Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-25 Thread Hugh Irvine

Hello Chris -

Thanks for letting us know.

regards

Hugh


On 26 Jul 2014, at 03:50, Christopher Chance  wrote:


Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-25 Thread Christopher Chance
Removing the synchronous did in fact fix the problem for some reason! Thanks!

Best regards,
 
Chris Chance
Network Engineer - CaribServe

Phone: +1 721 542-4233
Email:   ccha...@newtechgrp.com


-Original Message-
From: Hugh Irvine [mailto:h...@open.com.au] 
Sent: Thursday, July 24, 2014 6:49 PM
To: Christopher Chance
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)



Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-24 Thread Hugh Irvine

Hello Chris -

The other difference between what I sent and what you are doing is your use of 
Synchronous in the AuthBy RADIUS clause.

In my suggestion I have removed it, and we think it is this that is causing the 
problem for some reason.

> 
> # this proxies to the machine that can then proxy to OTHERSITE NPS
> # strongly suggest you don't use Synchronous
> 
> 
>
>StripFromRequest ConvertedFromEAPMSCHAPV2
>Host 192.168.125.236
>Secret x
>AuthPort 1812
>AcctPort 1813
>Retries 2
>AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
>
> 



You might also want to upgrade to the latest Radiator 4.13.

FYI - we had another site that was having problems with NTLM and it was 
resolved by my suggestion to have Radiator proxy to NPS.

hope that helps

regards

Hugh



On 25 Jul 2014, at 04:23, Christopher Chance  wrote:


Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-24 Thread Christopher Chance
Got to work and was looking at it, and basically you're doing the same thing I 
am, though the MYSITE RADIUS isn't needed as there's nothing wrong with the 
MYSITE NTLM; it works fine.

As for the OTHERSITE... that's exactly how it is now, except instead of 
Microsoft NPS the other side is a Radiator that authenticates via NTLM on the 
secondary domain...

The problem is when that second Radiator responds to this Radiator with the 
Access-Accept, this Radiator, as you can see in the logs, does a bunch of EAP 
challenges but never builds the final Access-Accept, from what I can see, for the 
client wifi device... and the client device hangs.

The logs I included: the good one was local NTLM auth that authenticates and 
sends the client an Access-Accept.

The bad one that hangs was Radiator sending the RADIUS MSCHAPv2 inner request 
to the second Radiator and getting the Access-Accept from that Radiator, and 
then it does some EAP challenges and just hangs.

Don't really want to switch from Linux Radiator to NPS as the ESX we're running 
this on is tight on resources currently for another Windows VM, especially 
since it's only basically standing in as a RADIUS-MSCHAPv2->NTLM proxy.


-Original Message-
From: Hugh Irvine [mailto:h...@open.com.au] 
Sent: Wednesday, July 23, 2014 9:43 PM
To: Christopher Chance
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)



Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-23 Thread Christopher Chance
How does this differ from what I'm already doing? The primary domain is 
working; the secondary domain is getting a response from the other RADIUS after 
the second RADIUS polls NTLM... it responds with an Access-Accept, but for some 
reason the main server gets the accept but then the EAP challenge somehow 
doesn't work...


Sent from my Windows Phone

From: Hugh Irvine <h...@open.com.au>
Sent: 7/23/2014 9:45 PM
To: Christopher Chance <ccha...@newtechgrp.com>
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)



Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-23 Thread Hugh Irvine

Hello Chris -

OK - this is what I had imagined.

What I would suggest is running Microsoft NPS on each domain, then just proxy 
the inner requests to the corresponding NPS.

In this case the inner requests are just straight MSCHAP-V2.

Something like this:


Foreground
LogStdout
LogDir /etc/radiator/log/
DbDir /etc/radiator
PidFile %L/radiusd.pid
DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
Trace 4
AuthPort 1812
AcctPort 1813


Secret xxx
Identifier Ruckus




StripFromRequest ConvertedFromEAPMSCHAPV2
Host ….
Secret ….
AuthPort …..
AcctPort …..
AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52





StripFromRequest ConvertedFromEAPMSCHAPV2
Host …..
Secret ….
AuthPort …..
AcctPort …..
AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52



# this proxies to the machine that can then proxy to OTHERSITE NPS
# strongly suggest you don’t use Synchronous



StripFromRequest ConvertedFromEAPMSCHAPV2
Host 192.168.125.236
Secret x
AuthPort 1812
AcctPort 1813
Retries 2
AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn





EAPType MSCHAP-V2
EAP_PEAP_MSCHAP_Convert 1





  CachePasswordExpiry 3600
  Filename %D/users_anon
  EAPType PEAP,TLS,TTLS
  EAPTLS_PrivateKeyPassword whatever
  EAPTLS_CAFile /etc/radiator/certs/ca.pem
  EAPTLS_CertificateFile /etc/radiator/certs/server.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile /etc/radiator/certs/server.pem
  EAPTLS_PEAPVersion 0
  EAPTTLS_NoAckRequired
  UsernameMatchesWithoutRealm
  AutoMPPEKeys




regards

Hugh


On 24 Jul 2014, at 11:08, Christopher Chance  wrote:


Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-23 Thread Christopher Chance
2 domains are on 2 separate VLANs... for authentication I'm filtering it by the 
handler: Domain1\myuser, Domain2\myuser. If domain1, then process it via NTLM 
locally; if the second domain, forward to the secondary RADIUS that has an 
interface on domain2 and is part of domain2's domain.

This is being done so that my wireless in my office can accept both logins and 
sort users to the correct VLAN based on their credentials: if a user logs in 
with Domain1\user then they get sent to VLAN 2; if they get on as domain2\user 
they log in to VLAN 3, for instance.

We have an office with different companies but want to simplify our wireless 
(at least at the user level) so that it is 1 wireless network via WPA2 
Enterprise (802.1x EAPs)... hence what I'm trying to do above.

Originally I was going to have the main RADIUS server just filter by domains 
and send an LDAP2 request to domain1 or domain2's DC, but since LDAP2 doesn't 
work with MSCHAPv2 I had to go the NTLM way.

And yes, the Linux version is what we're using as we plan to use the RADIUS for 
some other things too, but Windows was giving us some headaches; but that's a 
different story for a different day.

Hope I've explained :S

Chris

From: Hugh Irvine [h...@open.com.au]
Sent: Wednesday, July 23, 2014 8:07 PM
To: Christopher Chance
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)



--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
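The per-domain routing Chris describes in the message above (Domain1\user handled locally via NTLM, Domain2\user proxied to the second RADIUS server, each landing in its own VLAN) and the VLAN-assigning AddToReply line in Hugh's config, as an added Python example that is not from the thread and not Radiator code. The routing table and backend names are assumptions; only the VLAN 2 / VLAN 3 split and the attribute names come from the thread, and the decoder applies the RFC 2868 tag rules an AP would apply to the reply.

```python
# Added example, not code from the thread or from Radiator. It models the
# per-domain routing Chris describes (Domain1\user handled locally via NTLM,
# Domain2\user proxied to the second RADIUS) and builds the RFC 2868 tunnel
# attributes that Hugh's AddToReply line sets so the AP puts the user in the VLAN.

# Attribute numbers (RFC 2868) and values (RFC 3580) behind
# "AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn"
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13    # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6    # Tunnel-Medium-Type "IEEE-802"

# Constructed routing table standing in for the Handler clauses. Backend names
# are placeholders; the VLAN 2 / VLAN 3 split is the one Chris describes.
BACKENDS = {
    "DOMAIN1": {"backend": "local-ntlm", "vlan": 2},
    "DOMAIN2": {"backend": "radius2.domain2.example", "vlan": 3},
}

def split_domain_user(user_name):
    """Split NT-style 'DOMAIN\\user' or 'user@realm' into (DOMAIN, user);
    (None, user_name) when either part is missing."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
    elif "@" in user_name:
        user, _, domain = user_name.rpartition("@")
    else:
        return None, user_name
    if not domain or not user:
        return None, user_name
    return domain.upper(), user

def route(user_name):
    """Pick the backend for the inner MSCHAPv2 request. Unknown or missing
    domains return None (reject) instead of falling through to a default."""
    domain, user = split_domain_user(user_name)
    if domain is None or domain not in BACKENDS:
        return None
    entry = BACKENDS[domain]
    return {"domain": domain, "user": user,
            "backend": entry["backend"], "vlan": entry["vlan"]}

def _check_tag(tag):
    if not 0 <= tag <= 0x1F:          # RFC 2868: valid tags are 0x00..0x1F
        raise ValueError("tag out of range")

def encode_tagged_integer(attr_type, tag, value):
    """Tagged integer AVP: Type, Length (6), Tag, 3-octet big-endian value."""
    _check_tag(tag)
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")

def encode_tagged_string(attr_type, tag, text):
    """Tagged string AVP: Type, Length, Tag, string octets (255 octets in all)."""
    _check_tag(tag)
    data = bytes([tag]) + text.encode("ascii")
    if len(data) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([attr_type, len(data) + 2]) + data

def vlan_reply_attributes(vlan_id, tag=1):
    """The three AVPs the AddToReply line produces for one VLAN."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

def decode_attributes(data):
    """Parse a run of AVPs into (type, tag, value) tuples, as the AP would.
    Applies the RFC 2868 rule that a first octet above 0x1F in
    Tunnel-Private-Group-ID is not a tag but the first byte of the string."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attr_type, length = data[i], data[i + 1]
        body = data[i + 2:i + length]
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 octets")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if body and body[0] <= 0x1F:
                out.append((attr_type, body[0], body[1:].decode("ascii")))
            else:
                out.append((attr_type, 0, body.decode("ascii")))
        else:
            out.append((attr_type, None, bytes(body)))
    return out

def build_reply(user_name):
    """Route the user and return (backend, reply AVP bytes), or None on reject."""
    decision = route(user_name)
    if decision is None:
        return None
    return decision["backend"], vlan_reply_attributes(decision["vlan"])
```

A request whose User-Name carries no known domain is rejected by route() rather than sent to a default backend, which is the check that keeps a stray realm from landing in another company's VLAN.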


Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-23 Thread Hugh Irvine

Hello Chris -

Could you please explain in detail what exactly you are trying to accomplish?

It sounds like you are authenticating against Active Directory but you are 
running Radiator on Linux?

Can you tell us how you differentiate between the 2 domains?

We can make better suggestions if we clearly understand the problem.

regards

Hugh


On 24 Jul 2014, at 03:30, Christopher Chance  wrote:



[RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-23 Thread Christopher Chance
Let me just say I got 802.1x working with PEAP/MSCHAPv2 -> NTLM 
authentication.

The issue is we have 2 domains on our network and want to be able to have the 
single 802.1x authentication, sorted by domain, authenticate and return the 
correct VLAN for the user... I couldn't figure out a way to do it with LDAP2, as 
apparently LDAP2 doesn't like MSCHAPv2/PEAP, only PAP, for whatever reason... So 
NTLM I went to, and it works, but that meant I had to join the Linux server to 
the domain, and only 1 domain per server.

To solve this I followed someone's recommendation to have a second RADIUS 
server (VM) that's on the other domain that just checks domains, and the first 
server will proxy the request to it... simple enough...

The issue is it doesn't work: the secondary RADIUS sends the Access-Accept, but 
for some reason the main server doesn't seem to handle the challenge/accept 
process correctly anymore and the sign-in process just hangs on the wireless...

So now I'm 110% lost and don't know what else could be the issue...

If you can take a look at this and help me out it would be greatly appreciated, 
as to where I'm going wrong.

Good login with primary server doing NTLM: http://pastebin.com/Vimm88Ya
Login that's hanging being processed from remote Radius: 
http://pastebin.com/Lj3MCset

Config is http://pastebin.com/UCr2vMdk

Thanks,
Chris