[RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

Christopher Chance cchance at newtechgrp.com
Thu Jul 24 00:45:04 CDT 2014


How does this differ from what I'm already doing? The primary domain is working; the secondary domain is getting a response from the other RADIUS after the second RADIUS polls NTLM. It responds with an Access-Accept, but for some reason the main server gets the Accept and then the EAP challenge somehow doesn't work...


Sent from my Windows Phone
________________________________
From: Hugh Irvine<mailto:hugh at open.com.au>
Sent: 7/23/2014 9:45 PM
To: Christopher Chance<mailto:cchance at newtechgrp.com>
Cc: radiator at open.com.au<mailto:radiator at open.com.au>
Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)


Hello Chris -

OK - this is what I had imagined.

What I would suggest is running Microsoft NPS on each domain, then just proxy the inner requests to the corresponding NPS.

In this case the inner requests are just straight MSCHAP-V2.

Something like this:


Foreground
LogStdout
LogDir /etc/radiator/log/
DbDir /etc/radiator
PidFile %L/radiusd.pid
DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
Trace 4
AuthPort 1812
AcctPort 1813

<Client 192.168.125.20>
        Secret xxxxxxxxxxx
        Identifier Ruckus
</Client>

<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/(MYSITE|mysite)(.*)$/>
        <AuthBy RADIUS>
                StripFromRequest ConvertedFromEAPMSCHAPV2
                Host ….
                Secret ….
                AuthPort …..
                AcctPort …..
                AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802,  Tunnel-Private-Group-ID=52
        </AuthBy>
</Handler>

<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/GUEST(.*)$/>
        <AuthBy RADIUS>
                StripFromRequest ConvertedFromEAPMSCHAPV2
                Host …..
                Secret ….
                AuthPort …..
                AcctPort …..
                AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802,  Tunnel-Private-Group-ID=52
        </AuthBy>
</Handler>

# this proxies to the machine that can then proxy to OTHERSITE NPS
# strongly suggest you don’t use Synchronous

<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
        <AuthBy RADIUS>
                StripFromRequest ConvertedFromEAPMSCHAPV2
                Host 192.168.125.236
                Secret xxxxxxxxx
                AuthPort 1812
                AcctPort 1813
                Retries 2
                AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802,  Tunnel-Private-Group-ID=nn
        </AuthBy>
</Handler>

# EAP_PEAP_MSCHAP_Convert turns the inner EAP-MSCHAPv2 into a conventional
# MSCHAPv2 request and redispatches it with ConvertedFromEAPMSCHAPV2=1,
# which is why the per-domain Handlers above must come first
<Handler TunnelledByPEAP=1>
        <AuthBy FILE>
                EAPType MSCHAP-V2
                EAP_PEAP_MSCHAP_Convert 1
        </AuthBy>
</Handler>

# outer PEAP/TLS leg from the controller, terminated here with the server certificate
<Handler Client-Identifier = Ruckus>
            <AuthBy FILE>
              CachePasswordExpiry 3600
              Filename %D/users_anon
              EAPType PEAP,TLS,TTLS
              EAPTLS_PrivateKeyPassword whatever
              EAPTLS_CAFile /etc/radiator/certs/ca.pem
              EAPTLS_CertificateFile /etc/radiator/certs/server.pem
              EAPTLS_CertificateType PEM
              EAPTLS_PrivateKeyFile /etc/radiator/certs/server.pem
              EAPTLS_PEAPVersion 0
              EAPTTLS_NoAckRequired
              UsernameMatchesWithoutRealm
              AutoMPPEKeys
            </AuthBy>
</Handler>


regards

Hugh


On 24 Jul 2014, at 11:08, Christopher Chance <cchance at newtechgrp.com> wrote:

> 2 domains are on 2 separate VLANs... for authentication I'm filtering it by the handler: Domain1\myuser or Domain2\myuser. If domain1, then process it via NTLM locally; if the second domain, forward to the secondary RADIUS that has an interface on domain2 and is part of domain2's domain.
>
> This is being done so that my wireless in my office can accept both logins and sort users to the correct VLAN based on their credentials. If a user logs in with Domain1\user then they get sent to VLAN 2; if they get on as domain2\user they log in to VLAN 3, for instance.
>
> We have an office with different companies but want to simplify our wireless (at least at the user level) so that it is 1 wireless network via WPA2 Enterprise (802.1X EAPs)... hence what I'm trying to do above.
>
> Originally I was going to have the main RADIUS server just filter by domains and send an LDAP2 request to domain1's or domain2's DC, but since LDAP2 doesn't work with MSCHAPv2 I had to go the NTLM way.
>
> And yes, the Linux version is what we're using as we plan to use the RADIUS for some other things too, but Windows was giving us some headaches, but that's a different story for a different day.
>
> Hope I've explained :S
>
> Chris
> ________________________________________
> From: Hugh Irvine [hugh at open.com.au]
> Sent: Wednesday, July 23, 2014 8:07 PM
> To: Christopher Chance
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
>
> Hello Chris -
>
> Could you please explain in detail what exactly you are trying to accomplish?
>
> It sounds like you are authenticating against Active Directory but you are running Radiator on Linux?
>
> Can you tell us how you differentiate between the 2 domains?
>
> We can make better suggestions if we clearly understand the problem.
>
> regards
>
> Hugh
>
>
> On 24 Jul 2014, at 03:30, Christopher Chance <cchance at newtechgrp.com> wrote:
>
>> Let me just say I got 802.1x working with PEAP/MSCHAPv2 -> NTLM authentication….
>>
>> The issue is we have 2 domains on our network and want to be able to have the single 802.1X authentication, sorted by domain, authenticate and return the correct VLAN for the user... I couldn't figure out a way to do it with LDAP2 as apparently LDAP2 doesn't like MSCHAPv2/PEAP, only PAP, for whatever reason... So I went to NTLM, and it works, but that meant I had to join the Linux server to the domain, and only 1 domain per server.
>>
>> To solve this I followed someone's recommendation to have a second RADIUS server (VM) that's on the other domain and just checks that domain, and the first server will proxy the request to it... simple enough...
>>
>> The issue is it doesn't work: the secondary RADIUS sends the Access-Accept, but for some reason the main server doesn't seem to handle the challenge/accept process correctly anymore and the sign-in process just hangs on the wireless...
>>
>> So now I'm 110% lost and don't know what else could be the issue...
>>
>> If you can take a look at this and help me out it would be greatly appreciated, as to where I’m going wrong.
>>
>> Good login with primary server doing NTLM: http://pastebin.com/Vimm88Ya
>> Login that’s hanging being processed from remote Radius: http://pastebin.com/Lj3MCset
>>
>> Config is http://pastebin.com/UCr2vMdk
>>
>> Thanks,
>> Chris
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>


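The routing logic in Hugh's configuration (only the converted inner MSCHAPv2 request is proxied, the domain prefix in User-Name selects the backend, ConvertedFromEAPMSCHAPV2 is stripped before forwarding, and the matching Handler adds the Tunnel-* VLAN attributes to the reply) is easy to get subtly wrong, for instance with a case-sensitive regex like /(MYSITE|mysite)(.*)$/ that misses "MySite\user". The following Python model is an added example, not Radiator code and not from the thread: it reproduces that dispatch so it can be checked offline. The backend hosts, the VLAN for OTHERSITE ("nn" in the thread) and the BACKENDS table are constructed assumptions; the attribute values come from RFC 2868 / RFC 3580.

```python
"""Model of the per-domain inner-request dispatch from the posted Radiator config.

Added example (not Radiator code, not from the thread). BACKENDS and the
TEST-NET hosts are constructed stand-ins for the elided Host/Secret values.
"""
import re
from typing import Optional, Tuple

# Tunnel attribute values (RFC 2868 / RFC 3580): Tunnel-Type 13 = VLAN,
# Tunnel-Medium-Type 6 = IEEE-802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# Constructed table standing in for the three <AuthBy RADIUS> clauses.
# Keys are the domain prefixes the Handlers match on; VLAN for OTHERSITE
# is assumed (it is "nn" in the thread).
BACKENDS = {
    "MYSITE": {"host": "192.0.2.10", "vlan": 52},
    "GUEST": {"host": "192.0.2.11", "vlan": 52},
    "OTHERSITE": {"host": "192.0.2.12", "vlan": 53},
}

# DOMAIN\user, DOMAIN/user or user@domain; a bare user name has no domain.
_IDENTITY_RE = re.compile(
    r"^(?:(?P<dom>[^\\/@]+)[\\/])?(?P<user>[^@\\/]+)(?:@(?P<realm>[^@]+))?$"
)


def split_identity(user_name: str) -> Tuple[Optional[str], str]:
    """Return (DOMAIN, user). DOMAIN is upper-cased so the lookup is
    case-insensitive, unlike a plain /(MYSITE|mysite)/ regex match."""
    m = _IDENTITY_RE.match(user_name)
    if not m:
        return None, user_name
    dom = m.group("dom") or m.group("realm")
    return (dom.upper() if dom else None), m.group("user")


def dispatch(request: dict) -> dict:
    """Mimic the Handler chain for one request.

    Only the request Radiator re-dispatches after EAP_PEAP_MSCHAP_Convert
    (ConvertedFromEAPMSCHAPV2=1) is proxied. The outer PEAP leg, which
    carries the anonymous identity, stays local with the server certificate.
    """
    if request.get("ConvertedFromEAPMSCHAPV2") != 1:
        return {"action": "local-eap", "reply": {}}

    domain, _user = split_identity(request["User-Name"])
    if domain not in BACKENDS:
        # No Handler matched: fail closed rather than falling through to
        # a default Handler that might authenticate against the wrong domain.
        return {"action": "reject", "reply": {"Reply-Message": "unknown domain"}}

    backend = BACKENDS[domain]
    # StripFromRequest ConvertedFromEAPMSCHAPV2: the pseudo-attribute is
    # Radiator-internal and must not go on the wire to NPS.
    proxied = {k: v for k, v in request.items() if k != "ConvertedFromEAPMSCHAPV2"}
    # AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<vlan>
    reply = {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(backend["vlan"]),
    }
    return {"action": "proxy", "host": backend["host"], "request": proxied, "reply": reply}


if __name__ == "__main__":
    for name in ("MYSITE\\alice", "othersite\\bob", "carol@guest", "anonymous"):
        print(name, "->", dispatch({"User-Name": name, "ConvertedFromEAPMSCHAPV2": 1})["action"])
```

When checking a real deployment against this model, the thing to confirm in the Trace 4 log is that the Access-Accept coming back from the remote server for the converted request carries MS-CHAP2-Success, since the supplicant verifies that authenticator response before it will finish the inner method; a bare Accept with only the VLAN attributes is not enough to complete the EAP conversation.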

