Thanks Heikki ~ there is an option to change the authentication scheme. I changed it to PAP as you suggest.
Now it appears as though the fortigate is sending the password encrypted ...

Ex:
Test credentials:
user: 29030pretend
pass: gulash

Server output excerpt:
DEBUG: SIP2 send '2300020140219 141804AO|AA29030pretend|ACterminal password|AD�$.%�6Է!H�'

In looking at the docs, I see several encryption/decrypt options ...what do I include in my config to allow Radiator to decrypt this password?

Thank you!
Chad

On Sat, Feb 15, 2014 at 12:32 AM, Heikki Vatiainen <h...@open.com.au> wrote:

> On 02/15/2014 02:42 AM, Chad Roseburg wrote:
> > I have an evaluation version of Radiator 4.12.1. I need to set up a web
> > captive portal on a Fortigate 60D that uses SIP2 authentication.
> >
> > The SIP2 part works ...tests successful:
>
> Hello Chad,
>
> radpwtst uses PAP with the options you have specified and sends
> User-Password which can be then used with AuthBy SIP2.
>
> However, it looks like the Fortigate is trying to do MS-CHAP instead of
> PAP. With MS-CHAP there is no password, only a challenge and response,
> and for this reason it does not work.
>
> Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is
> tried. There should be a MS-CHAP-Response too with the attributes, but
> maybe you have left that out. These two attributes are used by MS-CHAP.
>
> See if there's 'Authentication Scheme', I think this is the option in
> Fortigate, or something similar that has been set to MS-CHAP or defaults
> to MS-CHAP. There should be an option to switch it to PAP.
>
> Please let us know if the above helps.
>
> Thanks,
> Heikki
>
>
> > Ex.
> > perl radpwtst -noacct -user 29030pretend -password secrets
> > sending Access-Request...
> > OK
> >
> > On RADIUS server I see:
> > -------------------------------------
> > Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214
> > 160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
> > Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24 00020140214
> > 160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
> > Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend
> > [29030pretend]
> > Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
> >
> > But the second part is that I need to connect the fortigate to the
> > RADIUS server. I add the fortigate as a client in the config using IP
> > and a 'Secret'
> >
> > Here's some edited output when I test from the fortigate using the same
> > creds:
> > Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214
> > 162344AONCRL|AA29030pretend|ACterminal password|AD|'
> > Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24 00020140214
> > 162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
> > Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password:
> > 29030002429839 [29030002429839]
> > Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password
> >
> > It looks like it's not sending the password. Also, at the top of the
> > transmission there's mention of a MS-CHAP-Challenge:
> > Attributes:
> > NAS-Identifier = "Fortinet_RTR"
> > MS-CHAP-Challenge =
> > b<137><238><146>4<165><145>.9<229><163>j<129>"<220>M
> > Acct-Session-Id = "00000021"
> > Connect-Info = "test"
> > Fortinet-Vdom-Name = "root"
> >
> > This is the Client config:
> > <Client 192.x.x.99>
> > Secret secretspass
> > DupInterval 0
> > </Client>
> >
> > Thanks for any advice!
> >
> > --
> > Chad
> >
> >
> > _______________________________________________
> > radiator mailing list
> > radiator@open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
> >
>
>
> --
> Heikki Vatiainen <h...@open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>

--
Chad Roseburg
Automation Dept.
North Central Regional Library