Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-25 Thread Hugh Irvine

Hello Chris -

Thanks for letting us know.

regards

Hugh


On 26 Jul 2014, at 03:50, Christopher Chance  wrote:

> Removing the synchronous did in fact fix the problem for some reason! Thanks!
> 
> Best regards,
>  
> Chris Chance
> Network Engineer - CaribServe
> 
> Phone: +1 721 542-4233
> Email:   ccha...@newtechgrp.com
> 
> 
> -Original Message-
> From: Hugh Irvine [mailto:h...@open.com.au] 
> Sent: Thursday, July 24, 2014 6:49 PM
> To: Christopher Chance
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
> 
> 
> Hello Chris -
> 
> The other difference between what I sent and what you are doing is your use 
> of Synchronous in the AuthBy RADIUS clause.
> 
> In my suggestion I have removed it, and we think it is this that is causing 
> the problem for some reason.
> 
>> 
>> # this proxies to the machine that can then proxy to OTHERSITE NPS
>> # strongly suggest you don't use Synchronous
>> 
>> 
>>   
>>   StripFromRequest ConvertedFromEAPMSCHAPV2
>>   Host 192.168.125.236
>>   Secret x
>>   AuthPort 1812
>>   AcctPort 1813
>>   Retries 2
>>   AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
>>   
>> 
> 
> 
> 
> You might also want to upgrade to the latest Radiator 4.13.
> 
> FYI - we had another site that was having problems with NTLM and it was 
> resolved by my suggestion to have Radiator proxy to NPS.
> 
> hope that helps
> 
> regards
> 
> Hugh
> 
> 
> 
> On 25 Jul 2014, at 04:23, Christopher Chance  wrote:
> 
>> Got to work and was looking at it and basically you're doing the same thing 
>> I am, though the MYSITE radius isn't needed as there's nothing wrong with 
>> the MYSITE NTLM; it works fine.
>> 
>> As for the OTHERSITE ... that's exactly how it is now, except instead of 
>> Microsoft NPS the other side is a radiator that authenticates via NTLM on 
>> the secondary domain...
>> 
>> The problem is when that second radiator responds to this radiator with the 
>> Access-Accept, this radiator as you can see in the logs does a bunch of EAP 
>> challenges but never builds the final Access-Accept from what I can see for 
>> the client wifi device... and the client device hangs.
>> 
>> Of the logs I included, the good one was local NTLM auth that 
>> authenticates and sends the client an Access-Accept.
>> 
>> The bad one that hangs was Radiator sending the Radius-MSCHAPv2 inner 
>> request to the second radiator and getting the Access-Accept from that 
>> radiator, and then it does some EAP challenges and just hangs.
>> 
>> Don't really want to switch from linux-radiator to NPS as the ESX we're 
>> running this on is tight on resources currently for another Windows VM, 
>> especially since it's only basically standing in as a Radius-MSCHAPv2->NTLM 
>> proxy.
>> 
>> 
>> -Original Message-
>> From: Hugh Irvine [mailto:h...@open.com.au]
>> Sent: Wednesday, July 23, 2014 9:43 PM
>> To: Christopher Chance
>> Cc: radiator@open.com.au
>> Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
>> 
>> 
>> Hello Chris -
>> 
>> OK - this is what I had imagined.
>> 
>> What I would suggest is running Microsoft NPS on each domain, then just 
>> proxy the inner requests to the corresponding NPS.
>> 
>> In this case the inner requests are just straight MSCHAP-V2.
>> 
>> Something like this:
>> 
>> 
>> Foreground
>> LogStdout
>> LogDir /etc/radiator/log/
>> DbDir /etc/radiator
>> PidFile %L/radiusd.pid
>> DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
>> Trace 4
>> AuthPort 1812
>> AcctPort 1813
>> 
>> 
>>   Secret xxx
>>   Identifier Ruckus
>> 
>> 
>> 
>>   
>>   StripFromRequest ConvertedFromEAPMSCHAPV2
>>   Host 
>>  Secret 
>>  AuthPort .
>>  AcctPort .
>>   AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
>>   
>> 
>> 
>> 
>>   
>>   StripFromRequest ConvertedFromEAPMSCHAPV2
>>   Host .
>>  Secret 
>>  AuthPort .
>>  AcctPort .
>>   AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
>>   
>> 
>> 
>> # this proxies to the machine that can then proxy to OTHERSITE NPS
>> # strongly suggest you don't use Synchronous
>> 
>> 
>>   
>>   StripFromRequest ConvertedFromEAPMSCHAPV2
>>   Host 192.168.125.236
>>   Secret x
>>   AuthPort 1812
>>   AcctPort 1813
>>   Retries 2
>>   AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
>>   
>> 
>> 
>> 
>>   
>>   EAPType MSCHAP-V2
>>   EAP_PEAP_MSCHAP_Convert 1
>>   
>> 
>> 
>> 
>>   
>> CachePasswordExpir

Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-25 Thread Christopher Chance
Removing the synchronous did in fact fix the problem for some reason! Thanks!

Best regards,
 
Chris Chance
Network Engineer - CaribServe

Phone: +1 721 542-4233
Email:   ccha...@newtechgrp.com


-Original Message-
From: Hugh Irvine [mailto:h...@open.com.au] 
Sent: Thursday, July 24, 2014 6:49 PM
To: Christopher Chance
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)


Hello Chris -

The other difference between what I sent and what you are doing is your use of 
Synchronous in the AuthBy RADIUS clause.

In my suggestion I have removed it, and we think it is this that is causing the 
problem for some reason.

> 
> # this proxies to the machine that can then proxy to OTHERSITE NPS
> # strongly suggest you don't use Synchronous
> 
> 
>
>StripFromRequest ConvertedFromEAPMSCHAPV2
>Host 192.168.125.236
>Secret x
>AuthPort 1812
>AcctPort 1813
>Retries 2
>AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
>
> 



You might also want to upgrade to the latest Radiator 4.13.

FYI - we had another site that was having problems with NTLM and it was 
resolved by my suggestion to have Radiator proxy to NPS.

hope that helps

regards

Hugh



On 25 Jul 2014, at 04:23, Christopher Chance  wrote:

> Got to work and was looking at it and basically you're doing the same thing I 
> am, though the MYSITE radius isn't needed as there's nothing wrong with the 
> MYSITE NTLM; it works fine.
> 
> As for the OTHERSITE ... that's exactly how it is now, except instead of 
> Microsoft NPS the other side is a radiator that authenticates via NTLM on the 
> secondary domain...
> 
> The problem is when that second radiator responds to this radiator with the 
> Access-Accept, this radiator as you can see in the logs does a bunch of EAP 
> challenges but never builds the final Access-Accept from what I can see for 
> the client wifi device... and the client device hangs.
> 
> Of the logs I included, the good one was local NTLM auth that 
> authenticates and sends the client an Access-Accept.
> 
> The bad one that hangs was Radiator sending the Radius-MSCHAPv2 inner request 
> to the second radiator and getting the Access-Accept from that radiator, and 
> then it does some EAP challenges and just hangs.
> 
> Don't really want to switch from linux-radiator to NPS as the ESX we're 
> running this on is tight on resources currently for another Windows VM, 
> especially since it's only basically standing in as a Radius-MSCHAPv2->NTLM 
> proxy.
> 
> 
> -Original Message-
> From: Hugh Irvine [mailto:h...@open.com.au]
> Sent: Wednesday, July 23, 2014 9:43 PM
> To: Christopher Chance
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
> 
> 
> Hello Chris -
> 
> OK - this is what I had imagined.
> 
> What I would suggest is running Microsoft NPS on each domain, then just proxy 
> the inner requests to the corresponding NPS.
> 
> In this case the inner requests are just straight MSCHAP-V2.
> 
> Something like this:
> 
> 
> Foreground
> LogStdout
> LogDir /etc/radiator/log/
> DbDir /etc/radiator
> PidFile %L/radiusd.pid
> DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
> Trace 4
> AuthPort 1812
> AcctPort 1813
> 
> 
>Secret xxx
>Identifier Ruckus
> 
> 
> 
>
>StripFromRequest ConvertedFromEAPMSCHAPV2
>Host 
>   Secret 
>   AuthPort .
>   AcctPort .
>AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
>
> 
> 
> 
>
>StripFromRequest ConvertedFromEAPMSCHAPV2
>Host .
>   Secret 
>   AuthPort .
>   AcctPort .
>AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
>
> 
> 
> # this proxies to the machine that can then proxy to OTHERSITE NPS
> # strongly suggest you don't use Synchronous
> 
> 
>
>StripFromRequest ConvertedFromEAPMSCHAPV2
>Host 192.168.125.236
>Secret x
>AuthPort 1812
>AcctPort 1813
>Retries 2
>AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
>
> 
> 
> 
>
>EAPType MSCHAP-V2
>EAP_PEAP_MSCHAP_Convert 1
>
> 
> 
> 
>
>  CachePasswordExpiry 3600
>  Filename %D/users_anon
>  EAPType PEAP,TLS,TTLS
>  EAPTLS_PrivateKeyPassword whatever
>  EAPTLS_CAFile /etc/radiator/certs/ca.pem
>  EAPTLS_CertificateFile /etc/radiator/certs/server.pem
>  EAPTLS_Certifica
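As an added example that is not part of this thread or of Radiator's own documentation, here is the proxying AuthBy RADIUS clause the thread settles on, reconstructed with an enclosing Handler: first with Synchronous (the setting Hugh asked Chris to remove) and then without it. The Handler check items (TunnelledByPEAP, Realm), the host, the shared secret and the VLAN id are assumptions and placeholders, not values from the thread.

```apacheconf
# Added example, not the thread's own configuration.
# Handler for the converted inner MSCHAP-V2 request of a PEAP session
# that belongs to the OTHERSITE domain (Realm and TunnelledByPEAP are
# assumed check items, not taken from the thread).

# --- Problematic form: Synchronous makes radiusd wait for the proxied
#     reply before doing anything else; in this thread the PEAP
#     exchange then never reached its final Access-Accept.
<Handler TunnelledByPEAP=1, Realm=OTHERSITE>
    <AuthBy RADIUS>
        Synchronous
        StripFromRequest ConvertedFromEAPMSCHAPV2
        # placeholder proxy target and secret
        Host 192.0.2.10
        Secret CHANGE_ME
        AuthPort 1812
        AcctPort 1813
        Retries 2
        # nn is a placeholder VLAN id, as in the thread
        AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
    </AuthBy>
</Handler>

# --- Corrected form as recommended in the thread: the same clause with
#     Synchronous removed, so the proxied reply is processed when it
#     arrives and the EAP conversation with the client can complete.
<Handler TunnelledByPEAP=1, Realm=OTHERSITE>
    <AuthBy RADIUS>
        StripFromRequest ConvertedFromEAPMSCHAPV2
        Host 192.0.2.10
        Secret CHANGE_ME
        AuthPort 1812
        AcctPort 1813
        Retries 2
        AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
    </AuthBy>
</Handler>
```

StripFromRequest ConvertedFromEAPMSCHAPV2 stays in both forms so the internal marker attribute is not forwarded to the remote server.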