[RADIATOR] SIP2 + Fortigate setup

Chad Roseburg croseburg at ncrl.org
Thu Feb 20 11:48:29 CST 2014


That is correct. I had an additional stanza for a router ...when I
commented out all but the DEFAULT and used the DEFAULT secret, it worked.

Thanks!

Chad


On Thu, Feb 20, 2014 at 4:45 AM, Sami Keski-Kasari <samikk at open.com.au> wrote:

> Hello Chad,
>
> In the standard RADIUS protocol, the shared secret is used to encrypt the
> User-Password field. Radiator will automatically decrypt User-Password
> with the shared secret.
>
> I think that you should first check that you have the same shared secret
> in both your Client clause and the Fortigate.
>
> If there are any password encryption options in the Fortigate,
> please try disabling them until you get authentication working.
>
> Best Regards,
>  Sami
>
> On 02/20/2014 12:42 AM, Chad Roseburg wrote:
> > Thanks Heikki ~ there is an option to change the authentication scheme. I
> > changed it to PAP as you suggest.
> >
> > Now it appears as though the fortigate is sending the password encrypted
> > ...Ex:
> >
> > Test credentials:
> > user: 29030pretend
> > pass: gulash
> >
> > Server output excerpt:
> > DEBUG: SIP2 send '2300020140219    141804AO|AA29030pretend|ACterminal
> > password|AD�$.%�6Է!H�'
> >
> > In looking at the docs, I see several encryption/decrypt options ...what do
> > I include in my config to allow Radiator to decrypt this password?
> >
> > Thank you!
> >
> > Chad
> >
> > On Sat, Feb 15, 2014 at 12:32 AM, Heikki Vatiainen <hvn at open.com.au> wrote:
> >
> >> On 02/15/2014 02:42 AM, Chad Roseburg wrote:
> >>> I have an evaluation version of Radiator 4.12.1. I need to set up a web
> >>> captive portal on a Fortigate 60D that uses SIP2 authentication.
> >>>
> >>> The SIP2 part works ...tests successful:
> >>
> >> Hello Chad,
> >>
> >> radpwtst uses PAP with the options you have specified and sends
> >> User-Password which can be then used with AuthBy SIP2.
> >>
> >> However, it looks like the Fortigate is trying to do MS-CHAP instead of
> >> PAP. With MS-CHAP there is no password, only a challenge and response,
> >> and for this reason it does not work.
> >>
> >> Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is
> >> tried. There should be a MS-CHAP-Response too with the attributes, but
> >> maybe you have left that out. These two attributes are used by MS-CHAP.
> >>
> >> See if there's 'Authentication Scheme', I think this is the option in
> >> Fortigate, or something similar that has been set to MS-CHAP or defaults
> >> to MS-CHAP. There should be an option to switch it to PAP.
> >>
> >> Please let us know if the above helps.
> >>
> >> Thanks,
> >> Heikki
> >>
> >>
> >>> Ex.
> >>> perl radpwtst -noacct -user 29030pretend -password secrets
> >>> sending Access-Request...
> >>> OK
> >>>
> >>> On RADIUS server I see:
> >>> -------------------------------------
> >>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214
> >>>  160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
> >>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24              00020140214
> >>>    160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
> >>> Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend [29030pretend]
> >>> Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
> >>>
> >>> But the second part is that I need to connect the fortigate to the
> >>> RADIUS server. I add the fortigate as a client in the config using IP
> >>> and a 'Secret'
> >>>
> >>> Here's some edited output when I test from the fortigate using the same
> >>> creds:
> >>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214
> >>>  162344AONCRL|AA29030pretend|ACterminal password|AD|'
> >>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24              00020140214
> >>>    162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
> >>> Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password:
> >>> 29030002429839 [29030002429839]
> >>> Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password
> >>>
> >>> It looks like it's not sending the password. Also, at the top of the
> >>> transmission there's mention of a MS-CHAP-Challenge:
> >>> Attributes:
> >>>         NAS-Identifier = "Fortinet_RTR"
> >>>         MS-CHAP-Challenge =
> >>> b<137><238><146>4<165><145>.9<229><163>j<129>"<220>M
> >>>         Acct-Session-Id = "00000021"
> >>>         Connect-Info = "test"
> >>>         Fortinet-Vdom-Name = "root"
> >>>
> >>> This is the Client config:
> >>> <Client 192.x.x.99>
> >>>         Secret  secretspass
> >>>         DupInterval 0
> >>> </Client>
> >>>
> >>> Thanks for any advice!
> >>>
> >>> --
> >>> Chad
> >>>
> >>>
> >>> _______________________________________________
> >>> radiator mailing list
> >>> radiator at open.com.au
> >>> http://www.open.com.au/mailman/listinfo/radiator
> >>>
> >>
> >>
> >> --
> >> Heikki Vatiainen <hvn at open.com.au>
> >>
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> >> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> >> NetWare etc.
> >>
> >
> >
>
>
> --
> Sami Keski-Kasari <samikk at open.com.au>
>




-- 
Chad Roseburg
Automation Dept.
North Central Regional Library
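The shared-secret handling Sami describes above, as an added example that is not from the thread and not Radiator's own code: a Python hide/reveal pair for the RFC 2865 User-Password attribute. It assumes the Secret value from Chad's Client clause, the test password from the thread, and a constructed Request Authenticator; it also shows why a mismatched secret does not produce an error but unprintable bytes like the ones Radiator forwarded into the SIP2 AD field.

```python
import hashlib

BLOCK = 16  # RFC 2865 hides User-Password in 16-byte blocks keyed by MD5

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Hide a PAP password the way a NAS (here the Fortigate) does before
    placing it in the User-Password attribute (RFC 2865, section 5.2)."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += chunk
        prev = chunk  # each block is chained on the previous ciphertext block
    return bytes(out)

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """What the RADIUS server does on receipt. There is no integrity check
    in this scheme, so a wrong secret silently yields garbage, not an error."""
    if not hidden or len(hidden) % BLOCK or len(authenticator) != BLOCK:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")

def is_printable(data: bytes) -> bool:
    """Cheap sanity check a server could log: a correctly revealed PAP
    password is printable ASCII; the bytes in the SIP2 AD field were not."""
    return all(0x20 <= b < 0x7F for b in data)

def demo() -> tuple:
    # Constructed sample: the Secret from the Client clause in the thread and
    # the test password; a real NAS picks a random 16-byte authenticator per request.
    secret = b"secretspass"
    authenticator = bytes(range(16))
    hidden = hide_password(secret, authenticator, b"gulash")
    good = reveal_password(secret, authenticator, hidden)  # b"gulash"
    bad = reveal_password(b"some-other-secret", authenticator, hidden)  # garbage
    return good, bad, is_printable(good), is_printable(bad)

if __name__ == "__main__":
    print(demo())
```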