View the full version : Chance for RADIUS Server on the router itself!



Dante_
10-11-2004, 14:05
There is a firmware for WRT54G available online which includes a RADIUS server...
http://www.tinypeap.com/
Oleg.. Check this out please...

Oleg
10-11-2004, 14:31
I have not found download link for the sources...

Antiloop
10-11-2004, 14:43
seems to be integrated in sveasuxt firmware

and perhaps sveasoft is not interested in publishing a GPL tarball of their firmware, because they(he) don't give a shit about GPL

jbrbv
10-11-2004, 22:03
seems to be integrated in sveasuxt firmware

and perhaps sveasoft is not interested in publishing a GPL tarball of their firmware, because they(he) don't give a shit about GPL

From the TinyPeap web page:
"tinyPEAP itself is not really the firmware since it can be added to any firmware, but a very small RADIUS server."
There is also a win32 binary.

Styno
11-11-2004, 08:54
Binaries are useless, as the WL500g is an embedded environment which tends to have its own binary format (libc/ulib versions etc.). The biggest chance of getting this to work on the WL-500g is to get the source code and compile it yourself.

Antiloop
11-11-2004, 09:50
Binaries are useless, as the WL500g is an embedded environment which tends to have its own binary format (libc/ulib versions etc.). The biggest chance of getting this to work on the WL-500g is to get the source code and compile it yourself.
indeed..

and I haven't seen Windows CE on my wl500g :D
to run the win32 binary....

jbrbv
16-11-2004, 22:54
indeed..

and I haven't seen Windows CE on my wl500g :D
to run the win32 binary....
Does a win32 binary run on WindowsCE?

Have you tried Tiny peap?

Antiloop
17-11-2004, 00:32
Does a win32 binary run on WindowsCE?

Have you tried Tiny peap?

no / no sources are available..
and it seems i'm not the only one who can't find it ?

Dante_
17-11-2004, 00:50
what about trying freeRadius?

FreeRADIUS is the premiere open source RADIUS server. While detailed statistics are not available, we believe that FreeRADIUS is well within the top 5 RADIUS servers world-wide, in terms of the number of people who use it daily for authentication. It scales from embedded systems with small amounts of memory , to systems with millions of users. It is fast, flexible, configurable, and supports more authentication protocols than many commercial servers.

The server is released under the GNU General Public License (GPL)...

Styno
17-11-2004, 08:38
Damn you sound like some commercial guy :D

But anyway, you can try to compile freeRADIUS in order to get it to work on WL-500g. Do some tests (like number of users and memory usage). There have been other topics about authentication where ppl could've used a RADIUS server. So there's certainly a 'market' for this.

Antiloop
17-11-2004, 09:46
what about trying freeRadius?

FreeRADIUS is the premiere open source RADIUS server. While detailed statistics are not available, we believe that FreeRADIUS is well within the top 5 RADIUS servers world-wide, in terms of the number of people who use it daily for authentication. It scales from embedded systems with small amounts of memory , to systems with millions of users. It is fast, flexible, configurable, and supports more authentication protocols than many commercial servers.

The server is released under the GNU General Public License (GPL)...
agree with styno.. ;)

anyway have any links? (lazy to google..)

Oleg
17-11-2004, 09:48
openwrt guys are trying to get it running.

hugo
17-11-2004, 15:01
If it can be of any help, I have the binary from the wrt54g firmware. I know it might run under some circumstances, so I leave this to those who want to try it.

The tar file is non standard, and needs something better than the standard tar from wl 500 (I used winzip)

MrMagu
15-02-2005, 09:40
Any news regarding this?

tomilius
25-02-2005, 22:58
I'm extremely interested in this as well.


[thews@AsusRouter /tmp]$ peapd
Usage: peapd command [command_options...]
where command is one of:
run (runs the server) followed by:
-D (optional - runs the server as a daemon)
-I <address> (optional - binds the server to a specific
interface address
-E (optional - embedded mode)
only allows packets from self
*must* be used with -I
adduser (adds a user) followed by:
<username> (fill in the username here)
<password> (optional - fill in the password here)
passwd (edit user's password -- synonymous with 'adduser')
(see adduser, above)
if not provided, will prompt for password
deluser (deletes a user) followed by:
<username> (optional - fill in user to delete)
[thews@AsusRouter /tmp]$ peapd adduser Tommy
Enter new password:
Error opening /etc/peapd/peapd.conf
Assuming db is stored in nvram...
Error opening /etc/peapd/peapd.conf for writing
error reading config file /etc/peapd/peapd.conf
Error opening /tmp/peap_users
Assuming db is stored in nvram...
Segmentation fault
[thews@AsusRouter /tmp]$

OK.. well... looks like it COULD work. To get it to do that much on 1.9.2.7-3b I put libssl.so in /usr/local/lib (not a good idea since it won't fit in flash) and ran the following:


export LD_LIBRARY_PATH
LD_LIBRARY_PATH=/usr/local/lib

As far as I know it works. I mean, it RUNs as a server, or appears to, but I'm not sure how to test that. The configuration options just don't work. A new utility would have to be made for controlling those (that's what the web interface is for).

tomilius
28-02-2005, 22:40
BUMP... why is it that nobody is interested in this? It may well work without the sources, it's just that the user manipulation is dead. I can't test it because I don't have a USB filesystem but it seemed to run in "run" mode.

tomilius
23-03-2005, 06:47
BUMP... Well, after more extensive testing I got a segmentation fault at the authorization request of my Pocket PC. :( But... if this router could get a RADIUS server it would make it so secure and neat. I don't know why people don't agree :'(

Pirat
23-03-2005, 08:25
I'm interested in this!

silver71
23-03-2005, 12:08
http://www.lausch.at/radius.html

could it help ?

silver

xopr
23-03-2005, 15:03
It is quite difficult to find decent information for the TinyPEAP server, but with the windows binaries (http://www.tinypeap.com/bin/peapd-beta1.zip), complete configuration files and windows readme (http://www.tinypeap.com/page5.html), I managed the following:
I ran peapd adduser xopr mypass in windows, and it will add a line to peapusers.

I put all the files (peapusers, waKey.pem, waCert.pem) in the same folder on a flash disk, except the peapd.conf file, which has to be in the /etc/peapd/ dir. (which hasn't been made yet)
with VI I remove the blank lines and linefeeds (^M)

When everything is in place, I start the server, and try to connect wireless.
Console responds with:
Listening on 0.0.0.0, UDP port 1812
After a few packet exchanges, I get the username/password dialog.
After entering the correct data, I get:


---Received Packet---
Packet Size: 121
Code: 1
Ident: 0
Length: 121

Segmentation fault

So the segmentation problem is everywhere, and therefore it doesn't run correctly.


Also, I had to enter a wep key in the web interface, otherwise my ssid disappears completely
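The "---Received Packet---" lines above are the RADIUS header of the Access-Request the access point sent (Code 1 = Access-Request, Ident 0, Length 121), and the crash follows right after it. As an added example (not code from the thread, from tinyPEAP or from FreeRADIUS), this is how a RADIUS datagram is decoded while validating every wire-supplied length before it is used, so that a malformed or truncated packet is dropped instead of crashing the server. The sample packet, attribute values and the zeroed Request Authenticator are constructed for this example (a real request carries a random authenticator); the packet codes and attribute numbers are the RFC 2865 values.

```python
"""Added example: parse a RADIUS datagram with full length validation."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# RFC 2865 codes and a few attribute types (real values)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 79: "EAP-Message", 80: "Message-Authenticator"}
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)
MAX_LEN = 4096    # RFC 2865 upper bound on the Length field


class RadiusFormatError(ValueError):
    """Raised for a malformed packet; the caller drops it instead of crashing."""


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    length: int
    authenticator: bytes
    attributes: List[Tuple[int, bytes]]


def parse_radius(data: bytes) -> RadiusPacket:
    """Parse one UDP payload, checking each length before trusting it."""
    if len(data) < HEADER_LEN:
        raise RadiusFormatError("datagram shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not HEADER_LEN <= length <= MAX_LEN:
        raise RadiusFormatError(f"Length {length} outside 20..4096")
    if length > len(data):
        raise RadiusFormatError("Length claims more octets than were received")
    authenticator = data[4:HEADER_LEN]
    body = data[HEADER_LEN:length]   # octets beyond Length are padding: ignored
    attrs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise RadiusFormatError("truncated attribute header")
        a_type, a_len = body[pos], body[pos + 1]
        # attribute Length counts its own two header octets, so < 2 is invalid
        if a_len < 2 or pos + a_len > len(body):
            raise RadiusFormatError(f"attribute {a_type} has bad length {a_len}")
        attrs.append((a_type, body[pos + 2:pos + a_len]))
        pos += a_len
    return RadiusPacket(code, ident, length, authenticator, attrs)


def summarize(data: bytes) -> dict:
    """The fields peapd printed ('Packet Size', 'Code', 'Ident', 'Length') plus attributes."""
    pkt = parse_radius(data)
    return {"Packet Size": len(data), "Code": pkt.code,
            "Code Name": CODES.get(pkt.code, "unknown"),
            "Ident": pkt.identifier, "Length": pkt.length,
            "Attributes": [(ATTRS.get(t, t), v) for t, v in pkt.attributes]}


def build_access_request(identifier: int, authenticator: bytes,
                         attributes: List[Tuple[int, bytes]]) -> bytes:
    """Encode an Access-Request; used here only to construct sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    return struct.pack("!BBH", 1, identifier, HEADER_LEN + len(body)) + authenticator + body


# Constructed sample: the request an AP sends after the client answered the
# EAP Identity request. EAP-Message carries EAP Response(2)/Identity(1).
EAP_IDENTITY = struct.pack("!BBH", 2, 1, 5 + 4) + b"\x01" + b"xopr"
SAMPLE_REQUEST = build_access_request(0, bytes(16), [
    (1, b"xopr"),
    (4, bytes([192, 168, 1, 1])),
    (79, EAP_IDENTITY),
])
# Constructed malformed copies: first attribute length zeroed; datagram cut short
MALFORMED_ATTR = SAMPLE_REQUEST[:21] + b"\x00" + SAMPLE_REQUEST[22:]
TRUNCATED = SAMPLE_REQUEST[:30]


def is_well_formed(data: bytes) -> bool:
    try:
        parse_radius(data)
        return True
    except RadiusFormatError:
        return False


if __name__ == "__main__":
    print(summarize(SAMPLE_REQUEST))
    for name, pkt in (("zero attribute length", MALFORMED_ATTR), ("truncated", TRUNCATED)):
        print(name, "accepted" if is_well_formed(pkt) else "rejected")
```

The two malformed copies are the kind of input a parser that trusts the Length octets walks off the end of; here they are rejected with an exception the caller can log and discard.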

Oleg
23-03-2005, 16:09
Try contacting author directly and ask him if he is willing to provide package for inclusion to the firmware. Also ask for prerequisites, such as libraries, etc.
Using binary extracted from the firmware is not legal, unless license agreement allows that.

hugo
23-03-2005, 16:28
The binaries were not extracted from the firmware; they come directly from the author, who sent them to me.

tomilius
23-03-2005, 22:22
Yep, that segmentation fault is what I was talking about. I did exactly what you did, xopr. I contacted the e-mail address on the site yesterday and asked in the simplest way possible if they could please either release the source or a wl-500g version. No reply yet.

Either way, has anybody with a USB stick gotten free-radius to work on the router? I saw the ipk for it... It'd be nice if there was some way to shrink it down or maybe take the essential pieces from the source and fit them into the firmware for those of us too cheap/lazy to buy a USB flash device...

tomilius
23-03-2005, 22:48
OK, I'm sort of a newbie when it comes to this stuff but does this look like it would be of any use? Source code is available... pardon me if this will not work.

http://hostap.epitest.fi/hostapd/


hostapd: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator

hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators and RADIUS authentication server. The current version supports Linux (Host AP, madwifi, Prism54 drivers) and FreeBSD (net80211).

hostapd is designed to be a "daemon" program that runs in the background and acts as the backend component controlling authentication. hostapd supports separate frontend programs and an example text-based frontend, hostapd_cli, is included with hostapd.
Supported WPA/IEEE 802.11i/EAP/IEEE 802.1X features

* WPA-PSK ("WPA-Personal")
* WPA with EAP (with integrated EAP authenticator or an external RADIUS authentication server) ("WPA-Enterprise")
* key management for CCMP, TKIP, WEP104, WEP40
* WPA and full IEEE 802.11i/RSN/WPA2
* RSN: PMKSA caching, pre-authentication
* RADIUS accounting
* RADIUS authentication server with EAP

Supported EAP methods (integrated EAP authenticator and RADIUS authentication server)

* EAP-TLS
* EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)
* EAP-PEAP/GTC (both PEAPv0 and PEAPv1)
* EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)
* EAP-TTLS/EAP-MD5-Challenge
* EAP-TTLS/EAP-GTC
* EAP-TTLS/EAP-MSCHAPv2
* EAP-TTLS/MSCHAPv2
* EAP-TTLS/MSCHAP
* EAP-TTLS/PAP
* EAP-TTLS/CHAP
* EAP-SIM

Following methods are also supported, but since they do not generate keying material, they cannot be used with WPA or IEEE 802.1X WEP keying.

* EAP-MD5-Challenge
* EAP-MSCHAPv2
* EAP-GTC

Supported wireless cards/drivers

* Host AP driver for Prism2/2.5/3
* madwifi (Atheros ar521x)
* Prism54.org (Prism GT/Duette/Indigo)
* BSD net80211 layer (e.g., Atheros driver) (FreeBSD 6-CURRENT)

Oleg
24-03-2005, 08:39
Could someone give me a contact e-mail?
This binary also requires libcrypto.so, which is most likely the library made by broadcom. It's stripped in the wl500g builds, that's why it could segfault at some point.
I will then try to negotiate the things with author.

garimo
24-03-2005, 08:45
Either way, has anybody with a USB stick gotten free-radius to work on the router? I saw the ipk for it... It'd be nice if there was some way to shrink it down or maybe take the essential pieces from the source and fit them into the firmware for those of us too cheap/lazy to buy a USB flash device...

Thanks to Oleg it seems to me that freeradius is working out of the box.


radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /opt/etc/raddb/proxy.conf
Config: including file: /opt/etc/raddb/clients.conf
Config: including file: /opt/etc/raddb/snmp.conf
Config: including file: /opt/etc/raddb/eap.conf
Config: including file: /opt/etc/raddb/sql.conf
main: prefix = "/opt"
main: localstatedir = "/opt/var"
main: logdir = "/opt/var/spool/radius/log"
main: libdir = "/opt/lib"
main: radacctdir = "/opt/var/spool/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/opt/var/spool/radius/log/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd.pid"
main: bind_address = 192.168.1.1 IP address [192.168.1.1]
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/opt/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /opt/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/opt/var/spool/radius/log/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/opt/etc/raddb/huntgroups"
preprocess: hints = "/opt/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/opt/etc/raddb/users"
files: acctusersfile = "/opt/etc/raddb/acct_users"
files: preproxy_usersfile = "/opt/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/opt/var/spool/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/opt/var/spool/radius/log/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.1.1:1812
Listening on accounting 192.168.1.1:1813
Listening on proxy 192.168.1.1:1814
Ready to process requests.

This is WL-500g running latest Oleg Firmware 1.2.9.7CR4 with ipkg installed

tomilius
24-03-2005, 13:44
Ah, that's very good, though I hope it won't discourage attempts to get a smaller version running (free-radius is pretty hefty--won't even fit in ramfs without causing my router to reboot).

hugo
24-03-2005, 14:52
Could someone give me a contact e-mail?
This binary also requires libcrypto.so, which is most likely the library made by broadcom. It's stripped in the wl500g builds, that's why it could segfault at some point.
I will then try to negotiate the things with author.
I got all my binary from Takehiro at tinypeap@yahoo.com. He is responsive, but I don't know if he want's to share the source.

Oleg
24-03-2005, 17:21
I've sent him an email. Let's wait for the reply. :)

tomilius
31-03-2005, 00:52
My pen drive came in and I set it all up and I'm now trying to get freeradius working... I'm using a guide to set up PEAP and MSCHAPv2.

/opt/sbin/radiusd: can't load library 'libltdl.so.3'

Ah. libtool.

Alright, alright. I'll update when I get a clue.

tomilius
31-03-2005, 08:53
OK. Well, I figured it out mostly. My latest issue was that it would not notice or log authentication attempts at all (it wasn't getting them). I assume I did some SSL certificate stuff incorrectly. What a total pain. I didn't know XP SP2 doesn't support automatic authentication without a certificate. Ridiculous. I'm happier with a secure password...

Or an easier way like tinypeap and a simple XP client :-D

tomilius
01-04-2005, 00:43
Well, I've been unable to give up. I actually got PEAP fully working about twice, but it was extremely difficult to do so. For the majority of the time, the requests never even get through to freeradius.

[admin@AsusRouter root]$ radiusd -y -z -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /opt/etc/raddb/proxy.conf
Config: including file: /opt/etc/raddb/clients.conf
Config: including file: /opt/etc/raddb/snmp.conf
Config: including file: /opt/etc/raddb/eap.conf
Config: including file: /opt/etc/raddb/sql.conf
main: prefix = "/opt"
main: localstatedir = "/opt/var"
main: logdir = "/var/spool/radius/log"
main: libdir = "/opt/lib"
main: radacctdir = "/var/spool/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/spool/radius/log/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/opt/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /opt/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/spool/radius/log/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/opt/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/opt/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/opt/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/opt/etc/raddb/certs/dh"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/opt/etc/raddb/huntgroups"
preprocess: hints = "/opt/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/opt/etc/raddb/users"
files: acctusersfile = "/opt/etc/raddb/acct_users"
files: preproxy_usersfile = "/opt/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/spool/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/spool/radius/log/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.

tomilius
01-04-2005, 06:53
OK. Um. I worked that out, but I don't think anybody cares how (and it wasn't something simple that would make somebody go "duh" either, unfortunately).

I'm now trying to get authentication using etc_smbpasswd working. When I have the Windows XP computers automatically send their user names and passwords with NTLM encryption, they send their "domains" too ("THOMAS\Tommy", "CYNTHIA\Cindy"). With with_ntdomain_hack on (or with hints), etc_smbpasswd locates the user correctly and finds everything to be in order. With it off, it doesn't. Having the DEFAULT realm redirect everything to local and having realm ntdomain on in radiusd.conf, it successfully seems to strip the domain, but etc_smbpasswd apparently does not receive the stripped version because it can't find it.

Of course, using THOMAS\Tommy in smbpasswd, it works. This is undesirable.

UPDATE:
Oh boy. It shouldn't have been so difficult. Anyway, my final solution was to format smbpasswd more simply (User:NTLM Password) and update etc_smbpasswd to reflect that (I had done that MUCH earlier because etc_smbpasswd was having no luck at all without doing that). For my latest big issue, I decided to make a second etc_smbpasswd: etc_smbpasswd_with_domain. So it looks like this:

passwd etc_smbpasswd {
filename = /opt/etc/smbpasswd
format = "*User-Name:NT-Password"
authtype = MS-CHAP
hashsize = 100
ignorenislike = no
allowmultiplekeys = no
}

passwd etc_smbpasswd_with_domain {
filename = /opt/etc/smbpasswd
format = "*Stripped-User-Name:NT-Password"
authtype = MS-CHAP
hashsize = 100
ignorenislike = no
allowmultiplekeys = no
}

My "smbpasswd" (far from it now) looks like this:

# Sample smbpasswd file.
# To use this, set 'encrypt passwords = yes' in the [global]-section
# of /etc/smb.conf
Tommy:NTLMPASS
Connie:NTLMPASS
PocketPC:NTLMPASS

I'll write up a full guide on everything I had to do to get PEAP-MSCHAPv2 working eventually. It's nice though.

Oleg
04-04-2005, 20:55
I've sent him an email. Let's wait for the reply. :)
I've sent two emails to tinypeap@yahoo.com. And I've got no reply so far. He is probably not interested in this, so he has decided to ignore my mails.
For me it looks like I should not spend my time anymore trying to get an answer... If anyone needs this - try contacting this guy...

tomilius
04-04-2005, 23:34
I've tried contacting him once before. No reply. I thought maybe your famousness would nudge him, Oleg. Maybe he's just a silent type who has already begun working on a WL-500g version... but I doubt it.

NOTE: Freeradius has been proven to work functionally--for me :). There have been some troubles getting it to work in anything other than the "debug" single process mode, but it may just be my newbieness. Point is, we've got a fully-working RADIUS server for the WL-500g with client certificates and happiness or PEAP with MSCHAPv2 for those who want to use Windows XP with it... and junk. Yay.

phedny
09-06-2005, 10:12
I'll write up a full guide on everything I had to do to get PEAP-MSCHAPv2 working eventually. It's nice though.

Any luck on that? ;)

I have been working on FreeRADIUS too, but not with much luck.
First, I installed the freeradius ipk and started working on things.

I now came to the point where my WinXP notebook keeps switching back and forth between "Verifying identity" and "Obtaining network address".

Both, the screen output of "radiusd -X" and the WinXP behaviour tell me that authentication succeeds:


modcall[authenticate]: module "eap" returns ok for request 30
modcall: group authenticate returns ok for request 30
PEAP: Tunneled authentication was successful.
rlm_eap_peap: SUCCESS
modcall[authenticate]: module "eap" returns handled for request 30
modcall: group authenticate returns handled for request 30


However, for some reason WinXP tries to authenticate again after a couple of seconds of trying to DHCP into my network.

Edit: well, changing my WinXP to use TKIP instead of AES did the trick. It now says "Connected" and it's actually working :)

tomilius
09-06-2005, 10:27
How very unusual... TKIP works but not AES? That sounds odd.

I would help you but sounds like you solved the problem--plus I don't deal with wireless much more except for with my Pocket PC which can only use TKIP anyway. I had plenty of problems with freeradius and Windows XP SP2 until I started using Odyssey Client (a trial), but then later I tried it with Windows XP SP2's built-in stuff again and it worked. Hmmmm. "Dodgy."

kvborg
16-06-2005, 14:52
Well, I've been unable to give up. I actually got PEAP fully working about twice, but it was extremely difficult to do so. For the majority of the time, the requests never even get through to freeradius.


WL500gx, 128M usb storage, 64m loop mounted ext, freeradius_1.0.2-2_mipsel.ipk
Everything working/authenticating fine when in foreground or debugging, PEAP working, NTradPing working, but in daemon mode it doesn't listen:

[admin@(none) /]$ /opt/etc/init.d/S55freeradius

134 admin 528 S -sh
176 admin 3000 S /opt/sbin/radiusd
177 admin 3000 S /opt/sbin/radiusd
178 admin 3000 S /opt/sbin/radiusd
184 admin 384 R ps

cat /var/spool/radius/log/radius.log
Thu Jun 16 13:29:43 2005 : Info: Using deprecated naslist file. Support for this will go away soon.
Thu Jun 16 13:29:43 2005 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?

.. ends here, no success line

Can somebody help?

tomilius
16-06-2005, 22:19
I never did get that working. I just run it in debug mode with & at the end... I use a lot of switches actually.


/opt/sbin/radiusd -y -z -X -A > /opt/radiusd.log &

But you can take out the "> /opt/radiusd.log " if you want.

kvborg
17-06-2005, 11:55
log is exactly the same as yours previously posted in this thread.
tnx

phedny
17-06-2005, 16:48
I updated my S55freeradius to make the last line look like this:

/opt/sbin/radiusd -s &

kvborg
18-06-2005, 13:02
TNX, phedny :)

herrisom
20-06-2005, 14:40
I configured a freeradius server (on a USB memory stick and also externally on a server);
I then chose radius 802.1x as the authentication method, passing the IP of the radius server, port and secret; after rebooting the wl-500g box the AIR LED doesn't blink (it is always on) and wireless does not respond. Then even the IP is not dynamically allocated and of course no radius authentication ...

I'm trying to use radius auth with wl-500g. Was somebody able to do that ?

Thanks a lot for any suggestion

tomilius
20-06-2005, 22:48
Yes, they were... Some searching would have done you some good, I'd think.

I haven't messed with my router in days now. And I feel at least a little happier overall :). I'll give you some clues as to what to search for in relation to freeradius:
post-boot
nas
start-nas

Searching for some of those in relation to freeradius should help you find out what needs to be done... or maybe somebody can explain it (again) if not.

herrisom
21-06-2005, 08:52
tomilius thanks a lot for your help

in fact, the AIR led is working now after I added WEP-encryption.
But I still have problems to set up PEAP under windows XP. I guess it is a certificate problem. This is not obvious for me. But I will try to find out a documentation ...

I have 2 questions:

1) isn't there a simple way (no WEP, no certificates ) to setup a simple radius authentication based on username/password?

2) is there any disconnection mechanism (an authenticated user is forced to get out after a time interval)? If yes, where can I find the radius attributes supported by wl500g?

tomilius
22-06-2005, 00:41
1) isn't there a simple way (no WEP, no certificates ) to setup a simple radius authentication based on username/password?
Nope. Not at all. We're lucky to have freeradius, but frankly none of it is simple. An actual radius server would cost a bundle though... Anyway, I got PEAP working once and had it use a samba list of users with NTLM authentication details. I installed the samba package, I think, in order to add samba users... The rest was just configuration, which shouldn't be too hard, as looking back it should be fairly simple compared to TLS and OpenSSL and all of that JUNK--I remember having a lot of problems with everything though, but I don't remember many details, sadly, and it may have just been my poor understanding of how any of it really worked coming into play and my poor luck at finding guides, though they do exist in the far realms of Google, even if they're not completely easy to find. I sort of ditched PEAP when I got to thinking that might make it a lot easier for people to guess/obtain my password, but with MAC address restrictions that shouldn't probably be that much of an issue, since somebody spoofing isn't likely anyway, and I don't believe brute forcing is easily possible with freeradius, but I wasn't sure/didn't think of that. Now that I DO think of it, I almost want to switch to PEAP... but nah. Everything is finally set up and working with TLS (actually, I just remembered--I stopped using wireless for everything but my Pocket PC, but it's working fine with TLS, despite the EXTREME DIFFICULTY--oh my GOSH--I had getting stuff converted to work with it and getting a certificate import utility, blah, that stuff took forever, wasn't actually that hard but tries one's patience). Yeah, so good luck with that.


2) is there any disconnection mechanism (an authenticated user is forced to get out after a time interval)? If yes, where can I find the radius attributes supported by wl500g?

That may be related to freeradius itself. You can set a WPA reauthentication interval, and use WPA... Then you could probably set up something with freeradius--as for radius attributes on the router, err, I doubt it. I'd Google that too.

Sorry I didn't exactly go out and fetch specific answers, but I'd like to stay away from actually manipulating the router (that much) now that it's actually working.

herrisom
08-08-2005, 14:26
Can anybody help me to install the module rlm_sql_mysql on the wl500g router?

Thanks a lot.

forevertheuni
24-04-2006, 18:06
Pardon me if I'm blind.. but no one posted a binary for freeradius, right? I'm using 1.9.2.7-7c from oleg. I wanted to put a freeradius in my wl500g because my freeBSD is not working right (linux is ok); I need to search in a ldap db... I'll need to compile it for myself, or is there any other way? Oh, other thing... will I need an external disk? (I'm using EAP-TTLS/EAP-TLS so I'm using certificates too)

Oleg
25-04-2006, 15:40
You have to use ipkg to install freeradius.

forevertheuni
25-04-2006, 19:49
but from source? or is there a package?

mnlg
17-05-2006, 11:06
Hello everyone, I'm sorry to bother you, but I have searched for some time and found no hints to solve my problem and I hope I can at least get pointed to the right place from some of you.

In short, my problem is that I would like to have freeradius fetch user/password information from my smbpasswd.

All of our domain users are registered on the smbpasswd file. I would like to use RADIUS to authenticate for other services, but I would prefer to use the same password repository, than setting up other user/password listings.

I can authenticate against /etc/passwd, but not against my smbpasswd. I have set up an entry for my smbpasswd in radiusd.conf.. but all my attempts are being rejected.

Before cluttering this forum with configuration snippets I would just like to know if what I am after is doable and if anyone has succeeded.

Thank you
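Both this question and tomilius's etc_smbpasswd configuration earlier in the thread come down to the same mechanism: the passwd module's format string names the colon-separated columns of the file, the column marked with `*` is the lookup key, and the key attribute must actually be present in the request. As an added example (not code from the thread, from FreeRADIUS or from Samba), the following re-implements just that format semantics in Python and shows why a User-Name of "THOMAS\Tommy" misses a file keyed by User-Name but hits one keyed by Stripped-User-Name, which is what the two-instance workaround above relies on. The two sample files, the placeholder NT hashes and the SAMBA_FORMAT string for a full Samba-layout smbpasswd (user:uid:LM:NT:[flags]:LCT:) are constructed assumptions for this example; the `~` and `=` field prefixes of the real module are not modelled.

```python
"""Added example: rlm_passwd-style format lookup against an smbpasswd file."""
from typing import Dict, Optional

# Constructed sample files. The NT hashes are placeholder hex, not real hashes;
# AAD3B435B51404EEAAD3B435B51404EE is the well-known LM hash of an empty password.
SIMPLE_SMBPASSWD = """# constructed: simplified User:NT-hash layout as in the post above
Tommy:0123456789ABCDEF0123456789ABCDEF
Connie:FEDCBA9876543210FEDCBA9876543210
"""
SAMBA_SMBPASSWD = """# constructed: Samba-layout lines (user:uid:LM:NT:[flags]:LCT-hex:)
tommy:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-00000000:
locked:1002:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:[UD         ]:LCT-00000000:
"""
# Assumed format for the Samba layout: '*' marks the key, empty names are ignored columns.
SAMBA_FORMAT = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"


class PasswdFile:
    """Minimal model of the passwd module: one '*' key column, named value columns."""

    def __init__(self, text: str, fmt: str) -> None:
        names = fmt.split(":")
        keys = [i for i, n in enumerate(names) if n.startswith("*")]
        if len(keys) != 1:
            raise ValueError("format needs exactly one '*' key field")
        self.key_index = keys[0]
        self.key_attr = names[keys[0]][1:]
        self.names = [n.lstrip("*") for n in names]
        self.entries: Dict[str, Dict[str, str]] = {}
        for lineno, line in enumerate(text.splitlines(), 1):
            if not line.strip() or line.startswith("#"):
                continue
            fields = line.split(":")
            if len(fields) != len(self.names):
                raise ValueError(f"line {lineno}: expected {len(self.names)} fields, got {len(fields)}")
            # unnamed (empty) columns are dropped; the rest become attributes
            self.entries[fields[self.key_index]] = {n: v for n, v in zip(self.names, fields) if n}

    def authorize(self, request: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Look the request up by the configured key attribute only."""
        key = request.get(self.key_attr)
        if key is None:
            return None
        return self.entries.get(key)


def make_request(user_name: str) -> Dict[str, str]:
    """Mimic 'realm ntdomain' with a backslash delimiter: DOMAIN\\user yields
    Stripped-User-Name=user; a bare name sets no Stripped-User-Name at all."""
    req = {"User-Name": user_name}
    if "\\" in user_name:
        req["Stripped-User-Name"] = user_name.split("\\", 1)[1]
    return req


def account_enabled(entry: Optional[Dict[str, str]]) -> bool:
    """Samba account-control flags: a 'D' inside the brackets means disabled.
    Added check for this example; a missing entry also counts as not enabled."""
    if entry is None:
        return False
    flags = entry.get("SMB-Account-CTRL-TEXT", "[U]")
    return "D" not in flags.strip("[]")


if __name__ == "__main__":
    by_name = PasswdFile(SIMPLE_SMBPASSWD, "*User-Name:NT-Password")
    by_stripped = PasswdFile(SIMPLE_SMBPASSWD, "*Stripped-User-Name:NT-Password")
    for user in ("Tommy", "THOMAS\\Tommy"):
        print(user, "by User-Name:", by_name.authorize(make_request(user)),
              "by Stripped-User-Name:", by_stripped.authorize(make_request(user)))
    samba = PasswdFile(SAMBA_SMBPASSWD, SAMBA_FORMAT)
    for user in ("tommy", "locked"):
        print(user, "enabled:", account_enabled(samba.authorize(make_request(user))))
```

Running it shows the asymmetry that motivated the two instances: a bare "Tommy" is found only through the User-Name-keyed file, and "THOMAS\Tommy" only through the Stripped-User-Name-keyed one, so a deployment that must accept both needs both. For the Samba layout, the NT hash column is what MS-CHAP needs, and the account-control flags give a cheap place to refuse disabled accounts before any challenge is answered.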