[RADIATOR] EAP-TTLS, MSCHAPV2 - Bad Password

bryce at truespeed.ca bryce at truespeed.ca
Fri Oct 14 12:32:02 CDT 2016


Hello,

We are setting up a test wireless network so that our client radio will
authenticate against our Platypus database. The issue is that our client
radios are being rejected with a Bad Password message (we have checked, and
the passwords are correct). But if we set up Radius so that the client
radio authenticates against a flat file (WifiClients), it works. One thing
that I have noticed in our failure log is that the bad password isn't shown.
I have pasted my config below and attached it along with part of our logfile
and Failurelog.

We are using Radiator version 4.16.

We are using Ubiquiti PowerBeams and NanoBeams in our test network.


LogDir          /var/log/radius
DbDir           /etc/radiator
AuthPort        1645,1812
AcctPort        1646,1813

Trace           4

#####################################################
##                NAS Client IPs                   ##
#####################################################

## Test NAS for Wireless
<Client xxx.xx.x.xxx>
        Secret xxxxx
        Identifier AP
        DupInterval 0
</Client>

#####################################################
##                Authorization                    ##
#####################################################

# Authorization using flat file
<AuthBy FILE>
        Identifier      WifiClients
        Filename        /etc/radiator/WifiClients
</AuthBy>

# Authorization using Radius application (Platypus)
<AuthBy FREERADIUSSQL>
        Identifier      CheckPLATYPUS
        DBSource        dbi:Sybase:Platypus
        DBUsername      xxxxxxx
        DBAuth          xxxxxxx

        AuthCheck       SELECT id,UserName,case Attribute when 'Cleartext-Password' then 'User-Password' else Attribute end,Value,op FROM freeradius_service_radcheck WHERE Username = ? ORDER BY id

        AuthReply       SELECT id,UserName,Attribute,Value,op FROM freeradius_service_radreply WHERE Username = ? ORDER BY id

        AuthGroupCheck  SELECT freeradius_service_radgroupcheck.id,freeradius_service_radgroupcheck.GroupName,freeradius_service_radgroupcheck.Attribute,freeradius_service_radgroupcheck.Value,freeradius_service_radgroupcheck.op FROM freeradius_service_radgroupcheck,freeradius_service_radusergroup WHERE freeradius_service_radusergroup.Username = ? AND freeradius_service_radusergroup.GroupName = freeradius_service_radgroupcheck.GroupName ORDER BY freeradius_service_radgroupcheck.id

        AuthGroupReply  SELECT freeradius_service_radgroupreply.id,freeradius_service_radgroupreply.GroupName,freeradius_service_radgroupreply.Attribute,freeradius_service_radgroupreply.Value,freeradius_service_radgroupreply.op FROM freeradius_service_radgroupreply,freeradius_service_radusergroup WHERE freeradius_service_radusergroup.Username = ? AND freeradius_service_radusergroup.GroupName = freeradius_service_radgroupreply.GroupName ORDER BY freeradius_service_radgroupreply.id

        AcctStartQuery  INSERT into freeradius_service_radacct (AcctSessionId, AcctUniqueId, UserName, GroupName, Realm, NASIPAddress, NASPort, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', %0, null, '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%J', '1900-01-01 00:00:00', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0', null)

        AcctUpdateQuery UPDATE freeradius_service_radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = cast(((0%{Acct-Input-Gigawords} * 4294967296) + %{Acct-Input-Octets}) as numeric(18,0)), AcctOutputOctets = cast(((0%{Acct-Output-Gigawords} * 4294967296) + %{Acct-Output-Octets}) as numeric(18,0)) WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = %0 AND NASIPAddress = '%{NAS-IP-Address}'

        AcctStopQuery   UPDATE freeradius_service_radacct SET AcctStopTime = '%J', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = cast(((0%{Acct-Input-Gigawords} * 4294967296) + %{Acct-Input-Octets}) as numeric(18,0)), AcctOutputOctets = cast(((0%{Acct-Output-Gigawords} * 4294967296) + %{Acct-Output-Octets}) as numeric(18,0)), AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = %0 AND NASIPAddress = '%{NAS-IP-Address}'
</AuthBy>

#####################################################
##         Access-Request - Handler Requests       ##
#####################################################

# Authorize clients by billing system - Platypus - Wireless
<Handler Request-Type = Access-Request, Realm=myisp.ca, Client-Identifier=AP, TunnelledByTTLS=1>
        RewriteUsername s/^(.*)\\(.*)/$2\@$1/
        RewriteUsername s/^(.*)\/(.*)/$2\@$1/
        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername s/(.*)/$1\@dsl.myisp.ca/
        RewriteUsername tr/A-Z/a-z/
        RewriteUsername s/\s+//g

        PreProcessingHook sub { my $p = ${$_[0]};\
                if ($p->code() eq 'Accounting-Request'){\
                        my $key = $p->get_attr('User-Name') . ',' \
                                . $p->get_attr('Acct-Session-Id') . ',' \
                                . $p->get_attr('NAS-IP-Address') . ',' \
                                . $p->get_attr('NAS-Port');\
                        my $hash = Digest::MD5::md5_hex($key);\
                        $p->add_attr('Acct-Unique-Session-Id', $hash);\
                }}

        AuthByPolicy ContinueUntilAccept
        AuthBy CheckPLATYPUS

        AuthLog Logger
        AuthLog Syslog
        AuthLog AuthSyslog
</Handler>

# Authorize clients by flat file - ClientFile
<Handler Request-Type = Access-Request, Realm=myisp.ca>
        AuthByPolicy ContinueUntilAccept
        AuthBy WifiClients

        AuthLog Logger
        AuthLog Syslog
        AuthLog AuthSyslog
</Handler>

##  Outer Handler  ##
<Handler Request-Type = Access-Request, Realm=some.other.realm>
        <AuthBy FILE>
                Filename /etc/radius/anuser
                EAPType TTLS, TLS, MSCHAP-V2, PEAP
                EAPTLS_CAFile /usr/share/doc/packages/Radiator/certificates/demoCA/cacert.pem
                EAPTLS_CertificateFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
                EAPAnonymous anonymous@some.other.realm
        </AuthBy>
</Handler>


Thanks,

Bryce.
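The inner identity that the CheckPLATYPUS AuthCheck query finally looks up is whatever the six RewriteUsername rules of the TunnelledByTTLS=1 Handler turn it into. The Python below is an added example, not part of Bryce's message and not Radiator code; it re-implements those six rules with the re module (assuming Radiator applies them top to bottom, each as a single non-global Perl substitution except the final s/\s+//g) so the value that reaches `WHERE Username = ?` can be checked against the rows in the Platypus table for several constructed inner-identity forms.

```python
import re

# tr/A-Z/a-z/ lowercases ASCII letters only, unlike str.lower().
_ASCII_LOWER = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                             "abcdefghijklmnopqrstuvwxyz")

# The six RewriteUsername rules, in the order the Handler lists them.
# Perl s/// without /g replaces only the first match, hence count=1.
RULES = (
    lambda s: re.sub(r"^(.*)\\(.*)", r"\2@\1", s, count=1),     # s/^(.*)\\(.*)/$2\@$1/
    lambda s: re.sub(r"^(.*)/(.*)", r"\2@\1", s, count=1),      # s/^(.*)\/(.*)/$2\@$1/
    lambda s: re.sub(r"^([^@]+).*", r"\1", s, count=1),         # s/^([^@]+).*/$1/
    lambda s: re.sub(r"(.*)", r"\1@dsl.myisp.ca", s, count=1),  # s/(.*)/$1\@dsl.myisp.ca/
    lambda s: s.translate(_ASCII_LOWER),                        # tr/A-Z/a-z/
    lambda s: re.sub(r"\s+", "", s),                            # s/\s+//g
)


def trace_rewrites(inner_identity):
    """Return the identity after each rule, for comparison with the
    rewrite messages a Trace 4 log shows for the tunnelled request."""
    steps = []
    name = inner_identity
    for rule in RULES:
        name = rule(name)
        steps.append(name)
    return steps


def rewrite_username(inner_identity):
    """Return the User-Name the CheckPLATYPUS AuthCheck query is given."""
    return trace_rewrites(inner_identity)[-1]


if __name__ == "__main__":
    # Constructed inner identities a TTLS supplicant might send (not real users).
    for ident in ("MYISP\\Bryce.Test", "user@myisp.ca",
                  "myisp.ca/John Doe", "anonymous"):
        print(f"{ident!r:22} -> {rewrite_username(ident)!r}")
```

Whatever form the supplicant sends, the lookup key always carries the @dsl.myisp.ca suffix, so the Username column of freeradius_service_radcheck has to match that exact string.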
