You were correct, I did not set up the client stanzas correctly. I got rid of all client stanzas but the DEFAULT and used the secret with the fortigate ....SUCCESS! Thank you!
Here is what I had:

<Client DEFAULT>
    Secret different_secret
    DupInterval 0
</Client>

<Client 192.168.20.99>
    Secret radius_secret
    DupInterval 0
</Client>

I commented out the second one. Why didn't the second stanza work?

Thanks!

Chad

On Wed, Feb 19, 2014 at 5:49 PM, Hugh Irvine <h...@open.com.au> wrote:
>
> Hi again -
>
> Further to this, I am guessing the shared secret between the Fortigate and
> the Radiator Client clause is incorrect.
>
> regards
>
> Hugh
>
>
> On 20 Feb 2014, at 12:42, Hugh Irvine <h...@open.com.au> wrote:
>
> >
> > Hi Chad -
> >
> > Can you please send me a copy of your configuration file together with a
> > trace 4 debug showing what is happening.
> >
> > Also please include your user definition.
> >
> > thanks and regards
> >
> > Hugh
> >
> >
> > On 20 Feb 2014, at 11:26, Chad Roseburg <croseb...@ncrl.org> wrote:
> >
> >> Thanks Hugh, but it is rejecting the password ...sample output:
> >>
> >> Wed Feb 19 14:18:04 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad passw
> >> Wed Feb 19 14:18:04 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad pa
> >>
> >> We're using SIP2 to authenticate clients. It does work with the
> >> radpwtst, but not fortigate.
> >>
> >> Suggestions?
> >>
> >> Chad
> >>
> >>
> >> On Wed, Feb 19, 2014 at 3:51 PM, Hugh Irvine <h...@open.com.au> wrote:
> >>
> >> Hello Chad -
> >>
> >> You don't need to do anything special - Radiator will process the
> >> password automatically.
> >>
> >> If you are using a flat file for your user records you should add an
> >> entry like this:
> >>
> >> # flat file user definitions
> >>
> >> 29030pretend User-Password = gulash
> >>
> >> hope that helps
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 20 Feb 2014, at 09:42, Chad Roseburg <croseb...@ncrl.org> wrote:
> >>
> >>> Thanks Heikki ~ there is an option to change the authentication
> >>> scheme. I changed it to PAP as you suggest.
> >>>
> >>> Now it appears as though the fortigate is sending the password
> >>> encrypted ...Ex:
> >>>
> >>> Test credentials:
> >>> user: 29030pretend
> >>> pass: gulash
> >>>
> >>> Server output excerpt:
> >>> DEBUG: SIP2 send '2300020140219 141804AO|AA29030pretend|ACterminal password|AD�$.%�6Է!H�'
> >>>
> >>> In looking at the docs, I see several encryption/decrypt options
> >>> ...what do I include in my config to allow Radiator to decrypt
> >>> this password?
> >>>
> >>> Thank you!
> >>>
> >>> Chad
> >>>
> >>>
> >>> On Sat, Feb 15, 2014 at 12:32 AM, Heikki Vatiainen <h...@open.com.au> wrote:
> >>> On 02/15/2014 02:42 AM, Chad Roseburg wrote:
> >>>> I have an evaluation version of Radiator 4.12.1. I need to set up a web
> >>>> captive portal on a Fortigate 60D that uses SIP2 authentication.
> >>>>
> >>>> The SIP2 part works ...tests successful:
> >>>
> >>> Hello Chad,
> >>>
> >>> radpwtst uses PAP with the options you have specified and sends
> >>> User-Password which can be then used with AuthBy SIP2.
> >>>
> >>> However, it looks like the Fortigate is trying to do MS-CHAP instead of
> >>> PAP. With MS-CHAP there is no password, only a challenge and response,
> >>> and for this reason it does not work.
> >>>
> >>> Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is
> >>> tried. There should be a MS-CHAP-Response too with the attributes, but
> >>> maybe you have left that out. These two attributes are used by MS-CHAP.
> >>>
> >>> See if there's 'Authentication Scheme', I think this is the option in
> >>> Fortigate, or something similar that has been set to MS-CHAP or defaults
> >>> to MS-CHAP. There should be an option to switch it to PAP.
> >>>
> >>> Please let us know if the above helps.
> >>>
> >>> Thanks,
> >>> Heikki
> >>>
> >>>
> >>>> Ex.
> >>>> perl radpwtst -noacct -user 29030pretend -password secrets
> >>>> sending Access-Request...
> >>>> OK
> >>>>
> >>>> On RADIUS server I see:
> >>>> -------------------------------------
> >>>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214
> >>>> 160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
> >>>> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24 00020140214
> >>>> 160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
> >>>> Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend
> >>>> [29030pretend]
> >>>> Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
> >>>>
> >>>> But the second part is that I need to connect the fortigate to the
> >>>> RADIUS server. I add the fortigate as a client in the config using IP
> >>>> and a 'Secret'
> >>>>
> >>>> Here's some edited output when I test from the fortigate using the same
> >>>> creds:
> >>>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214
> >>>> 162344AONCRL|AA29030pretend|ACterminal password|AD|'
> >>>> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24 00020140214
> >>>> 162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
> >>>> Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password:
> >>>> 29030002429839 [29030002429839]
> >>>> Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password
> >>>>
> >>>> It looks like it's not sending the password. Also, at the top of the
> >>>> transmission there's mention of a MS-CHAP-Challenge:
> >>>> Attributes:
> >>>> NAS-Identifier = "Fortinet_RTR"
> >>>> MS-CHAP-Challenge = b<137><238><146>4<165><145>.9<229><163>j<129>"<220>M
> >>>> Acct-Session-Id = "00000021"
> >>>> Connect-Info = "test"
> >>>> Fortinet-Vdom-Name = "root"
> >>>>
> >>>> This is the Client config:
> >>>> <Client 192.x.x.99>
> >>>> Secret secretspass
> >>>> DupInterval 0
> >>>> </Client>
> >>>>
> >>>> Thanks for any advice!
> >>>>
> >>>> --
> >>>> Chad
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> radiator mailing list
> >>>> radiator@open.com.au
> >>>> http://www.open.com.au/mailman/listinfo/radiator
> >>>>
> >>>
> >>>
> >>> --
> >>> Heikki Vatiainen <h...@open.com.au>
> >>>
> >>> Radiator: the most portable, flexible and configurable RADIUS server
> >>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> >>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> >>> NetWare etc.
> >>>
> >>>
> >>> --
> >>> Chad Roseburg
> >>> Automation Dept.
> >>> North Central Regional Library
> >>
> >>
> >> --
> >>
> >> Hugh Irvine
> >> h...@open.com.au
> >>
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> >> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >> DIAMETER etc.
> >> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
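Hugh's diagnosis (a wrong shared secret) and the garbage bytes Chad saw in the SIP2 AD field follow from how RADIUS PAP hides User-Password (RFC 2865 section 5.2): the NAS XORs the password with MD5(secret + Request Authenticator), and the server reverses it with whatever secret its Client clause holds. Nothing in that scheme detects a mismatch, so the server simply gets arbitrary bytes. The following is an added Python illustration, not Radiator's code; the secrets, authenticator and the `looks_like_secret_mismatch` heuristic are constructed for the example.

```python
import hashlib

BLOCK = 16  # User-Password is hidden in 16-byte blocks (RFC 2865 section 5.2)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad with NULs to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    nblocks = max(1, (len(password) + BLOCK - 1) // BLOCK)
    padded = password.ljust(nblocks * BLOCK, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        prev = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse of hide_password. There is no integrity check, so a
    wrong secret silently yields arbitrary bytes instead of an error."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def looks_like_secret_mismatch(decoded: bytes) -> bool:
    """Operator heuristic (constructed): a PAP password that decodes to
    non-printable bytes almost always means the Client secret does not match."""
    return any(b < 0x20 or b > 0x7E for b in decoded)


def demo():
    # Constructed values; a real NAS picks a fresh random Request Authenticator.
    authenticator = bytes(range(BLOCK))
    hidden = hide_password(b"gulash", b"radius_secret", authenticator)
    right = unhide_password(hidden, b"radius_secret", authenticator)   # b"gulash"
    wrong = unhide_password(hidden, b"different_secret", authenticator)  # garbage
    return right, wrong


if __name__ == "__main__":
    r, w = demo()
    print("correct secret ->", r)
    print("wrong secret   ->", w, "| mismatch suspected:", looks_like_secret_mismatch(w))
```

This is why the request with the DEFAULT clause's `different_secret` produced unreadable bytes rather than an explicit "bad secret" error: Radiator had no way to tell, and the same mechanism is why the matching Client clause (by source IP, then DEFAULT) and its Secret must be checked first when PAP logins fail.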