[RADIATOR] PEAP and Kerberos?
Hirayama, Pat
phirayam at fredhutch.org
Sat Jun 17 22:05:20 UTC 2023
Greetings,
We had our FreeIPA configuration implode a while back, so the decision was made to switch our Linux servers to using realm and sssd for authentication. No real issues until they switched the server that Radiator was running on, which broke wireless authentication:
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: PEAP Authentication Failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'adoe2': The specified account does not exist.
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: 140.107.6.10: cf-wlc: Access-Request: a4-83-e7-58-60-75: a0-93-51-a9-fc-c0:Marconi
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: : cf-wlc: Access-Request: a4-83-e7-58-60-75:
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: PEAP Authentication Failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jdoe': The specified account does not exist.
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:16 2023: wifi: FAIL: jdoe: jdoe: 140.107.6.10: cf-wlc: Access-Request: 3c-22-fb-e2-d1-70: 68-3b-78-d6-5c-20:Marconi
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:16 2023: wifi: FAIL: jdoe: jdoe: : cf-wlc: Access-Request: 3c-22-fb-e2-d1-70:
Jun 17 14:01:17 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jsmith': The specified account does not exist.
So, I logged in to see what changes were made and concluded that, since our wifi was using PEAP and AuthBy NTLM, switching to realm / sssd meant that wouldn't work any longer. Anyway, I reverted to the previous configuration (snapshots are great). So, the immediate problem is solved.
The real question -- can I redo my PEAP configuration to work with Kerberos? Looking at the samples in goodies, I see krb5.conf, but it contains:
# Works with RADIUS-PAP, TTLS-PAP.
I see the heimdal config, but am not sure how that relates to Kerberos. Can I refashion that to work with my AD?
Handler section from my radiator config:
#####################################################################
# Handlers
#####################################################################
#
#### Wireless Clients using PEAP #####
# The most popular method, supported by default by Windows. Does not require a client-side cert and is thus considered less secure
# than EAP-TLS
<Handler TunnelledByPEAP=1>
    RejectHasReason
    AuthLog wifi-authlog
    <AuthBy NTLM>
        include /etc/radiator/eap.txt
        NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
        Domain XXXXX
        DefaultDomain XXXXX
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

#### Outer Handler #####
# When clients check the 'Validate Server Certificate' (or equivalent), then this stanza plays a key role
<Handler>
    AuthByPolicy ContinueUntilAccept
    AuthLog wifi-authlog
    RejectHasReason
    <AuthBy FILE>
        Filename %D/users.anonymous
        EAPType PEAP,TTLS
        EAPTLS_PEAPVersion 0
        include /etc/radiator/eap.txt
        EAPTLS_CertificateType PEM
        # EAPTLS_PrivateKeyPassword everwhat
        EAPTLS_MaxFragmentSize 1024
        EAPTLS_SecurityLevel 1
        EAPTLS_Ciphers DEFAULT@SECLEVEL=1
        EAPTLS_Protocols TLSv1, TLSv1.1, TLSv1.2
        EAPAnonymous %0
        AutoMPPEKeys
        SSLeayTrace 4
    </AuthBy>
</Handler>
Any help or hints would be greatly appreciated.
Thank you!
-p
Pat Hirayama
Pronouns: he/him/his
Systems Engineer
IT | Systems Engineering
Fred Hutchinson Cancer Center
O 206.667.4856
phirayam at fredhutch.org
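The log burst quoted in the post has a signature worth recognising in monitoring: the NTLM helper reports "The specified account does not exist" for every user within the same two seconds. A bad password is a per-user event; one identical reason for many distinct users at once is a property of the authentication backend (here, the host's domain membership that `ntlm_auth` depended on disappeared when it moved to sssd) and is a total wireless outage rather than a run of typos. The script below is an added example, not code from the post or from Radiator. It parses the three kinds of radiusd lines shown above ("Access rejected for ...", "NTLM Could not authenticate user ..." and the AuthLog "wifi: FAIL:" record), groups helper failures by reason, and flags any reason that hits at least `min_users` distinct users as backend-wide. The sample log is constructed from the quoted lines plus one invented `Logon failure` line for contrast; the AuthLog field order is assumed from the format visible in the post.

```python
"""Triage Radiator radiusd syslog lines for PEAP/NTLM failures.

Added example, not code from the original post or from Radiator.  It
separates a backend-wide failure (one reason reported for many distinct
users at once) from ordinary per-user credential failures.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the post.  The last
# line ('Logon failure' for user bob) is invented to show a per-user
# failure alongside the backend-wide one.
SAMPLE_LOG = """\
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: PEAP Authentication Failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'adoe2': The specified account does not exist.
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: 140.107.6.10: cf-wlc: Access-Request: a4-83-e7-58-60-75: a0-93-51-a9-fc-c0:Marconi
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: : cf-wlc: Access-Request: a4-83-e7-58-60-75:
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: PEAP Authentication Failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jdoe': The specified account does not exist.
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:16 2023: wifi: FAIL: jdoe: jdoe: 140.107.6.10: cf-wlc: Access-Request: 3c-22-fb-e2-d1-70: 68-3b-78-d6-5c-20:Marconi
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:16 2023: wifi: FAIL: jdoe: jdoe: : cf-wlc: Access-Request: 3c-22-fb-e2-d1-70:
Jun 17 14:01:17 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jsmith': The specified account does not exist.
Jun 17 14:05:02 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'bob': Logon failure
"""

# Helper verdict; the trailing period on the reason is dropped.
NTLM_RE = re.compile(r"NTLM Could not authenticate user '(?P<user>[^']+)': (?P<reason>.+?)\.?$")
REJECT_RE = re.compile(r"Access rejected for (?P<user>\S+): (?P<reason>.+)$")
# AuthLog record: "<logname>: FAIL: user: inner-user: NAS-IP: client: Access-Request: MAC..."
AUTHLOG_RE = re.compile(r": (?P<log>\w+): FAIL: (?P<fields>.+)$")


def parse_line(line):
    """Return a dict describing one failure event, or None for other lines."""
    m = NTLM_RE.search(line)
    if m:
        return {"kind": "ntlm", "user": m["user"], "reason": m["reason"]}
    m = REJECT_RE.search(line)
    if m:
        return {"kind": "reject", "user": m["user"], "reason": m["reason"]}
    m = AUTHLOG_RE.search(line)
    if m:
        fields = [f.rstrip(":") for f in m["fields"].split(": ")]
        # Field order assumed from the AuthLog layout shown in the post; the
        # inner (tunnelled) handler logs the same user with an empty NAS IP.
        nas = fields[2] if len(fields) > 2 else ""
        return {"kind": "authlog", "user": fields[0], "nas": nas,
                "reason": "inner" if nas == "" else "outer"}
    return None


def summarize(lines):
    """Group NTLM helper failures by reason -> set of distinct users; count the rest."""
    users_by_reason = defaultdict(set)
    rejects = 0
    authlog_fails = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "ntlm":
            users_by_reason[ev["reason"]].add(ev["user"])
        elif ev["kind"] == "reject":
            rejects += 1
        else:
            authlog_fails += 1
    return {"ntlm_users_by_reason": dict(users_by_reason),
            "rejects": rejects, "authlog_fails": authlog_fails}


def assess(summary, min_users=3):
    """Split helper failure reasons into backend-wide and per-user buckets.

    A bad password is a per-user event.  One reason reported for many
    distinct users in the same burst is a property of the backend, not of
    the users: in the post every account "does not exist" once the host
    stopped providing the domain membership ntlm_auth relied on.
    """
    backend_wide, per_user = {}, {}
    for reason, users in summary["ntlm_users_by_reason"].items():
        bucket = backend_wide if len(users) >= min_users else per_user
        bucket[reason] = sorted(users)
    return {"backend_wide": backend_wide, "per_user": per_user}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    verdict = assess(s)
    print(f"{s['rejects']} Access-Rejects, {s['authlog_fails']} AuthLog FAIL records")
    for reason, users in verdict["backend_wide"].items():
        print(f"BACKEND-WIDE: {reason!r} for {len(users)} users: {', '.join(users)}")
    for reason, users in verdict["per_user"].items():
        print(f"per-user:     {reason!r} for {', '.join(users)}")
```

Run against a live `journalctl -u radiusd` tail, the backend-wide bucket is the one to page on: it fires on the first few users rather than after the helpdesk queue fills, and the reason string tells you whether to look at the helper's domain membership (as here) or at the TLS/EAP layer, which logs different text.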