On 02/15/2014 02:42 AM, Chad Roseburg wrote:
> I have an evaluation version of Radiator 4.12.1. I need to set up a web
> captive portal on a Fortigate 60D that uses SIP2 authentication.
> 
> The SIP2 part works ...tests successful:

Hello Chad,

radpwtst uses PAP with the options you have specified and sends
User-Password which can be then used with AuthBy SIP2.

However, it looks like the Fortigate is trying to do MS-CHAP instead of
PAP. With MS-CHAP there is no password, only a challenge and response,
and for this reason it does not work.

Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is
tried. There should be a MS-CHAP-Response too with the attributes, but
maybe you have left that out. These two attributes are used by MS-CHAP.

See if there's 'Authentication Scheme', I think this is the option in
Fortigate, or something similar that has been set to MS-CHAP or defaults
to MS-CHAP. There should be an option to switch it to PAP.

Please let us know if the above helps.

Thanks,
Heikki


> Ex.
> perl radpwtst -noacct -user 29030pretend -password secrets
> sending Access-Request...
> OK
> 
> On RADIUS server I see:
> -------------------------------------
> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214  
>  160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
> Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24              00020140214
>    160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
> Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend
> [29030pretend]
> Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
> 
> But the second part is that I need to connect the fortigate to the
> RADIUS server. I add the fortigate as a client in the config using IP
> and a 'Secret'
> 
> Here's some edited output when I test from the fortigate using the same
> creds:
> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214  
>  162344AONCRL|AA29030pretend|ACterminal password|AD|'
> Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24              00020140214
>    162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
> Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password:
> 29030002429839 [29030002429839]
> Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password
> 
> It looks like it's not sending the password. Also, at the top of the
> transmission there's mention of a MS-CHAP-Challenge:
> Attributes:
>         NAS-Identifier = "Fortinet_RTR"
>         MS-CHAP-Challenge =
> b<137><238><146>4<165><145>.9<229><163>j<129>"<220>M
>         Acct-Session-Id = "00000021"
>         Connect-Info = "test"
>         Fortinet-Vdom-Name = "root"
> 
> This is the Client config:
> <Client 192.x.x.99>
>         Secret  secretspass
>         DupInterval 0
> </Client>
> 
> Thanks for any advice!
> 
> -- 
> Chad
> 
> 
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> 


-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
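
An added example (not part of the original thread and not Radiator code): a small Python parser that classifies a RADIUS Access-Request as PAP or MS-CHAP from the attributes it carries, which is the check described in the reply above. Attribute numbers are from RFC 2865 and RFC 2548; the function names and the zero-filled sample packets are constructed for illustration.

```python
import struct

MS_VENDOR = 311  # Microsoft enterprise number used by the RFC 2548 attributes
MS_TYPES = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}
STD_TYPES = {2: "User-Password", 3: "CHAP-Password", 79: "EAP-Message"}

def attribute_names(packet: bytes) -> set:
    """Names of the authentication-related attributes present in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    names, pos = set(), 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:  # Vendor-Specific: vendor id, type, len
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR and vtype in MS_TYPES:
                names.add(MS_TYPES[vtype])
        elif atype in STD_TYPES:
            names.add(STD_TYPES[atype])
        pos += alen
    return names

def auth_method(packet: bytes) -> str:
    """PAP is the only method here that gives the server a recoverable password."""
    names = attribute_names(packet)
    if "EAP-Message" in names:
        return "EAP"
    if names & set(MS_TYPES.values()):
        return "MS-CHAP"
    if "CHAP-Password" in names:
        return "CHAP"
    return "PAP" if "User-Password" in names else "unknown"

# Constructed sample packets (zero-filled values, not captured traffic).
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value
def ms_vsa(vtype, value):
    return attr(26, struct.pack("!I", MS_VENDOR) + bytes([vtype, len(value) + 2]) + value)
def access_request(attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

USER = attr(1, b"29030pretend")
PAP_REQ = access_request([USER, attr(2, bytes(16))])
MSCHAP_REQ = access_request([USER, ms_vsa(11, bytes(16)), ms_vsa(1, bytes(50))])
```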