Roseburg <croseburg at ncrl.org> wrote:
> >>
> >>> Thanks Heikki ~ there is an option to change the authentication
> scheme. I changed it to PAP as you suggest.
> >>>
> >>> Now it appears as though the fortigate is sending the password
> encrypted ...Ex:
> >>>
> >>> Test credentials:
> >>> user: 29030pretend
> >>> pass: gulash
> >>>
> >>> Server output excerpt:
> >>> DEBUG: SIP2 send '2300020140219    141804AO|AA29030pretend|ACterminal
> password|AD�$.%�6Է!H�'
> >>>
> >>> In looking at the docs, I see several encryption/decrypt options
> ...what do I include in my config to allow Radiator to decrypt
> >>> this password?
> >>>
> >>> Thank you!
> >>>
> >>> Chad
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On Sat, Feb 15, 2014 at 12:32 AM, Heikki Vatiainen <hvn at open.com.au>
> wrote:
> >>> On 02/15/2014 02:42 AM, Chad Roseburg wrote:
> >>>> I have an evaluation version of Radiator 4.12.1. I need to set up a
> web
> >>>> captive portal on a Fortigate 60D that uses SIP2 authentication.
> >>>>
> >>>> The SIP2 part works ...tests successful:
> >>>
> >>> Hello Chad,
> >>>
> >>> radpwtst uses PAP with the options you have specified and sends
> >>> User-Password which can be then used with AuthBy SIP2.
> >>>
> >>> However, it looks like the Fortigate is trying to do MS-CHAP instead of
> >>> PAP. With MS-CHAP there is not password, only a challenge and response,
> >>> and for this reason it does not work.
> >>>
> >>> Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP
> is
> >>> tried. There should be a MS-CHAP-Response too with the attributes, but
> >>> maybe you have left that out. These two attributes are used by MS-CHAP.
> >>>
> >>> See if there's 'Authentication Scheme', I think this is the option in
> >>> Fortigate, or something similar that has been set to MS-CHAP or
> defaults
> >>> to MS-CHAP. There should be an option to switch it to PAP.
> >>>
> >>> Please let us know if the above helps.
> >>>
> >>> Thanks,
> >>> Heikki
> >>>
> >>>
> >>>> Ex.
> >>>> perl radpwtst -noacct -user 29030pretend -password secrets
> >>>> sending Access-Request...
> >>>> OK
> >>>>
> >>>> On RADIUS server I see:
> >>>> -------------------------------------
> >>>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214
> >>>> 160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
> >>>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24
>  00020140214
> >>>>   160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
> >>>> Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: :
> 29030pretend
> >>>> [29030pretend]
> >>>> Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
> >>>>
> >>>> But the second part is that I need to connect the fortigate to the
> >>>> RADIUS server. I add the fortigate as a client in the config using IP
> >>>> and a 'Secret'
> >>>>
> >>>> Here's some edited output when I test from the fortigate using the
> same
> >>>> creds:
> >>>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214
> >>>> 162344AONCRL|AA29030pretend|ACterminal password|AD|'
> >>>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24
>  00020140214
> >>>>   162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
> >>>> Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad
> password:
> >>>> 29030002429839 [29030002429839]
> >>>> Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad
> password
> >>>>
> >>>> It looks like it's not sending the password. Also, at the top of the
> >>>> transmission there's mention of a MS-CHAP-Challenge:
> >>>> Attributes:
> >>>>        NAS-Identifier = "Fortinet_RTR"
> >>>>        MS-CHAP-Challenge =
> >>>> b<137><238><146>4<165><145>.9<229><163>j<129>"<220>M
> >>>>        Acct-Session-Id = "00000021"
> >>>>        Connect-Info = "test"
> >>>>        Fortinet-Vdom-Name = "root"
> >>>>
> >>>> This is the Client config:
> >>>> <Client 192.x.x.99>
> >>>>        Secret  secretspass
> >>>>        DupInterval 0
> >>>> </Client>
> >>>>
> >>>> Thanks for any advice!
> >>>>
> >>>> --
> >>>> Chad
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> radiator mailing list
> >>>> radiator at open.com.au
> >>>> http://www.open.com.au/mailman/listinfo/radiator
> >>>>
> >>>
> >>>
> >>> --
> >>> Heikki Vatiainen <hvn at open.com.au>
> >>>
> >>> Radiator: the most portable, flexible and configurable RADIUS server
> >>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> >>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> >>> NetWare etc.
> >>> _______________________________________________
> >>> radiator mailing list
> >>> radiator at open.com.au
> >>> http://www.open.com.au/mailman/listinfo/radiator
> >>>
> >>>
> >>>
> >>> --
> >>> Chad Roseburg
> >>> Automation Dept.
> >>> North Central Regional Library
> >>> _______________________________________________
> >>> radiator mailing list
> >>> radiator at open.com.au
> >>> http://www.open.com.au/mailman/listinfo/radiator
> >>
> >>
> >> --
> >>
> >> Hugh Irvine
> >> hugh at open.com.au
> >>
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> >> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >> DIAMETER etc.
> >> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> >>
> >>
> >>
> >>
> >> --
> >> Chad Roseburg
> >> Automation Dept.
> >> North Central Regional Library
> >
> >
> > --
> >
> > Hugh Irvine
> > hugh at open.com.au
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER etc.
> > Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> >
>
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc.
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>


-- 
Chad Roseburg
Automation Dept.
North Central Regional Library
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20140220/04b93a1a/attachment.html

More information about the radiator mailing list