Re: [RADIATOR] Radiator on Linux using LDAP2, MS Active Directory, MSCHAP-V2

2013-10-16 Thread Heikki Vatiainen
On 10/15/2013 10:41 PM, Sevilla, Norman A wrote:

> The only function that we are unable to migrate successfully is 802.1X
> wireless authentication.  The Windows-based version used AuthBy LSA so
> the MSCHAP-V2 challenge worked successfully.  On the Linux-based system,
> AuthBy LDAP2 is finding my user account in AD but is failing with
> MSCHAP-V2 authentication failure.

Hello Norm,

the AD LDAP interface allows you to fetch a lot of information but it
does not expose the password or password hash. It appears to be
impossible to configure AD to do so. For MSCHAP-V2 you would need either
plain text password or NTHASH of password. Since neither are available
over LDAP from AD, this is why it fails.

> I’ve tried using the nt-hash
> conversion script in the goodies directory but I am not seeing
> ‘User-Password’ anywhere to be converted.  I’ve seen several threads
> stating that my best bet is to just stick to a Windows-based system but
> I’m hoping someone can help me figure out how to get this to work
> on a Linux platform.

You would need to use AuthBy NTLM on Linux. This would provide you with
the authentication functionality.  If needed, you could then use AuthBy
LDAP2 for authorization (checking group memberships etc.).

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
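The computation Heikki is describing, as an added example that is not part of this thread or of Radiator's own code: a self-contained Go program that derives the NT hash (MD4 over the UTF-16LE password) and the RFC 2759 NT-Response from it, plus the server-side check that works from the hash alone. The helper names (md4, ntHash, desEncrypt, ntResponse, verifyNTResponse) are this example's own, and the challenges and credentials are the published RFC 2759 section 9.2 test vector, embedded inline so it runs offline.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a compact MD4 (RFC 1320); Go's standard library has none, and the NT hash is MD4.
func md4(msg []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	m := append(append([]byte{}, msg...), 0x80) // padding: 0x80, zeros, 64-bit LE bit length
	for len(m)%64 != 56 {
		m = append(m, 0)
	}
	var lenb [8]byte
	binary.LittleEndian.PutUint64(lenb[:], uint64(len(msg))*8)
	m = append(m, lenb[:]...)
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	k3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	for off := 0; off < len(m); off += 64 {
		var x [16]uint32
		for i := range x { x[i] = binary.LittleEndian.Uint32(m[off+4*i:]) }
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1
			a, b, c, d = d, bits.RotateLeft32(a+f(b, c, d)+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2
			a, b, c, d = d, bits.RotateLeft32(a+g(b, c, d)+x[(i%4)*4+i/4]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3
			a, b, c, d = d, bits.RotateLeft32(a+(b^c^d)+x[k3[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range [4]uint32{a, b, c, d} { binary.LittleEndian.PutUint32(out[4*i:], v) }
	return out
}

// ntHash is MD4(UTF-16LE(password)): what AD keeps in the write-only unicodePwd attribute.
func ntHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], v)
	}
	return md4(buf)
}

// desEncrypt spreads a 7-byte key over 8 bytes (DES ignores each byte's low parity bit) and encrypts one block.
func desEncrypt(clear, key7 []byte) []byte {
	var k [8]byte
	for i := range k {
		for j := 0; j < 7; j++ {
			bit := 7*i + j
			k[i] = k[i]<<1 | (key7[bit/8]>>(7-uint(bit%8)))&1
		}
		k[i] <<= 1
	}
	block, _ := des.NewCipher(k[:]) // 8-byte key, so this cannot fail
	out := make([]byte, 8)
	block.Encrypt(out, clear)
	return out
}

// ntResponse is RFC 2759 GenerateNTResponse from the NT hash alone: no cleartext password needed, but no way around the hash.
func ntResponse(nt [16]byte, authChal, peerChal []byte, username string) []byte {
	ch := sha1.Sum(append(append(append([]byte{}, peerChal...), authChal...), username...))
	chal := ch[:8]        // ChallengeHash: first 8 bytes of SHA1(Peer || Auth || UserName)
	z := make([]byte, 21) // hash zero-padded into three 7-byte DES keys
	copy(z, nt[:])
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt(chal, z[i:i+7])...)
	}
	return resp
}

// verifyNTResponse is the RADIUS server's side of the check; an LDAP bind cannot reproduce this value.
func verifyNTResponse(nt [16]byte, authChal, peerChal []byte, username string, got []byte) bool {
	return subtle.ConstantTimeCompare(ntResponse(nt, authChal, peerChal, username), got) == 1
}

func main() {
	// RFC 2759 section 9.2 test vector ("User" / "clientPass"), embedded for offline use.
	authChal, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peerChal, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	nt := ntHash("clientPass")
	resp := ntResponse(nt, authChal, peerChal, "User")
	fmt.Printf("NT hash %X\nNT-Response %X\nverified %v\n", nt[:], resp, verifyNTResponse(nt, authChal, peerChal, "User", resp))
}
```

Run with go run; the NT-Response printed is the RFC's 82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF. The point of the example is what the server holds: everything starts from the 16-byte NT hash, and the server's only input from the client is a challenge and a 24-byte response. An LDAP bind against AD can only answer "does this cleartext password work", a question the server has no cleartext to ask with, which is why AuthBy LDAP2 finds the account but fails MSCHAP-V2. AuthBy NTLM avoids the problem by handing the challenge/response pair to a domain controller, which does hold the hash.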


Re: [RADIATOR] possible bug when AcctTotalSinceQuery == Max-Daily-Session

2013-10-16 Thread Heikki Vatiainen
On 10/15/2013 05:47 PM, Francesc Romà i Frigolé wrote:

> When the total session time used for the day as given by the
> AcctTotalSinceQuery is exactly the same as Max-Daily-Session in the
> authentication request Radiator allows the user to log in. 
> 
> Only if the session time exceeds the max daily session, even by just one
> second, will Radiator complain about max session exceeded.

I would need to see your configuration to say what happens exactly, but
most likely this can happen. If the amount of used seconds is 86400,
this does not *exceed* one day, yet.

> Is this the correct behaviour? I'd expect also to get a session exceeded
> error when AcctTotalSinceQuery == Max-Daily-Session.

I think it currently does work as documented ' ... If it is exceeded,
the user is rejected. ...' says the reference manual for Max-Daily-Session.

> This behaviour is causing issues for us because Radiator is returning
> an authentication "accept" with a zero session time, which Mikrotik
> RouterOS hotspot interprets as infinite session length, rather than a
> session exceeded error.

I can see that returning Session-Timeout of 0 with Access-Accept will
cause problems in your case. The RADIUS RFC is silent about 0 being a
special value, but it appears there are other implementations too which
consider 0 to mean infinity.

> Is this a bug or there is something wrong with my settings?

Maybe this is a gray area? You could consider e.g., a PostAuthHook to
see if Session-Timeout is going to be 0 and then switch the result to
reject. Might even be a good time to reject sessions that have only a
few seconds left?

Thanks,
Heikki

-- 
Heikki Vatiainen 
