[RADIATOR] User Auth settings: Netgear AP + Radiator

Sami Keski-Kasari samikk at open.com.au
Mon Mar 9 08:04:03 CDT 2015


Hello Thomas,

Your configuration should be fine.
radpwtst does not support PEAP. You can use for example eapol_test that
is part of wpa_supplicant to test PEAP/EAP-TTLS authentication from
command line.

MSCHAPv2 requires that the user password is available in cleartext or
NT-hash format. So, for example, this entry in the users file should work:
mikem User-Password="fred"

Can you test with eapol_test or with a real device via the Netgear AP?

Best Regards,
 Sami

On 03/06/2015 07:46 PM, Thomas Kurian wrote:
> Dear Heikki,
> Thanks for your support and guidance.
> I have modified my radius.cfg as advised in your following email, but
> the Access-Request still results in No-Reply. Please note that I have used
> the same EAP certificates from the (goodies->certificates) folder.
> 
> I tried the following radpwtst :
> 
>  1. radpwtst -s 192.168.0.217 -secret xxxxx -trace 4 -auth_port 1812
>  2. radpwtst -s 192.168.0.217 -secret xxxxx -trace 4 -auth_port 1812
>     -user mikem -password fred
>  3. radpwtst -s 192.168.0.217 -secret xxxxx -trace 4 -auth_port 1812
>     -user User -password clientPass
> 
> Please advise the specific 'user and password' format to be defined in
> the users file to be tested for authentication using radpwtst with our
> radius.cfg. Please also advise the recommended radpwtst test to be performed,
> as the above mentioned still results in No-Reply to the Access-Request.
> 
> There is network connectivity between our radiator and Netgear AP
> (ping).  Kindly check my following configuration and advise on how to
> proceed.
> 
> #Foreground
> #LogStdout
> 
> AcctPort 1813
> AuthPort 1812
> 
> LogDir        /var/log/radius   
> DbDir        /etc/radiator
> DictionaryFile /etc/radiator/dictionary
> 
> Trace         4
> 
> <Client DEFAULT>
>     Secret    xxxxx
>     DupInterval 0
> </Client>
> 
> # Our Netgear AP for testing
> <Client 192.168.0.217>
>     Secret    xxxxx
>     DupInterval 0
> </Client>
> 
> <AuthLog FILE>
>     Identifier myauthlogger
>     Filename %L/authlog
>     LogSuccess 1
>     LogFailure 1
> </AuthLog>
> 
> <Handler Request-Type="Access-Request",TunnelledByPEAP=1>
>     Identifier EAP-MSCHAP-V2
>     <AuthBy FILE>
>         Filename /etc/radiator/users
> 
>         # This tells the PEAP client what types of inner EAP requests
>         # we will honour
>         EAPType MSCHAP-V2
>     </AuthBy>
> 
>     # Log authentication success and failure to a file
>     AuthLog myauthlogger
> 
> #    PostAuthHook
> file:"/root/Desktop/Radiator-Locked-4.14/goodies/eap_anon_hook.pl"
> </Handler>
> 
> <Handler Request-Type="Access-Request">
>     Identifier EAP-PEAP
>     <AuthBy FILE>
>         Filename %D/users
> 
>         EAPType PEAP
>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
> 
>         EAPTLS_PEAPVersion 0
> 
>     </AuthBy>
> 
>     AuthLog myauthlogger
> 
> #PreProcessingHook
> file:"/root/Desktop/Radiator-Locked-4.14/goodies/eap_anon_hook.pl"
>     AcctLogFileName /etc/radiator/detail
> </Handler>
> 
> Best Regards,
> 
> Thomas Kurian
> Information Security Engineer,Pre-Sales.
> Kuwaiti Canadian Consulting Group (www.kccg.com)
> T: +965 22435566
> F: +965 22415149
> E: thomas at kccg.com
> 
> Subject: 	radiator Digest, Vol 70, Issue 3
> Date: 	Mon, 02 Mar 2015 12:00:01 -0600
> From: 	radiator-request at open.com.au
> Reply-To: 	radiator at open.com.au
> To: 	radiator at open.com.au
> 
> Message: 2
> Date: Mon, 02 Mar 2015 17:23:00 +0200
> From: Heikki Vatiainen <hvn at open.com.au>
> Subject: Re: [RADIATOR] User Auth settings: Netgear AP + Radiator
> To: radiator at open.com.au
> Message-ID: <54F48054.6070602 at open.com.au>
> Content-Type: text/plain; charset=windows-1252
> 
> On 02/28/2015 12:11 PM, Thomas Kurian wrote:
> 
>> We want to make our wifi users connecting via Netgear wnr2000v3 wireless
>> router, to authenticate using radiator RADIUS server (172.16.0.205).
>> Please let me know what more need to be done further to our following
>> radius.cfg & default users file  in order to ensure our wifi users get
>> forced to authenticate with our radiator server.
> 
> Please see goodies/eap_peap.cfg for PEAP example. PEAP is one of the
> protocols WPA/WPA2 Enterprise uses.
> 
>> Also please advise if it is radiator's /var/log/radius/logfile the only
>> place to test & check if the authentication is happening, once the user
>> connects via the router using the credentials mentioned in radiator's
>> user file?
> 
> You can configure <AuthLog ...>, for example, AuthLog FILE to log
> authentication success and failure events. See goodies/authlog.cfg for
> an example.
> 
> The Radiator logfile is useful for debugging and monitoring for errors,
> but AuthLog logs just authentication events.
> 
> Thanks,
> Heikki
> 
> -- 
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> 
> 
> ------------------------------
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> 


-- 
Sami Keski-Kasari <samikk at open.com.au>


