[RADIATOR] EAP-TTLS, MSCHAPV2 - Bad Password

Sami Keski-Kasari samikk at open.com.au
Mon Oct 17 05:12:01 CDT 2016


Hello Bryce,

If you are using MSCHAPv2 inside EAP-TTLS, you are not allowed to 
rewrite the username, since the username field is part of the password 
calculation.

Also, if you are using MSCHAPv2, the NAS does not send a clear-text 
password, so Radiator is not able to log it.

Best Regards,

Sami


On 14/10/16 20:32, bryce at truespeed.ca wrote:
>
> Hello,
>
> We are setting up a test wireless network so that our client radios will 
> authenticate against our Platypus database.  The issue is that our 
> client radios are being rejected with a Bad Password message (we have 
> checked and the passwords are correct).  But if we set up RADIUS so 
> that the client radios authenticate against a flat file (WifiClients), 
> it works.  One thing that I have noticed in our Failure log is that 
> the bad password isn't shown.  I have pasted my config below and 
> attached it along with part of our logfile and Failurelog.
>
> We are using Radiator version 4.16
>
> We are using Ubiquiti PowerBeams and NanoBeams in our test network.
>
> LogDir    /var/log/radius
> DbDir     /etc/radiator
> AuthPort  1645,1812
> AcctPort  1646,1813
> Trace     4
>
> #####################################################
> ##                NAS Client IPs                   ##
> #####################################################
>
> ##Test NAS for Wireless
> <Client xxx.xx.x.xxx>
>         Secret xxxxx
>         Identifier AP
>         DupInterval 0
> </Client>
>
> #####################################################
> ##                Authorization                    ##
> #####################################################
>
> #Authorization Using Flat File
> <AuthBy FILE>
>         Identifier      WifiClients
>         Filename        /etc/radiator/WifiClients
> </AuthBy>
>
> #Authorization using Radius Application
> <AuthBy FREERADIUSSQL>
>         Identifier      CheckPLATYPUS
>         DBSource        dbi:Sybase:Platypus
>         DBUsername      xxxxxxx
>         DBAuth          xxxxxxx
>
>         AuthCheck       SELECT id,UserName,case Attribute when 'Cleartext-Password' then 'User-Password' else Attribute end,Value,op FROM freeradius_service_radcheck WHERE Username = ? ORDER BY id
>
>         AuthReply       SELECT id,UserName,Attribute,Value,op FROM freeradius_service_radreply WHERE Username = ? ORDER BY id
>
>         AuthGroupCheck  SELECT freeradius_service_radgroupcheck.id,freeradius_service_radgroupcheck.GroupName,freeradius_service_radgroupcheck.Attribute,freeradius_service_radgroupcheck.Value,freeradius_service_radgroupcheck.op FROM freeradius_service_radgroupcheck,freeradius_service_radusergroup WHERE freeradius_service_radusergroup.Username = ? AND freeradius_service_radusergroup.GroupName = freeradius_service_radgroupcheck.GroupName ORDER BY freeradius_service_radgroupcheck.id
>
>         AuthGroupReply  SELECT freeradius_service_radgroupreply.id,freeradius_service_radgroupreply.GroupName,freeradius_service_radgroupreply.Attribute,freeradius_service_radgroupreply.Value,freeradius_service_radgroupreply.op FROM freeradius_service_radgroupreply,freeradius_service_radusergroup WHERE freeradius_service_radusergroup.Username = ? AND freeradius_service_radusergroup.GroupName = freeradius_service_radgroupreply.GroupName ORDER BY freeradius_service_radgroupreply.id
>
>         AcctStartQuery  INSERT into freeradius_service_radacct (AcctSessionId, AcctUniqueId, UserName, GroupName, Realm, NASIPAddress, NASPort, NASPortType, AcctStartTime, AcctStopTime,AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', %0, null, '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%J', '1900-01-01 00:00:00', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0', null)
>
>         AcctUpdateQuery UPDATE freeradius_service_radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = cast(((0%{Acct-Input-Gigawords} * 4294967296) + %{Acct-Input-Octets}) as numeric(18,0)), AcctOutputOctets = cast(((0%{Acct-Output-Gigawords} * 4294967296) + %{Acct-Output-Octets}) as numeric(18,0)) WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = %0 AND NASIPAddress= '%{NAS-IP-Address}'
>
>         AcctStopQuery   UPDATE freeradius_service_radacct SET AcctStopTime = '%J', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = cast(((0%{Acct-Input-Gigawords} * 4294967296) + %{Acct-Input-Octets}) as numeric(18,0)), AcctOutputOctets = cast(((0%{Acct-Output-Gigawords} * 4294967296) + %{Acct-Output-Octets}) as numeric(18,0)), AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = %0 AND NASIPAddress = '%{NAS-IP-Address}'
> </AuthBy>
>
> #####################################################
> ##         Access-Request - Handler Requests       ##
> #####################################################
>
> #Authorize Clients by Billing System - Platypus - Wireless
> <Handler Request-Type = Access-Request, Realm=myisp.ca, Client-Identifier=AP, TunnelledByTTLS=1>
>         RewriteUsername s/^(.*)\\(.*)/$2\@$1/
>         RewriteUsername s/^(.*)\/(.*)/$2\@$1/
>         RewriteUsername s/^([^@]+).*/$1/
>         RewriteUsername s/(.*)/$1\@dsl.myisp.ca/
>         RewriteUsername tr/A-Z/a-z/
>         RewriteUsername s/\s+//g
>
>         PreProcessingHook sub { my $p = ${$_[0]};\
>             if ($p->code() eq 'Accounting-Request'){\
>                 my $key = $p->get_attr('User-Name') . ',' \
>                     . $p->get_attr('Acct-Session-Id') . ',' \
>                     . $p->get_attr('NAS-IP-Address') . ',' \
>                     . $p->get_attr('NAS-Port');\
>                 my $hash = Digest::MD5::md5_hex($key);\
>                 $p->add_attr('Acct-Unique-Session-Id', $hash);\
>             }}
>
>         AuthByPolicy ContinueUntilAccept
>         AuthBy CheckPLATYPUS
>         AuthLog Logger
>         AuthLog Syslog
>         AuthLog AuthSyslog
> </Handler>
>
> #Authorize Clients by Flat File - ClientFile
> <Handler Request-Type = Access-Request, Realm=myisp.ca>
>         AuthByPolicy ContinueUntilAccept
>         AuthBy WifiClients
>         AuthLog Logger
>         AuthLog Syslog
>         AuthLog AuthSyslog
> </Handler>
>
> ##  Outer Handler  ##
> <Handler Request-Type = Access-Request, Realm=some.other.realm>
>         <AuthBy FILE>
>                 Filename /etc/radius/anuser
>                 EAPType TTLS, TLS, MSCHAP-V2, PEAP
>                 EAPTLS_CAFile /usr/share/doc/packages/Radiator/certificates/demoCA/cacert.pem
>                 EAPTLS_CertificateFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 EAPAnonymous anonymous@some.other.realm
>         </AuthBy>
> </Handler>
>
> Thanks,
>
> Bryce.
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
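Added example, not Radiator code and not part of the thread above: the part of the MS-CHAPv2 computation Sami refers to, written in Python from RFC 2759 (MS-CHAPv2) and RFC 2548 (Microsoft RADIUS attributes). ChallengeHash (RFC 2759, section 8.2) feeds the User-Name the peer presented into SHA-1, and the 8-byte result is the block the peer DES-encrypts under keys derived from its NT password hash to produce the 24-byte NT-Response, so the name is bound into the response before Radiator ever sees it. Only the name-dependent challenge step and the attribute layout are computed here; the DES step is not implemented. The inner request of an EAP-TTLS/MS-CHAPv2 exchange carries MS-CHAP-Challenge and MS-CHAP2-Response and no User-Password, which is why nothing can be logged. The RewriteUsername chain from Bryce's Handler is reproduced in Python to show that a name such as bryce@myisp.ca becomes bryce@dsl.myisp.ca before the check, so the server computes a different challenge from the one the peer used. The two challenges and the expected 8-byte hash come from the worked example in section 9 of RFC 2759; the user names and the 24-byte NT-Response bytes are constructed placeholders. RFC 2759 also notes that a peer hashes the name as it presented it, minus any prepended DOMAIN\ part; the function below hashes whatever it is given, so the caller passes the name the peer actually used.

```python
# Added example (not Radiator/open.com.au code). Shows why the User-Name cannot
# be rewritten before an MS-CHAPv2 check inside EAP-TTLS, and what the inner
# RADIUS request carries. Based on RFC 2759 and RFC 2548; DES step omitted.
import hashlib
import re
import struct


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 8.2: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
    The peer DES-encrypts this block under keys from its NT hash to make the
    NT-Response, so a different user name gives a different expected response."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("utf-8")).digest()
    return digest[:8]


def build_mschap2_response(ident: int, peer_challenge: bytes, nt_response: bytes) -> bytes:
    """RFC 2548 2.3.2 MS-CHAP2-Response value:
    Ident(1) Flags(1, zero) Peer-Challenge(16) Reserved(8, zero) Response(24)."""
    if len(peer_challenge) != 16 or len(nt_response) != 24:
        raise ValueError("bad field length")
    return struct.pack("!BB16s8s24s", ident, 0, peer_challenge, b"\x00" * 8, nt_response)


def parse_mschap2_response(value: bytes) -> dict:
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response value must be 50 octets, got %d" % len(value))
    ident, flags, peer, _reserved, resp = struct.unpack("!BB16s8s24s", value)
    if flags != 0:
        raise ValueError("Flags must be zero")
    return {"ident": ident, "peer_challenge": peer, "nt_response": resp}


def build_inner_request(user_name: str, auth_challenge: bytes, peer_challenge: bytes, nt_response: bytes) -> dict:
    """Attributes the TTLS inner request carries for MS-CHAPv2 (constructed).
    There is no User-Password: the password never leaves the peer."""
    return {
        "User-Name": user_name.encode("utf-8"),
        "MS-CHAP-Challenge": auth_challenge,  # RFC 2548 2.1.4, the authenticator challenge
        "MS-CHAP2-Response": build_mschap2_response(1, peer_challenge, nt_response),
    }


def has_cleartext_password(request: dict) -> bool:
    return "User-Password" in request


def server_side_challenge(request: dict, name_used_for_check: str) -> bytes:
    """The 8-byte block the server would feed into its own NT-Response computation
    if it verifies the response under name_used_for_check (e.g. a rewritten name)."""
    fields = parse_mschap2_response(request["MS-CHAP2-Response"])
    return challenge_hash(fields["peer_challenge"], request["MS-CHAP-Challenge"], name_used_for_check)


# The RewriteUsername chain from the Handler in the post, as Python regexes.
# count=1 mirrors Perl s/// without the /g modifier.
REWRITE_RULES = [
    (r"^(.*)\\(.*)", r"\2@\1"),       # DOMAIN\user  -> user@DOMAIN
    (r"^(.*)/(.*)", r"\2@\1"),        # DOMAIN/user  -> user@DOMAIN
    (r"^([^@]+).*", r"\1"),           # drop everything from the first '@'
    (r"(.*)", r"\1@dsl.myisp.ca"),    # append the fixed realm
]


def rewrite_username(name: str) -> str:
    for pattern, repl in REWRITE_RULES:
        name = re.sub(pattern, repl, name, count=1)
    name = name.lower()               # tr/A-Z/a-z/
    return re.sub(r"\s+", "", name)   # s/\s+//g


def rewrite_breaks_mschapv2(peer_name: str, auth_challenge: bytes, peer_challenge: bytes, nt_response: bytes) -> bool:
    """True when the challenge the server would check against differs from the
    one the peer hashed, i.e. whenever the rewrite changes the name at all."""
    request = build_inner_request(peer_name, auth_challenge, peer_challenge, nt_response)
    original = server_side_challenge(request, peer_name)
    rewritten = server_side_challenge(request, rewrite_username(peer_name))
    return original != rewritten


# Worked example from RFC 2759 section 9: UserName "User".
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def rfc2759_vector_ok() -> bool:
    return challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, "User") == RFC_CHALLENGE


if __name__ == "__main__":
    # Placeholder NT-Response (constructed); a real one is the DES output.
    fake_nt_response = bytes(range(24))
    print("RFC 2759 vector matches:", rfc2759_vector_ok())
    req = build_inner_request("bryce@myisp.ca", RFC_AUTH_CHALLENGE, RFC_PEER_CHALLENGE, fake_nt_response)
    print("User-Password in inner request:", has_cleartext_password(req))
    print("bryce@myisp.ca rewritten to:", rewrite_username("bryce@myisp.ca"))
    print("rewrite breaks the check:",
          rewrite_breaks_mschapv2("bryce@myisp.ca", RFC_AUTH_CHALLENGE, RFC_PEER_CHALLENGE, fake_nt_response))
```

Running the block directly prints the three results: the RFC vector matches, the inner request has no User-Password, and rewriting the name changes the 8-byte challenge. The only name the chain leaves alone is one already in the form user@dsl.myisp.ca, and for that name rewrite_breaks_mschapv2 returns False, which is the one case where the rewrite does no harm.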
