[RADIATOR] EAP-TTLS, MSCHAPV2 - Bad Password
bryce at truespeed.ca
Fri Oct 14 12:32:02 CDT 2016
Hello,
We are setting up a test wireless network so that our client radios will
authenticate against our Platypus database. The issue is that our client
radios are being rejected with a Bad Password message (we have checked, and
the passwords are correct). But if we set up RADIUS so that the client
radio authenticates against a flat file (WifiClients), it works. One thing
that I have noticed in our Failure log is that the bad password isn't shown.
I have pasted my config below and attached it along with part of our logfile
and Failurelog.
We are using Radiator version 4.16.
We are using Ubiquiti PowerBeams and NanoBeams in our test network.
LogDir /var/log/radius
DbDir /etc/radiator
AuthPort 1645,1812
AcctPort 1646,1813
Trace 4
#####################################################
## NAS Client IPs ##
#####################################################
##Test NAS for Wireless
<Client xxx.xx.x.xxx>
Secret xxxxx
Identifier AP
DupInterval 0
</Client>
#####################################################
## Authorization ##
#####################################################
#Authorization Using Flat File
<AuthBy FILE>
Identifier WifiClients
Filename /etc/radiator/WifiClients
</AuthBy>
#Authorization using Radius Application
<AuthBy FREERADIUSSQL>
Identifier CheckPLATYPUS
DBSource dbi:Sybase:Platypus
DBUsername xxxxxxx
DBAuth xxxxxxx
AuthCheck SELECT id,UserName,case Attribute when 'Cleartext-Password' then 'User-Password' else Attribute end,Value,op FROM freeradius_service_radcheck WHERE Username = ? ORDER BY id
AuthReply SELECT id,UserName,Attribute,Value,op FROM freeradius_service_radreply WHERE Username = ? ORDER BY id
AuthGroupCheck SELECT freeradius_service_radgroupcheck.id,freeradius_service_radgroupcheck.GroupName,freeradius_service_radgroupcheck.Attribute,freeradius_service_radgroupcheck.Value,freeradius_service_radgroupcheck.op FROM freeradius_service_radgroupcheck,freeradius_service_radusergroup WHERE freeradius_service_radusergroup.Username = ? AND freeradius_service_radusergroup.GroupName = freeradius_service_radgroupcheck.GroupName ORDER BY freeradius_service_radgroupcheck.id
AuthGroupReply SELECT freeradius_service_radgroupreply.id,freeradius_service_radgroupreply.GroupName,freeradius_service_radgroupreply.Attribute,freeradius_service_radgroupreply.Value,freeradius_service_radgroupreply.op FROM freeradius_service_radgroupreply,freeradius_service_radusergroup WHERE freeradius_service_radusergroup.Username = ? AND freeradius_service_radusergroup.GroupName = freeradius_service_radgroupreply.GroupName ORDER BY freeradius_service_radgroupreply.id
AcctStartQuery INSERT into freeradius_service_radacct (AcctSessionId, AcctUniqueId, UserName, GroupName, Realm, NASIPAddress, NASPort, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', %0, null, '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%J', '1900-01-01 00:00:00', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0', null)
AcctUpdateQuery UPDATE freeradius_service_radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = cast(((0%{Acct-Input-Gigawords} * 4294967296) + %{Acct-Input-Octets}) as numeric(18,0)), AcctOutputOctets = cast(((0%{Acct-Output-Gigawords} * 4294967296) + %{Acct-Output-Octets}) as numeric(18,0)) WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = %0 AND NASIPAddress = '%{NAS-IP-Address}'
AcctStopQuery UPDATE freeradius_service_radacct SET AcctStopTime = '%J', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = cast(((0%{Acct-Input-Gigawords} * 4294967296) + %{Acct-Input-Octets}) as numeric(18,0)), AcctOutputOctets = cast(((0%{Acct-Output-Gigawords} * 4294967296) + %{Acct-Output-Octets}) as numeric(18,0)), AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = %0 AND NASIPAddress = '%{NAS-IP-Address}'
</AuthBy>
#####################################################
## Access-Request - Handler Requests ##
#####################################################
#Authorize Clients by Billing System - Platypus - Wireless
<Handler Request-Type = Access-Request, Realm=myisp.ca, Client-Identifier=AP, TunnelledByTTLS=1>
RewriteUsername s/^(.*)\\(.*)/$2\@$1/
RewriteUsername s/^(.*)\/(.*)/$2\@$1/
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername s/(.*)/$1\@dsl.myisp.ca/
RewriteUsername tr/A-Z/a-z/
RewriteUsername s/\s+//g
PreProcessingHook sub { my $p = ${$_[0]};\
if ($p->code() eq 'Accounting-Request'){\
my $key = $p->get_attr('User-Name') . ',' \
. $p->get_attr('Acct-Session-Id') . ',' \
. $p->get_attr('NAS-IP-Address') . ',' \
. $p->get_attr('NAS-Port');\
my $hash = Digest::MD5::md5_hex($key);\
$p->add_attr('Acct-Unique-Session-Id', $hash);\
}}
AuthByPolicy ContinueUntilAccept
AuthBy CheckPLATYPUS
AuthLog Logger
AuthLog Syslog
AuthLog AuthSyslog
</Handler>
#Authorize Clients by Flat File - ClientFile
<Handler Request-Type = Access-Request, Realm=myisp.ca>
AuthByPolicy ContinueUntilAccept
AuthBy WifiClients
AuthLog Logger
AuthLog Syslog
AuthLog AuthSyslog
</Handler>
## Outer Handler ##
<Handler Request-Type = Access-Request, Realm=some.other.realm>
<AuthBy FILE>
Filename /etc/radius/anuser
EAPType TTLS, TLS, MSCHAP-V2, PEAP
EAPTLS_CAFile /usr/share/doc/packages/Radiator/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
EAPAnonymous anonymous@some.other.realm
</AuthBy>
</Handler>
Thanks,
Bryce.
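An added example (not part of Bryce's post, and not Radiator code) for tracing what the inner Handler above actually sends to the database. The six RewriteUsername lines are translated from Perl s/// and tr/// into Python's re module and applied in order, as Radiator applies them, and the resulting name is then used as the "Username = ?" bind value of the posted AuthCheck query, run here against an in-memory SQLite copy of a radcheck table. The table rows and the constructed status strings are assumptions for the demonstration; the point is to see which lookup key the query receives and whether the row it returns carries a password MS-CHAPv2 can be verified against, since MS-CHAPv2 needs the cleartext password (or its NT hash) on the server side and the client never sends the password itself, which is also why a failure log cannot show a "bad password" value.

```python
import re
import sqlite3

UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
LOWER = 'abcdefghijklmnopqrstuvwxyz'

# The RewriteUsername chain of the TunnelledByTTLS=1 Handler, translated from
# the posted Perl expressions (constructed translation, not Radiator code).
# Radiator applies RewriteUsername lines in order; the result is the User-Name
# handed to the AuthBy, i.e. the value bound to "Username = ?" below.
def rewrite_username(name: str) -> str:
    name = re.sub(r'^(.*)\\(.*)', r'\2@\1', name, count=1)     # s/^(.*)\\(.*)/$2\@$1/   DOMAIN\user -> user@DOMAIN
    name = re.sub(r'^(.*)/(.*)', r'\2@\1', name, count=1)      # s/^(.*)\/(.*)/$2\@$1/   DOMAIN/user -> user@DOMAIN
    name = re.sub(r'^([^@]+).*', r'\1', name, count=1)         # s/^([^@]+).*/$1/       drop any realm
    name = re.sub(r'(.*)', r'\1@dsl.myisp.ca', name, count=1)  # s/(.*)/$1\@dsl.myisp.ca/ append fixed realm
    name = name.translate(str.maketrans(UPPER, LOWER))         # tr/A-Z/a-z/
    name = re.sub(r'\s+', '', name)                            # s/\s+//g
    return name

# AuthCheck query exactly as posted (CASE/WHEN is ANSI SQL, so SQLite runs it).
AUTH_CHECK = (
    "SELECT id,UserName,case Attribute when 'Cleartext-Password' then 'User-Password' "
    "else Attribute end,Value,op FROM freeradius_service_radcheck "
    "WHERE Username = ? ORDER BY id"
)

def build_radcheck() -> sqlite3.Connection:
    """Constructed sample radcheck table; rows are made up for this example."""
    db = sqlite3.connect(':memory:')
    db.execute(
        "CREATE TABLE freeradius_service_radcheck "
        "(id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT)"
    )
    rows = [
        ('bryce@dsl.myisp.ca', 'Cleartext-Password', ':=', 'constructed-secret-1'),
        ('alice',              'Cleartext-Password', ':=', 'constructed-secret-2'),  # stored without the realm
        ('carol@dsl.myisp.ca', 'Crypt-Password',     ':=', 'constructed-crypt-hash'),  # hashed, not cleartext
    ]
    db.executemany(
        "INSERT INTO freeradius_service_radcheck (UserName, Attribute, op, Value) VALUES (?,?,?,?)",
        rows,
    )
    return db

def check_inner_auth(db: sqlite3.Connection, inner_identity: str):
    """Return (lookup_key, status) for the inner identity the client sends inside TTLS.

    MS-CHAPv2 can only be verified against a cleartext password or an NT hash,
    so a row whose attribute is still e.g. Crypt-Password after the CASE mapping
    gives the server nothing it can compare the client's challenge response with.
    """
    key = rewrite_username(inner_identity)
    rows = db.execute(AUTH_CHECK, (key,)).fetchall()   # (id, UserName, Attribute, Value, op)
    if not rows:
        return key, 'no such user'
    if any(attr == 'User-Password' for _, _, attr, _, _ in rows):
        return key, 'verifiable'
    return key, 'hashed password; MS-CHAPv2 cannot verify it'

if __name__ == '__main__':
    db = build_radcheck()
    for identity in ('MYISP\\Bryce', 'myisp.ca/Bryce', ' bryce@myisp.ca ', 'alice', 'carol'):
        key, status = check_inner_auth(db, identity)
        print(f'{identity!r:22} -> lookup {key!r:24} {status}')
```

Comparing the printed lookup key against the UserName values actually stored in the radcheck table is the quickest way to tell a rewrite mismatch ("no such user") from a stored password the inner method cannot use.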