Hello Chris -

Thanks for letting us know.

regards

Hugh


On 26 Jul 2014, at 03:50, Christopher Chance <ccha...@newtechgrp.com> wrote:

> Removing the synchronous did in fact fix the problem for some reason! Thanks!
> 
> Best regards,
>  
> Chris Chance
> Network Engineer - CaribServe
> 
> Phone: +1 721 542-4233
> Email:   ccha...@newtechgrp.com
> 
> 
> -----Original Message-----
> From: Hugh Irvine [mailto:h...@open.com.au] 
> Sent: Thursday, July 24, 2014 6:49 PM
> To: Christopher Chance
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
> 
> 
> Hello Chris -
> 
> The other difference between what I sent and what you are doing is your use 
> of Synchronous in the AuthBy RADIUS clause.
> 
> In my suggestion I have removed it, and we think it is this that is causing 
> the problem for some reason.
> 
>> 
>> # this proxies to the machine that can then proxy to OTHERSITE NPS
>> # strongly suggest you don't use Synchronous
>> 
>> <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
>>       <AuthBy RADIUS>
>>               StripFromRequest ConvertedFromEAPMSCHAPV2
>>               Host 192.168.125.236
>>               Secret xxxxxxxxx
>>               AuthPort 1812
>>               AcctPort 1813
>>               Retries 2
>>               AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
>>       </AuthBy>
>> </Handler>
> 
> 
> 
> You might also want to upgrade to the latest Radiator 4.13.
> 
> FYI - we had another site that was having problems with NTLM and it was 
> resolved by my suggestion to have Radiator proxy to NPS.
> 
> hope that helps
> 
> regards
> 
> Hugh
> 
> 
> 
> On 25 Jul 2014, at 04:23, Christopher Chance <ccha...@newtechgrp.com> wrote:
> 
>> Got to work and was looking at it, and basically you're doing the same thing 
>> I am, though the MYSITE radius isn't needed, as there's nothing wrong with 
>> the MYSITE NTLM; it works fine.
>> 
>> As for the OTHERSITE ... that's exactly how it is now, except instead of 
>> Microsoft NPS the other side is a radiator that authenticates via NTLM on 
>> the secondary domain...
>> 
>> The problem is when that second radiator responds to this radiator with the 
>> Access-Accept, this radiator, as you can see in the logs, does a bunch of EAP 
>> challenges but never builds the final Access-Accept, from what I can see, for 
>> the client wifi device... and the client device hangs.
>> 
>> Of the logs I included, the good one was local NTLM auth that 
>> authenticates and sends the client an Access-Accept.
>> 
>> The bad one that hangs was Radiator sending the RADIUS MSCHAPv2 inner 
>> request to the second radiator, getting the Access-Accept from that 
>> radiator, and then doing some EAP challenges and just hanging.
>> 
>> Don't really want to switch from linux-radiator to NPS, as the ESX we're 
>> running this on is currently tight on resources for another Windows VM, 
>> especially since it's basically only standing in as a RADIUS MSCHAPv2 -> NTLM 
>> proxy.
>> 
>> 
>> -----Original Message-----
>> From: Hugh Irvine [mailto:h...@open.com.au]
>> Sent: Wednesday, July 23, 2014 9:43 PM
>> To: Christopher Chance
>> Cc: radiator@open.com.au
>> Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
>> 
>> 
>> Hello Chris -
>> 
>> OK - this is what I had imagined.
>> 
>> What I would suggest is running Microsoft NPS on each domain, then just 
>> proxy the inner requests to the corresponding NPS.
>> 
>> In this case the inner requests are just straight MSCHAP-V2.
>> 
>> Something like this:
>> 
>> 
>> Foreground
>> LogStdout
>> LogDir /etc/radiator/log/
>> DbDir /etc/radiator
>> PidFile %L/radiusd.pid
>> DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
>> Trace 4
>> AuthPort 1812
>> AcctPort 1813
>> 
>> <Client 192.168.125.20>
>>       Secret xxxxxxxxxxx
>>       Identifier Ruckus
>> </Client>
>> 
>> <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/(MYSITE|mysite)(.*)$/>
>>       <AuthBy RADIUS>
>>               StripFromRequest ConvertedFromEAPMSCHAPV2
>>               Host ....
>>               Secret ....
>>               AuthPort .....
>>               AcctPort .....
>>               AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
>>       </AuthBy>
>> </Handler>
>> 
>> <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/GUEST(.*)$/>
>>       <AuthBy RADIUS>
>>               StripFromRequest ConvertedFromEAPMSCHAPV2
>>               Host .....
>>               Secret ....
>>               AuthPort .....
>>               AcctPort .....
>>               AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
>>       </AuthBy>
>> </Handler>
>> 
>> # this proxies to the machine that can then proxy to OTHERSITE NPS
>> # strongly suggest you don't use Synchronous
>> 
>> <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
>>       <AuthBy RADIUS>
>>               StripFromRequest ConvertedFromEAPMSCHAPV2
>>               Host 192.168.125.236
>>               Secret xxxxxxxxx
>>               AuthPort 1812
>>               AcctPort 1813
>>               Retries 2
>>               AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
>>       </AuthBy>
>> </Handler>
>> 
>> <Handler TunnelledByPEAP=1>
>>       <AuthBy FILE>
>>               EAPType MSCHAP-V2
>>               EAP_PEAP_MSCHAP_Convert 1
>>       </AuthBy>
>> </Handler>
>> 
>> <Handler Client-Identifier = Ruckus>
>>           <AuthBy FILE>
>>             CachePasswordExpiry 3600
>>             Filename %D/users_anon
>>             EAPType PEAP,TLS,TTLS
>>             EAPTLS_PrivateKeyPassword whatever
>>             EAPTLS_CAFile /etc/radiator/certs/ca.pem
>>             EAPTLS_CertificateFile /etc/radiator/certs/server.pem
>>             EAPTLS_CertificateType PEM
>>             EAPTLS_PrivateKeyFile /etc/radiator/certs/server.pem
>>             EAPTLS_PEAPVersion 0
>>             EAPTTLS_NoAckRequired
>>             UsernameMatchesWithoutRealm
>>             AutoMPPEKeys
>>           </AuthBy>
>> </Handler>
>> 
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 24 Jul 2014, at 11:08, Christopher Chance <ccha...@newtechgrp.com> wrote:
>> 
>>> 2 domains are on 2 separate VLANs... For authentication I'm filtering by 
>>> the Handler: Domain1\myuser or Domain2\myuser. If domain1, then process it via 
>>> NTLM locally; if the second domain, forward to a secondary RADIUS that has an 
>>> interface on domain2 and is part of domain2's domain.
>>> 
>>> This is being done so that the wireless in my office can accept both logins 
>>> and sort users to the correct VLAN based on their credentials: if a user 
>>> logs in with Domain1\user then they get sent to VLAN 2; if they get on as 
>>> domain2\user they log in to VLAN 3, for instance.
>>> 
>>> We have an office with different companies but want to simplify our 
>>> wireless (at least at the user level) so that it is 1 wireless network via 
>>> WPA2 Enterprise (802.1X EAP)... hence what I'm trying to do above.
>>> 
>>> Originally I was going to have the main RADIUS server just filter by 
>>> domains and send an LDAP2 request to domain1's or domain2's DC, but since 
>>> LDAP2 doesn't work with MSCHAPv2 I had to go the NTLM way. 
>>> 
>>> And yes, the Linux version is what we're using, as we plan to use the RADIUS 
>>> for some other things too, but Windows was giving us some headaches; 
>>> that's a different story for a different day.
>>> 
>>> Hope I've explained :S
>>> 
>>> Chris
>>> ________________________________________
>>> From: Hugh Irvine [h...@open.com.au]
>>> Sent: Wednesday, July 23, 2014 8:07 PM
>>> To: Christopher Chance
>>> Cc: radiator@open.com.au
>>> Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
>>> 
>>> Hello Chris -
>>> 
>>> Could you please explain in detail what exactly you are trying to 
>>> accomplish?
>>> 
>>> It sounds like you are authenticating against Active Directory but you are 
>>> running Radiator on Linux?
>>> 
>>> Can you tell us how you differentiate between the 2 domains?
>>> 
>>> We can make better suggestions if we clearly understand the problem.
>>> 
>>> regards
>>> 
>>> Hugh
>>> 
>>> 
>>> On 24 Jul 2014, at 03:30, Christopher Chance <ccha...@newtechgrp.com> wrote:
>>> 
>>>> Let me just say I got 802.1X working with PEAP/MSCHAPv2 -> NTLM 
>>>> authentication....
>>>> 
>>>> The issue is we have 2 domains on our network and want to be able to have 
>>>> the single 802.1X authentication, sorted by domain, authenticate and return 
>>>> the correct VLAN for the user... I couldn't figure out a way to do it with 
>>>> LDAP2, as apparently LDAP2 doesn't like MSCHAPv2/PEAP, only PAP, for whatever 
>>>> reason... So NTLM I went to, and it works, but that meant I had to join the 
>>>> Linux server to the domain, and only 1 domain per server.
>>>> 
>>>> To solve this I followed someone's recommendation to have a second 
>>>> radius server (vm), that's on the other domain that just checks 
>>>> domains and the first server will proxy the request to it... simple 
>>>> enough...
>>>> 
>>>> The issue is it doesn't work: the secondary RADIUS sends the 
>>>> Access-Accept, but for some reason the main server doesn't seem to 
>>>> handle the challenge/accept process correctly anymore and the sign-in 
>>>> process just hangs on the wireless...
>>>> 
>>>> So now I'm 110% lost and don't know what else could be the issue...
>>>> 
>>>> If you can take a look at this and help me out it would be greatly 
>>>> appreciated, as to where I'm going wrong.
>>>> 
>>>> Good login with primary server doing NTLM: http://pastebin.com/Vimm88Ya
>>>> Login that's hanging, being processed from remote RADIUS: http://pastebin.com/Lj3MCset
>>>> 
>>>> Config is http://pastebin.com/UCr2vMdk
>>>> 
>>>> Thanks,
>>>> Chris
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator@open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>> 
>>> 
>>> --
>>> 
>>> Hugh Irvine
>>> h...@open.com.au
>>> 
>>> Radiator: the most portable, flexible and configurable RADIUS server 
>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, 
>>> TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, 
>>> DIAMETER, SIM, etc.
>>> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>> 
>>> 
>> 
>> 
>> 
>> 
> 
> 
> 
> 



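The following is an added example, not code from the thread or from Radiator: a small Python model of how the Handler table in Hugh's suggested config routes a PEAP-MSCHAPv2 login. It follows Radiator's rule that the first Handler whose check items all match, in config order, wins, and it models EAP_PEAP_MSCHAP_Convert as rewriting the inner request with ConvertedFromEAPMSCHAPV2=1 and re-dispatching it. The hosts that were elided in the post stay as placeholders, the sample User-Names are constructed, and the dispatch code is an illustration of the mechanism, not Radiator's implementation.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple, Union

# Model of the Handler table in the suggested config. Check items, hosts and
# VLAN ids are taken from the thread (elided values stay as placeholders); the
# dispatch logic is an added illustration of Radiator's "first matching Handler
# in config order wins" behaviour, not Radiator's own code.

Check = Union[str, re.Pattern]

@dataclass
class Handler:
    checks: Dict[str, Check]           # attribute -> exact value or regex
    action: str                        # "proxy", "convert" or "local"
    proxy_host: Optional[str] = None
    reply: Dict[str, str] = field(default_factory=dict)

HANDLERS = [
    Handler({"ConvertedFromEAPMSCHAPV2": "1", "User-Name": re.compile(r"(MYSITE|mysite)(.*)$")},
            "proxy", "<MYSITE host, elided in the post>", {"Tunnel-Private-Group-ID": "52"}),
    Handler({"ConvertedFromEAPMSCHAPV2": "1", "User-Name": re.compile(r"GUEST(.*)$")},
            "proxy", "<GUEST host, elided in the post>", {"Tunnel-Private-Group-ID": "52"}),
    Handler({"ConvertedFromEAPMSCHAPV2": "1", "User-Name": re.compile(r"OTHERSITE(.*)$")},
            "proxy", "192.168.125.236", {"Tunnel-Private-Group-ID": "nn"}),
    # <Handler TunnelledByPEAP=1> with EAP_PEAP_MSCHAP_Convert 1
    Handler({"TunnelledByPEAP": "1"}, "convert"),
    # <Handler Client-Identifier = Ruckus>: the outer PEAP conversation, AuthBy FILE users_anon
    Handler({"Client-Identifier": "Ruckus"}, "local"),
]

def matches(handler: Handler, req: Dict[str, str]) -> bool:
    """Every check item must match. A /regex/ check item is an unanchored
    match, as in Radiator, so 'OTHERSITE' matches anywhere in the User-Name."""
    for attr, want in handler.checks.items():
        got = req.get(attr)
        if got is None:
            return False
        if isinstance(want, re.Pattern):
            if not want.search(got):
                return False
        elif got != want:
            return False
    return True

def select(req: Dict[str, str]) -> Optional[Handler]:
    """First matching Handler in config order wins."""
    for h in HANDLERS:
        if matches(h, req):
            return h
    return None

def dispatch(req: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Follow one request through the table; returns (route, reply attributes)."""
    h = select(req)
    if h is None:
        return ("reject: no matching Handler", {})
    if h.action == "convert":
        # EAP_PEAP_MSCHAP_Convert rewrites the inner EAP-MSCHAPv2 as a plain
        # RADIUS MSCHAPv2 request, flags it ConvertedFromEAPMSCHAPV2=1 and
        # re-dispatches it, which is what lets the domain Handlers see it.
        inner = {k: v for k, v in req.items() if k != "TunnelledByPEAP"}
        inner["ConvertedFromEAPMSCHAPV2"] = "1"
        return dispatch(inner)
    if h.action == "proxy":
        # StripFromRequest drops the flag before the request leaves; the VLAN
        # attributes are added to whatever reply the remote server returns.
        reply = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802", **h.reply}
        return (f"proxy to {h.proxy_host}", reply)
    return ("local: AuthBy FILE users_anon", {})

if __name__ == "__main__":
    # Constructed sample inner requests, not taken from the thread's logs.
    for name in ("OTHERSITE\\bob", "mysite\\alice", "GUEST\\visitor", "MySite\\carol"):
        print(name, "->", dispatch({"TunnelledByPEAP": "1",
                                   "Client-Identifier": "Ruckus",
                                   "User-Name": name}))
```

Two things the model makes visible that the config alone does not: the domain Handlers only ever see a request because the TunnelledByPEAP Handler converted and re-dispatched it, so their ConvertedFromEAPMSCHAPV2=1 check is what keeps them from grabbing the outer PEAP request; and a converted request whose User-Name matches none of the domain regexes (for example a mixed-case MySite\carol, which neither MYSITE nor mysite covers) falls through to the last Handler and is checked locally against users_anon rather than being rejected outright.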