Page 3 of 4 (results 31 to 45 of 51)

Thread: Chance for RADIUS Server on the router itself!

  1. #31
    OK. Well, I figured it out mostly. My latest issue was that it would not notice or log authentication attempts at all (it wasn't getting them). I assume I did some SSL certificate stuff incorrectly. What a total pain. I didn't know XP SP2 supported no automatic authentication without a certificate. Ridiculous. I'm happier with a secure password...

    Or an easier way like tinypeap and a simple XP client :-D

  2. #32
    Well, I've been unable to give up. I actually got PEAP fully working about twice, but it was extremely difficult to do so. For the majority of the time, the requests never even get through to freeradius.

    [admin@AsusRouter root]$ radiusd -y -z -X -A
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /opt/etc/raddb/proxy.conf
    Config: including file: /opt/etc/raddb/clients.conf
    Config: including file: /opt/etc/raddb/snmp.conf
    Config: including file: /opt/etc/raddb/eap.conf
    Config: including file: /opt/etc/raddb/sql.conf
    main: prefix = "/opt"
    main: localstatedir = "/opt/var"
    main: logdir = "/var/spool/radius/log"
    main: libdir = "/opt/lib"
    main: radacctdir = "/var/spool/radius/radacct"
    main: hostname_lookups = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = "/var/spool/radius/log/radius.log"
    main: log_auth = no
    main: log_auth_badpass = no
    main: log_auth_goodpass = no
    main: pidfile = "/var/run/radiusd.pid"
    main: user = "(null)"
    main: group = "(null)"
    main: usercollide = no
    main: lower_user = "no"
    main: lower_pass = "no"
    main: nospace_user = "no"
    main: nospace_pass = "no"
    main: checkrad = "/opt/sbin/checkrad"
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = yes
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /opt/lib
    Module: Loaded exec
    exec: wait = yes
    exec: program = "(null)"
    exec: input_pairs = "request"
    exec: output_pairs = "(null)"
    exec: packet_type = "(null)"
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    pap: encryption_scheme = "crypt"
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    mschap: use_mppe = yes
    mschap: require_encryption = yes
    mschap: require_strong = yes
    mschap: with_ntdomain_hack = no
    mschap: passwd = "(null)"
    mschap: authtype = "MS-CHAP"
    mschap: ntlm_auth = "(null)"
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    unix: cache = no
    unix: passwd = "(null)"
    unix: shadow = "(null)"
    unix: group = "(null)"
    unix: radwtmp = "/var/spool/radius/log/radwtmp"
    unix: usegroup = no
    unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
    eap: default_eap_type = "peap"
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    gtc: challenge = "Password: "
    gtc: auth_type = "PAP"
    rlm_eap: Loaded and initialized type gtc
    tls: rsa_key_exchange = no
    tls: dh_key_exchange = yes
    tls: rsa_key_length = 512
    tls: dh_key_length = 512
    tls: verify_depth = 0
    tls: CA_path = "(null)"
    tls: pem_file_type = yes
    tls: private_key_file = "/opt/etc/raddb/certs/cert-srv.pem"
    tls: certificate_file = "/opt/etc/raddb/certs/cert-srv.pem"
    tls: CA_file = "/opt/etc/raddb/certs/demoCA/cacert.pem"
    tls: private_key_password = "whatever"
    tls: dh_file = "/opt/etc/raddb/certs/dh"
    tls: random_file = "/dev/urandom"
    tls: fragment_size = 1024
    tls: include_length = yes
    tls: check_crl = no
    tls: check_cert_cn = "(null)"
    rlm_eap: Loaded and initialized type tls
    peap: default_eap_type = "mschapv2"
    peap: copy_request_to_tunnel = no
    peap: use_tunneled_reply = no
    peap: proxy_tunneled_request_as_eap = yes
    rlm_eap: Loaded and initialized type peap
    mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    preprocess: huntgroups = "/opt/etc/raddb/huntgroups"
    preprocess: hints = "/opt/etc/raddb/hints"
    preprocess: with_ascend_hack = no
    preprocess: ascend_channels_per_line = 23
    preprocess: with_ntdomain_hack = no
    preprocess: with_specialix_jetstream_hack = no
    preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    realm: format = "suffix"
    realm: delimiter = "@"
    realm: ignore_default = no
    realm: ignore_null = no
    Module: Instantiated realm (suffix)
    Module: Loaded files
    files: usersfile = "/opt/etc/raddb/users"
    files: acctusersfile = "/opt/etc/raddb/acct_users"
    files: preproxy_usersfile = "/opt/etc/raddb/preproxy_users"
    files: compat = "no"
    Module: Instantiated files (files)
    Module: Loaded Acct-Unique-Session-Id
    acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
    detail: detailfile = "/var/spool/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    detail: detailperm = 384
    detail: dirperm = 493
    detail: locking = no
    Module: Instantiated detail (detail)
    Module: Loaded radutmp
    radutmp: filename = "/var/spool/radius/log/radutmp"
    radutmp: username = "%{User-Name}"
    radutmp: case_sensitive = yes
    radutmp: check_with_nas = yes
    radutmp: perm = 384
    radutmp: callerid = yes
    Module: Instantiated radutmp (radutmp)
    Listening on authentication *:1812
    Listening on accounting *:1813
    Listening on proxy *:1814
    Ready to process requests.
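The startup dump above is also a quick security audit of the server: it prints every effective setting, including the private key passphrase. The script below is an added example, not code from the thread or from FreeRADIUS; it parses `section: key = value` lines from such a dump and flags the settings a defender would revisit (authentication logging off, 512-bit key parameters, the sample `whatever` passphrase, CRL checking off). `SAMPLE_DUMP` is a constructed excerpt with the same lines as the post; `startup_completed()` checks for the final `Ready to process requests.` line that a log which stops at the module warnings never reaches.

```python
"""Audit a `radiusd -X` startup dump for settings a defender would revisit.

Added example, not code from the thread or from FreeRADIUS.  SAMPLE_DUMP is a
constructed excerpt with the same key/value lines as the dump posted above.
"""
import re
from typing import Callable, Dict, List, Tuple

SAMPLE_DUMP = """\
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: private_key_file = "/opt/etc/raddb/certs/cert-srv.pem"
tls: private_key_password = "whatever"
tls: check_crl = no
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
peap: default_eap_type = "mschapv2"
Listening on authentication *:1812
Ready to process requests.
"""

# Only 'section: key = value' lines (spaces around '=') are settings; module
# warnings such as the rlm_exec line above do not match and are skipped.
_SETTING_RE = re.compile(r'^\s*(?P<section>[\w-]+): (?P<key>\w+) = (?P<value>.*?)\s*$')


def parse_dump(text: str) -> Dict[str, str]:
    """Map 'section.key' to its value with surrounding quotes removed."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _SETTING_RE.match(line)
        if m:
            settings[f"{m['section']}.{m['key']}"] = m['value'].strip('"')
    return settings


def _is_no(v: str) -> bool:
    return v.lower() in ('no', '0', 'false')


def _below_2048(v: str) -> bool:
    return v.isdigit() and int(v) < 2048


# (setting, predicate that flags the value, why it matters)
CHECKS: List[Tuple[str, Callable[[str], bool], str]] = [
    ('main.log_auth', _is_no,
     'authentication results (Login OK / Login incorrect) are not written to radius.log'),
    ('main.log_auth_badpass', _is_no,
     'failed logins are not logged; needed to notice password guessing'),
    ('tls.rsa_key_length', _below_2048,
     'RSA key length below 2048 bits'),
    ('tls.dh_key_length', _below_2048,
     'DH parameter length below 2048 bits'),
    ('tls.private_key_password', lambda v: v == 'whatever',
     'placeholder passphrase from the sample eap.conf still in use (and echoed into this debug output)'),
    ('tls.check_crl', _is_no,
     'certificate revocation is not checked for EAP-TLS clients'),
]


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (setting, value, reason) for every check that fires."""
    settings = parse_dump(text)
    findings = []
    for name, flagged, reason in CHECKS:
        value = settings.get(name)
        if value is not None and flagged(value):
            findings.append((name, value, reason))
    return findings


def startup_completed(text: str) -> bool:
    """True when the dump reached the final ready line, i.e. the server got
    past configuration; a log that stops at the module warnings did not."""
    return 'Ready to process requests.' in text


if __name__ == '__main__':
    for name, value, reason in audit(SAMPLE_DUMP):
        print(f'{name} = {value}: {reason}')
    print('startup completed:', startup_completed(SAMPLE_DUMP))
```

Run it against a saved `radiusd -X` log (`python3 audit.py < radiusd.log` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`); because the dump contains the key passphrase, treat such logs as sensitive rather than pasting them whole into a forum.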

  3. #33
    OK. Um. I worked that out, but I don't think anybody cares how (and it wasn't something simple that would make somebody go "duh" either, unfortunately).

    I'm now trying to get authentication using etc_smbpasswd working. When I have the Windows XP computers automatically send their user names and passwords with NTLM encryption, they send their "domains" too ("THOMAS\Tommy", "CYNTHIA\Cindy"). With with_ntdomain_hack on (or with hints), etc_smbpasswd locates the user correctly and finds everything to be in order. With it off, it doesn't. Having the DEFAULT realm redirect everything to local and having realm ntdomain on in radiusd.conf, it successfully seems to strip the domain, but etc_smbpasswd apparently does not receive the stripped version because it can't find it.

    Of course, using THOMAS\Tommy in smbpasswd, it works. This is undesirable.

    UPDATE:
    Oh boy. It shouldn't have been so difficult. Anyway, my final solution was to format smbpasswd more simply (User:NTLM Password) and update etc_smbpasswd to reflect that (I had done that MUCH earlier because etc_smbpasswd was having no luck at all without doing that). For my latest big issue, I decided to make a second etc_smbpasswd: etc_smbpasswd_with_domain. So it looks like this:

    passwd etc_smbpasswd {
    filename = /opt/etc/smbpasswd
    format = "*User-Name:NT-Password"
    authtype = MS-CHAP
    hashsize = 100
    ignorenislike = no
    allowmultiplekeys = no
    }

    passwd etc_smbpasswd_with_domain {
    filename = /opt/etc/smbpasswd
    format = "*Stripped-User-Name:NT-Password"
    authtype = MS-CHAP
    hashsize = 100
    ignorenislike = no
    allowmultiplekeys = no
    }

    My "smbpasswd" (far from it now) looks like this:

    # Sample smbpasswd file.
    # To use this, set 'encrypt passwords = yes' in the [global]-section
    # of /etc/smb.conf
    Tommy:NTLMPASS
    Connie:NTLMPASS
    PocketPC:NTLMPASS

    I'll write up a full guide on everything I had to do to get PEAP-MSCHAPv2 working eventually. It's nice though.
    Last edited by tomilius; 01-04-2005 at 07:34.
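The "User:NT-Password" file above is keyed by the bare user name, so the domain that XP prepends ("THOMAS\Tommy") has to be stripped before the lookup, which is what the `Stripped-User-Name` variant of the passwd instance relies on. The script below is an added example, not the poster's or FreeRADIUS's code: it builds such a file from plaintext passwords (NT-Password is the MD4 digest of the UTF-16LE password; MD4 is implemented inline because `hashlib` often lacks it), mimics the `ntdomain` stripping, and verifies a credential against the file. The user names and passwords in `SAMPLE_FILE` are constructed.

```python
"""Build and query a 'User:NT-Password' file like the one used by the
etc_smbpasswd passwd instances above.  Added example, not from the thread;
MD4 is implemented here since hashlib's md4 is frequently unavailable."""
import hmac
import struct
from typing import Dict, Optional

_M = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (64-byte blocks, little-endian words and length)."""
    msg = bytearray(data) + b'\x80'
    while len(msg) % 64 != 56:
        msg += b'\x00'
    msg += struct.pack('<Q', (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, message word order, shifts)
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        v = state[:]
        for func, k, order, shifts in rounds:
            for i in range(16):
                # step i rotates through (a,b,c,d), (d,a,b,c), (c,d,a,b), (b,c,d,a)
                a, b, c, d = v[-i % 4], v[(1 - i) % 4], v[(2 - i) % 4], v[(3 - i) % 4]
                v[-i % 4] = _rotl((a + func(b, c, d) + x[order[i]] + k) & _M, shifts[i % 4])
        state = [(s + t) & _M for s, t in zip(state, v)]
    return struct.pack('<4I', *state)


def nt_hash(password: str) -> str:
    """NT-Password value: MD4 over the UTF-16LE password, upper-case hex."""
    return md4(password.encode('utf-16-le')).hex().upper()


def make_entry(user: str, password: str) -> str:
    """One line in the simplified 'User:NT-Password' format used above."""
    return f'{user}:{nt_hash(password)}'


def strip_nt_domain(user_name: str) -> str:
    """Mimic the realm 'ntdomain' stripping: 'THOMAS\\Tommy' -> 'Tommy'."""
    return user_name.rsplit('\\', 1)[-1]


def load_passwd_file(text: str) -> Dict[str, str]:
    """Parse 'User:NT-Password' lines; '#' comments and blank lines are skipped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        user, _, nt = line.partition(':')
        entries[user] = nt.strip().upper()
    return entries


def lookup(entries: Dict[str, str], user_name: str) -> Optional[str]:
    """Find the NT-Password for a possibly domain-qualified user name."""
    return entries.get(strip_nt_domain(user_name))


def verify(entries: Dict[str, str], user_name: str, password: str) -> bool:
    """Constant-time comparison of the stored hash with the candidate's hash."""
    expected = lookup(entries, user_name)
    return expected is not None and hmac.compare_digest(expected, nt_hash(password))


# Constructed sample file; names and passwords are invented for this example.
SAMPLE_FILE = '# constructed sample, not a real smbpasswd\n' + '\n'.join([
    make_entry('Tommy', 'correct-horse-battery'),
    make_entry('Connie', 'staple-9-wombat'),
    make_entry('PocketPC', 'tiny-device-pw'),
]) + '\n'

if __name__ == '__main__':
    db = load_passwd_file(SAMPLE_FILE)
    print(SAMPLE_FILE)
    print('THOMAS\\Tommy ->', lookup(db, 'THOMAS\\Tommy'))
    print('verify:', verify(db, 'THOMAS\\Tommy', 'correct-horse-battery'))
```

Because the NT hash is an unsalted MD4 of the password, the file is as sensitive as a plaintext password list: keep it readable only by the user radiusd runs as.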

  4. #34
    Quote Originally Posted by Oleg
    I've sent him an email. Let's wait for the reply.
    I've sent two emails to tinypeap@yahoo.com. And I've got no reply so far. He is probably not interested in this, so he has decided to ignore my mails.
    For me it looks like I should not spend my time anymore trying to get an answer... If anyone needs this - try contacting this guy...

  5. #35
    I've tried contacting him once before. No reply. I thought maybe your famousness would nudge him, Oleg. Maybe he's just a silent type who has already begun working on a WL-500g version... but I doubt it.

    NOTE: Freeradius has been proven to work functionally--for me. There have been some troubles getting it to work in anything other than the "debug" single process mode, but it may just be my newbieness. Point is, we've got a fully-working RADIUS server for the WL-500g with client certificates and happiness or PEAP with MSCHAPv2 for those who want to use Windows XP with it... and junk. Yay.
    Last edited by tomilius; 05-04-2005 at 01:09.

  6. #36
    Quote Originally Posted by tomilius
    I'll write up a full guide on everything I had to do to get PEAP-MSCHAPv2 working eventually. It's nice though.
    Any luck on that?

    I have been working on FreeRADIUS too, but not with much luck.
    First, I installed the freeradius ipk and started working on things.

    I now came to the point where my WinXP notebook keeps switching back and forth between "Verifying identity" and "Obtaining network address".

    Both, the screen output of "radiusd -X" and the WinXP behaviour tell me that authentication succeeds:

    Code:
      modcall[authenticate]: module "eap" returns ok for request 30
    modcall: group authenticate returns ok for request 30
      PEAP: Tunneled authentication was successful.
      rlm_eap_peap: SUCCESS
      modcall[authenticate]: module "eap" returns handled for request 30
    modcall: group authenticate returns handled for request 30
    However, for some reason WinXP tries to authenticate again after a couple of seconds of trying to DHCP into my network.

    Edit: well, changing my WinXP to use TKIP instead of AES did the trick. It now says "Connected" and it's actually working

  7. #37
    How very unusual... TKIP works but not AES? That sounds odd.

    I would help you but it sounds like you solved the problem--plus I don't deal with wireless much any more, except with my Pocket PC, which can only use TKIP anyway. I had plenty of problems with freeradius and Windows XP SP2 until I started using Odyssey Client (a trial), but then later I tried it with Windows XP SP2's built-in stuff again and it worked. Hmmmm. "Dodgy."

  8. #38

    problem: freeradius not working as daemon (wl500gx)

    Quote Originally Posted by tomilius
    Well, I've been unable to give up. I actually got PEAP fully working about twice, but it was extremely difficult to do so. For the majority of the time, the requests never even get through to freeradius.
    WL500gx, 128M usb storage, 64m loop mounted ext, freeradius_1.0.2-2_mipsel.ipk
    Everything working/authenticating fine when in foreground or debugging, PEAP working, NTradPing working, but in daemon mode it doesn't listen:

    [admin@(none) /]$ /opt/etc/init.d/S55freeradius

    134 admin 528 S -sh
    176 admin 3000 S /opt/sbin/radiusd
    177 admin 3000 S /opt/sbin/radiusd
    178 admin 3000 S /opt/sbin/radiusd
    184 admin 384 R ps

    cat /var/spool/radius/log/radius.log
    Thu Jun 16 13:29:43 2005 : Info: Using deprecated naslist file. Support for this will go away soon.
    Thu Jun 16 13:29:43 2005 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?

    .. ends here, no success line

    Can somebody help?

  9. #39
    I never did get that working. I just run it in debug mode with & at the end... I use a lot of switches actually.

    Code:
    /opt/sbin/radiusd -y -z -X -A > /opt/radiusd.log &
    But you can take out the "> /opt/radiusd.log " if you want.

  10. #40
    log is exactly the same as yours previously posted in this thread.
    tnx

  11. #41
    I updated my S55freeradius to make the last line look like this:
    Code:
    /opt/sbin/radiusd -s &

  12. #42
    TNX, phedny

  13. #43

    radius 802.1x problem AIR led freeze

    I configured a freeradius server (on a USB memory stick and also externally on a server);
    Then I chose radius 802.1x as the authentication method by passing the IP of the radius server,
    port and secret; after rebooting the wl-500g box the AIR led doesn't blink (it is always on) and wireless does not respond. Then even the IP is not dynamically allocated and of course no radius
    authentication ...

    I'm trying to use radius auth with wl-500g. Was somebody able to do that ?

    Thanks a lot for any suggestion

  14. #44
    Yes, they were... Some searching would have done you some good, I'd think.

    I haven't messed with my router in days now. And I feel at least a little happier overall. I'll give you some clues as to what to search for in relation to freeradius:
    post-boot
    nas
    start-nas

    Searching for some of those in relation to freeradius should help you find out what needs to be done... or maybe somebody can explain it (again) if not.

  15. #45

    freeradius

    tomilius thanks a lot for your help

    in fact, the AIR led is working now after I added WEP-encryption.
    But I still have problems setting up PEAP under Windows XP. I guess it is a certificate problem. This is not obvious to me. But I will try to find some documentation ...

    I have 2 questions:

    1) isn't there a simple way (no WEP, no certificates ) to setup a simple radius authentication based on username/password?

    2) is there any disconnection mechanism (an authenticated user is forced to get out after a time interval)? If yes, where can I find the radius attributes supported by wl500g?
