[RADIATOR] Account log to MySQL
Goal: Capture successful logins as well as failures for stats purposes. I am setting up logging to a local MySQL instance. Here's what I've done:

* Following instructions in the 'mysqlcreate.sql' file, I created the radius table and user(s).
* Created the Mysql tables using the provided 'mysqlCreate.sql' in goodies.
* Added the following stanza to my Handler just below the SIP AuthBy stanza:

-- conf --
<Handler>
    <AuthBy SIP2>
        Port 6001
        Host siphost.com
        Delimiter |
        LoginUserID sipuser
        LoginPassword supersecret
        LocationCode Radiator
        SendChecksum no
        VerifyChecksum no
        NoDefault
        EAPType GTC
    </AuthBy>
    <AuthLog SQL>
        DBSource dbi:mysql:radius:localhost
        DBUsername radius
        DBAuth secrets
        LogSuccess
        SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 1)
        LogFailure
        FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
    </AuthLog>
</Handler>
-- /conf --

I'm not seeing anything with:

    SELECT * FROM RADAUTHLOG;

Is it just a quiet day or am I missing something?

Last question is: does USERNAME refer to the client?

Thank you!

--
Chad Roseburg
Automation Dept.
North Central Regional Library
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
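One check worth running on the AuthLog clause above, as an added example that is not part of the post and not Radiator's code: the SuccessQuery names four columns (TIME_STAMP, USERNAME, TYPE, REASON) but supplies three values, and MySQL rejects such an INSERT ("Column count doesn't match value count at row 1"), so successes never reach the table; Radiator reports a failed query in its own log and carries on. The script below reproduces that against SQLite so it runs offline, runs the corrected success query and the failure query beside it, and then produces the per-user counts the post is after. Assumptions: the RADAUTHLOG layout created by goodies/mysqlCreate.sql is (TIME_STAMP, USERNAME, TYPE, REASON); %t is the Unix time, %n the User-Name from the Access-Request (the end user, not the RADIUS client) and %1 the SQL-quoted failure reason; the events inserted are constructed.

```python
import re
import sqlite3

# Added example, not from the post and not Radiator's code. Assumed: RADAUTHLOG as
# created by goodies/mysqlCreate.sql has the columns (TIME_STAMP, USERNAME, TYPE,
# REASON); %t is the Unix time, %n the User-Name from the request and %1 the
# SQL-quoted failure reason. SQLite stands in for MySQL so this runs offline.

RADAUTHLOG_DDL = """
CREATE TABLE RADAUTHLOG (
    TIME_STAMP INTEGER,
    USERNAME   VARCHAR(253),
    TYPE       INTEGER,          -- 1 = success, 0 = failure
    REASON     VARCHAR(253)
)"""

# As posted: four column names, three values.
SUCCESS_QUERY_POSTED = ("insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) "
                        "values (%t, '%n', 1)")
# Column list and value list agree (REASON is only meaningful on failure).
SUCCESS_QUERY_FIXED = "insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)"
FAILURE_QUERY = ("insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) "
                 "values (%t, '%n', 0, %1)")


def sql_quote(text):
    """Quote a string literal for SQL, doubling any embedded single quote."""
    return "'" + text.replace("'", "''") + "'"


def expand(query, username, now, reason=""):
    """Substitute the three specials this example models. %n lands inside the
    query's own quotes, so it is escaped here; confirm what your Radiator version
    does with %n before trusting User-Name values that arrive from the network."""
    def repl(m):
        spec = m.group(1)
        if spec == "t":
            return str(now)
        if spec == "n":
            return username.replace("'", "''")
        return sql_quote(reason)          # %1
    return re.sub(r"%([tn1])", repl, query)


def log_auth(conn, query, username, now, reason=""):
    """Run one AuthLog-style INSERT; return (ok, error text) rather than raising."""
    try:
        conn.execute(expand(query, username, now, reason))
        conn.commit()
        return True, ""
    except sqlite3.Error as e:
        return False, str(e)


def auth_stats(conn):
    """The stats the post is after: (successes, failures) per user name."""
    rows = conn.execute("SELECT USERNAME, SUM(TYPE = 1), SUM(TYPE = 0) "
                        "FROM RADAUTHLOG GROUP BY USERNAME ORDER BY USERNAME").fetchall()
    return {user: (int(ok), int(bad)) for user, ok, bad in rows}


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(RADAUTHLOG_DDL)
    # Constructed events: one success logged with each query, then two failures.
    posted_ok, posted_err = log_auth(conn, SUCCESS_QUERY_POSTED, "29030pretend", 1392770000)
    log_auth(conn, SUCCESS_QUERY_FIXED, "29030pretend", 1392770000)
    log_auth(conn, FAILURE_QUERY, "29030pretend", 1392770060, "Bad password")
    log_auth(conn, FAILURE_QUERY, "o'brien", 1392770120, "Bad password")
    return posted_ok, posted_err, auth_stats(conn)


if __name__ == "__main__":
    print(demo())
```

The first element of demo()'s result is False with the "values for ... columns" error from the posted query; only the corrected query and the two failures land in the table. When the table stays empty on the real server, raise the trace level and look for the DBI error next to the query text before suspecting a quiet day.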
Re: [RADIATOR] SIP2 + Fortigate setup
You were correct, I did not set up the client stanzas correctly. I got rid of all client stanzas but the DEFAULT and used the secret with the fortigate. SUCCESS! Thank you!

Here is what I had:

    <Client DEFAULT>
        Secret different_secret
        DupInterval 0
    </Client>

    <Client 192.168.20.99>
        Secret radius_secret
        DupInterval 0
    </Client>

I commented out the second one. Why didn't the second stanza work?

Thanks!
Chad

On Wed, Feb 19, 2014 at 5:49 PM, Hugh Irvine h...@open.com.au wrote:
> Hi again -
>
> Further to this, I am guessing the shared secret between the Fortigate and the Radiator Client clause is incorrect.
>
> regards
> Hugh
>
> On 20 Feb 2014, at 12:42, Hugh Irvine h...@open.com.au wrote:
>> Hi Chad -
>>
>> Can you please send me a copy of your configuration file together with a trace 4 debug showing what is happening. Also please include your user definition.
>>
>> thanks and regards
>> Hugh
>>
>> On 20 Feb 2014, at 11:26, Chad Roseburg croseb...@ncrl.org wrote:
>>> Thanks Hugh, but it is rejecting the password ...sample output:
>>>
>>>     Wed Feb 19 14:18:04 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad passw
>>>     Wed Feb 19 14:18:04 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad pa
>>>
>>> We're using SIP2 to authenticate clients. It does work with the radpwtst, but not fortigate. Suggestions?
>>>
>>> Chad
>>>
>>> On Wed, Feb 19, 2014 at 3:51 PM, Hugh Irvine h...@open.com.au wrote:
>>>> Hello Chad -
>>>>
>>>> You don’t need to do anything special - Radiator will process the password automatically.
>>>>
>>>> If you are using a flat file for your user records you should add an entry like this:
>>>>
>>>>     # flat file user definitions
>>>>     29030pretend    User-Password = gulash
>>>>
>>>> hope that helps
>>>>
>>>> regards
>>>> Hugh
>>>>
>>>> On 20 Feb 2014, at 09:42, Chad Roseburg croseb...@ncrl.org wrote:
>>>>> Thanks Heikki ~ there is an option to change the authentication scheme. I changed it to PAP as you suggest.
Re: [RADIATOR] SIP2 + Fortigate setup
That is correct. I had an additional stanza for a router ...when I commented out all but the DEFAULT and used the DEFAULT secret, it worked.

Thanks!
Chad

On Thu, Feb 20, 2014 at 4:45 AM, Sami Keski-Kasari sam...@open.com.au wrote:
> Hello Chad,
>
> In standard Radius protocol shared secret is used to encrypt User-Password field. Radiator will automatically decrypt User-Password with shared secret.
>
> I think that you should first check that you have same shared secret both in your client clause and in fortigate.
>
> If there is some password encryption options for password in fortigate, please try to disable them until you get authentication working.
>
> Best Regards,
> Sami
>
> On 02/20/2014 12:42 AM, Chad Roseburg wrote:
>> Thanks Heikki ~ there is an option to change the authentication scheme. I changed it to PAP as you suggest.
>>
>> [...]

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
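To make Sami's point concrete, and to apply the rule Heikki gives elsewhere in the thread (User-Password present means PAP; MS-CHAP-Challenge without it means MS-CHAP), here is an added example that is not from the thread and not Radiator's code. It implements the RFC 2865 section 5.2 User-Password hiding a NAS performs with the shared secret and the Request Authenticator, builds a PAP Access-Request and an MS-CHAP-style one, parses them back, and unhides the password once with the matching secret and once with a non-matching one. The second attempt yields garbage with no error, which is what a Client clause carrying the wrong secret hands to the AuthBy (compare the AD field in the SIP2 trace Chad posted). NAS_SECRET, WRONG_SECRET, REQUEST_AUTH and the packet contents are constructed; Radiator's real client lookup and attribute dictionary are not modelled.

```python
import hashlib
import struct

# Added example, not code from the thread or from Radiator. NAS_SECRET,
# WRONG_SECRET, REQUEST_AUTH and the packets built in demo() are constructed.

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 2, 26, 32  # RFC 2865
VENDOR_MICROSOFT = 311                                                   # RFC 2548
MS_CHAP_RESPONSE, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 1, 11, 25
ATTR_NAMES = {USER_NAME: "User-Name", USER_PASSWORD: "User-Password", NAS_IDENTIFIER: "NAS-Identifier"}
MS_NAMES = {MS_CHAP_RESPONSE: "MS-CHAP-Response", MS_CHAP_CHALLENGE: "MS-CHAP-Challenge",
            MS_CHAP2_RESPONSE: "MS-CHAP2-Response"}


def _md5_xor_chain(data, secret, authenticator, chain_on_output):
    """XOR 16-octet blocks with MD5(secret + previous block); the first 'previous
    block' is the Request Authenticator (RFC 2865 s5.2)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        # Hiding chains on the ciphertext it produced; unhiding on the ciphertext it received.
        prev = block if chain_on_output else data[i:i + 16]
    return out


def hide_password(password, secret, request_authenticator):
    """What the NAS does: zero-pad to a multiple of 16 (at least 16) and obscure."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    return _md5_xor_chain(padded, secret, request_authenticator, chain_on_output=True)


def unhide_password(hidden, secret, request_authenticator):
    """What the server does with the Client clause's secret; a wrong secret gives garbage, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    return _md5_xor_chain(hidden, secret, request_authenticator, chain_on_output=False).rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def ms_vsa(vtype, value):
    """Vendor-Specific attribute carrying one Microsoft sub-attribute (RFC 2548 layout)."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", VENDOR_MICROSOFT, vtype, len(value) + 2) + value)


def access_request(ident, authenticator, attrs):
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_request(packet):
    """Return (Request Authenticator, {attribute name: raw value}) for an Access-Request."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_MICROSOFT:
            vtype, vlen = value[4], value[5]
            attrs[MS_NAMES.get(vtype, "MS-Attr-%d" % vtype)] = value[6:4 + vlen]
        else:
            attrs[ATTR_NAMES.get(atype, "Attr-%d" % atype)] = value
        pos += alen
    return packet[4:20], attrs


def auth_scheme(attrs):
    """Heikki's rule: User-Password present means PAP; MS-CHAP-Challenge without it means MS-CHAP."""
    if "User-Password" in attrs:
        return "PAP"
    if "MS-CHAP-Challenge" in attrs:
        return "MS-CHAPv2" if "MS-CHAP2-Response" in attrs else "MS-CHAP"
    return "unknown"


NAS_SECRET = b"radius_secret"        # constructed: the secret the Fortigate is configured with
WRONG_SECRET = b"different_secret"   # constructed: the secret in a non-matching Client clause
REQUEST_AUTH = bytes(range(16))      # fixed for reproducibility; a real NAS sends 16 random octets


def demo():
    """Build the two kinds of request seen in the thread and process them server-side."""
    pap = access_request(0x21, REQUEST_AUTH,
                         attr(USER_NAME, b"29030pretend")
                         + attr(USER_PASSWORD, hide_password(b"gulash", NAS_SECRET, REQUEST_AUTH))
                         + attr(NAS_IDENTIFIER, b"Fortinet_RTR"))
    ra, attrs = parse_request(pap)
    with_right = unhide_password(attrs["User-Password"], NAS_SECRET, ra)
    with_wrong = unhide_password(attrs["User-Password"], WRONG_SECRET, ra)
    mschap = access_request(0x22, REQUEST_AUTH,
                            attr(USER_NAME, b"29030pretend")
                            + ms_vsa(MS_CHAP_CHALLENGE, b"\x01" * 16)
                            + attr(NAS_IDENTIFIER, b"Fortinet_RTR"))
    return auth_scheme(attrs), with_right, with_wrong, auth_scheme(parse_request(mschap)[1])
```

demo() returns ("PAP", b"gulash", <16 random-looking octets>, "MS-CHAP"): the same hidden attribute unhides to the real password under the matching secret and to unrelated bytes under the other one. Plain PAP gives the server no way to notice the mismatch; if the NAS includes Message-Authenticator (RFC 2869), the server can reject a request whose HMAC does not verify under the configured secret instead of passing garbage to the backend. This example does not implement that check.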
Re: [RADIATOR] SIP2 + Fortigate setup
Thanks Heikki ~ there is an option to change the authentication scheme. I changed it to PAP as you suggest.

Now it appears as though the fortigate is sending the password encrypted ...Ex:

Test credentials:
    user: 29030pretend
    pass: gulash

Server output excerpt:

    DEBUG: SIP2 send '2300020140219141804AO|AA29030pretend|ACterminal password|AD�$.%�6Է!H�'

In looking at the docs, I see several encryption/decrypt options ...what do I include in my config to allow Radiator to decrypt this password?

Thank you!
Chad

On Sat, Feb 15, 2014 at 12:32 AM, Heikki Vatiainen h...@open.com.au wrote:
> On 02/15/2014 02:42 AM, Chad Roseburg wrote:
>> I have an evaluation version of Radiator 4.12.1. I need to set up a web captive portal on a Fortigate 60D that uses SIP2 authentication. The SIP2 part works ...tests successful:
>
> Hello Chad,
>
> radpwtst uses PAP with the options you have specified and sends User-Password which can be then used with AuthBy SIP2.
>
> However, it looks like the Fortigate is trying to do MS-CHAP instead of PAP. With MS-CHAP there is no password, only a challenge and response, and for this reason it does not work. Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is tried. There should be an MS-CHAP-Response too with the attributes, but maybe you have left that out. These two attributes are used by MS-CHAP.
>
> See if there's 'Authentication Scheme', I think this is the option in Fortigate, or something similar that has been set to MS-CHAP or defaults to MS-CHAP. There should be an option to switch it to PAP.
>
> Please let us know if the above helps.
>
> Thanks,
> Heikki
>
>> Ex. perl radpwtst -noacct -user 29030pretend -password secrets
>>
>> [...]
>
> --
> Heikki Vatiainen h...@open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

--
Chad Roseburg
Automation Dept.
North Central Regional Library
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] SIP2 + Fortigate setup
I have an evaluation version of Radiator 4.12.1. I need to set up a web captive portal on a Fortigate 60D that uses SIP2 authentication. The SIP2 part works ...tests successful:

Ex.

    perl radpwtst -noacct -user 29030pretend -password secrets
    sending Access-Request...
    OK

On RADIUS server I see:

    Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214 160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
    Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24 00020140214 160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
    Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend [29030pretend]
    Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT

But the second part is that I need to connect the fortigate to the RADIUS server. I add the fortigate as a client in the config using IP and a 'Secret'.

Here's some edited output when I test from the fortigate using the same creds:

    Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214 162344AONCRL|AA29030pretend|ACterminal password|AD|'
    Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24 00020140214 162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
    Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password: 29030002429839 [29030002429839]
    Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password

It looks like it's not sending the password. Also, at the top of the transmission there's mention of an MS-CHAP-Challenge:

    Attributes:
        NAS-Identifier = Fortinet_RTR
        MS-CHAP-Challenge = b1372381464165145.9229163j129220M
        Acct-Session-Id = 0021
        Connect-Info = test
        Fortinet-Vdom-Name = root

This is the Client config:

    <Client 192.x.x.99>
        Secret secretspass
        DupInterval 0
    </Client>

Thanks for any advice!

--
Chad
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator