Page 2 of 4
Results 16 to 30 of 51

Thread: Chance for RADIUS Server on the router itself!

  1. #16
    BUMP... why is it that nobody is interested in this? It may well work without the sources, it's just that the user manipulation is dead. I can't test it because I don't have a USB filesystem but it seemed to run in "run" mode.

  2. #17
    BUMP... Well, after more extensive testing I got a segmentation fault at the authorization request of my Pocket PC. But... if this router could get a RADIUS server it would make it so secure and neat. I don't know why people don't agree :'(

  3. #18
    I'm interested!
    Best regards
    Pirat

  4. #19
    What about this?

    http://www.lausch.at/radius.html

    Could it help?

    silver

  5. #20
    It is quite difficult to find decent information for the TinyPEAP server, but with the Windows binaries, complete configuration files and Windows readme, I managed the following:
    I ran peapd adduser xopr mypass in Windows, and it will add a line to peapusers.

    I put all the files (peapusers, waKey.pem, waCert.pem) in the same folder on a flash disk, except the peapd.conf file, which has to be in the /etc/peapd/ dir (which hasn't been made yet).
    With vi I remove the blank lines and linefeeds (^M).

    When everything is in place, I start the server, and try to connect wireless.
    Console responds with:
    Code:
    Listening on 0.0.0.0, UDP port 1812
    After a few packet exchanges, I get the username/password dialog.
    After entering the correct data, I get:
    Code:
    ---Received Packet---
    Packet Size: 121
    Code: 1
    Ident: 0
    Length: 121
    
    Segmentation fault
    So the segmentation problem is everywhere, and therefore doesn't run correctly.


    Also, I had to enter a WEP key in the web interface, otherwise my SSID disappears completely.
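
The dump in the post above prints the first three header fields of the RADIUS request (Code 1 is an Access-Request). As an added example, not TinyPEAP's code and not part of the original post, this is a bounds-checked parse of that header and the attribute list that follows it. The field layout and the attribute numbers 1, 79 and 80 follow RFC 2865/3579; the sample packet is constructed and its Message-Authenticator is a zeroed placeholder, not a computed value.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_LEN = 4096    # largest packet RFC 2865 allows

def parse_radius(datagram: bytes) -> dict:
    """Validate one UDP payload and split it into header fields and attributes."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not HEADER_LEN <= length <= MAX_LEN:
        raise ValueError("Length field out of range")
    if length > len(datagram):
        raise ValueError("Length field exceeds bytes received")
    body = datagram[HEADER_LEN:length]   # octets beyond Length are padding
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, body[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "name": CODES.get(code, "unknown"), "ident": ident,
            "length": length, "attrs": attrs}

def attr(a_type: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute."""
    return bytes([a_type, len(value) + 2]) + value

def build_sample() -> bytes:
    """Constructed Access-Request carrying an EAP-Response/Identity for user 'xopr'."""
    user = b"xopr"
    eap = bytes([2, 0, 0, 5 + len(user), 1]) + user   # EAP code, id, length(2), type
    attrs = attr(1, user) + attr(79, eap) + attr(80, bytes(16))  # 80: zeroed placeholder
    header = struct.pack("!BBH", 1, 0, HEADER_LEN + len(attrs)) + bytes(16)
    return header + attrs

if __name__ == "__main__":
    pkt = parse_radius(build_sample())
    print("Code:", pkt["code"], pkt["name"], "Ident:", pkt["ident"], "Length:", pkt["length"])
    for a_type, value in pkt["attrs"]:
        print("  attribute", a_type, value.hex())
```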

  6. #21
    Try contacting the author directly and ask him if he is willing to provide a package for inclusion in the firmware. Also ask for prerequisites, such as libraries, etc.
    Using a binary extracted from the firmware is not legal, unless the license agreement allows that.

  7. #22
    The binaries are not extracted from firmware; they come directly from the author, who sent them to me.

  8. #23
    Yep, that segmentation fault is what I was talking about. I did exactly what you did, xopr. I contacted the e-mail address on the site yesterday and asked in the simplest way possible if they could please either release the source or a wl-500g version. No reply yet.

    Either way, has anybody with a USB stick gotten free-radius to work on the router? I saw the ipk for it... It'd be nice if there was some way to shrink it down or maybe take the essential pieces from the source and fit them into the firmware for those of us too cheap/lazy to buy a USB flash device...

  9. #24
    OK, I'm sort of a newbie when it comes to this stuff but does this look like it would be of any use? Source code is available... pardon me if this will not work.

    http://hostap.epitest.fi/hostapd/

    hostapd: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator

    hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators and RADIUS authentication server. The current version supports Linux (Host AP, madwifi, Prism54 drivers) and FreeBSD (net80211).

    hostapd is designed to be a "daemon" program that runs in the background and acts as the backend component controlling authentication. hostapd supports separate frontend programs and an example text-based frontend, hostapd_cli, is included with hostapd.

    Supported WPA/IEEE 802.11i/EAP/IEEE 802.1X features

    * WPA-PSK ("WPA-Personal")
    * WPA with EAP (with integrated EAP authenticator or an external RADIUS authentication server) ("WPA-Enterprise")
    * key management for CCMP, TKIP, WEP104, WEP40
    * WPA and full IEEE 802.11i/RSN/WPA2
    * RSN: PMKSA caching, pre-authentication
    * RADIUS accounting
    * RADIUS authentication server with EAP

    Supported EAP methods (integrated EAP authenticator and RADIUS authentication server)

    * EAP-TLS
    * EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)
    * EAP-PEAP/GTC (both PEAPv0 and PEAPv1)
    * EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)
    * EAP-TTLS/EAP-MD5-Challenge
    * EAP-TTLS/EAP-GTC
    * EAP-TTLS/EAP-MSCHAPv2
    * EAP-TTLS/MSCHAPv2
    * EAP-TTLS/MSCHAP
    * EAP-TTLS/PAP
    * EAP-TTLS/CHAP
    * EAP-SIM

    Following methods are also supported, but since they do not generate keying material, they cannot be used with WPA or IEEE 802.1X WEP keying.

    * EAP-MD5-Challenge
    * EAP-MSCHAPv2
    * EAP-GTC

    Supported wireless cards/drivers

    * Host AP driver for Prism2/2.5/3
    * madwifi (Atheros ar521x)
    * Prism54.org (Prism GT/Duette/Indigo)
    * BSD net80211 layer (e.g., Atheros driver) (FreeBSD 6-CURRENT)
    Last edited by tomilius; 23-03-2005 at 23:15. Reason: More information.

  10. #25
    Could someone give me a contact e-mail?
    This binary also requires libcrypto.so, which is most likely the library made by Broadcom. It's stripped in the wl500g builds, that's why it could segfault at some point.
    I will then try to negotiate things with the author.

  11. #26

    Freeradius is running OK

    Quote Originally Posted by tomilius
    Either way, has anybody with a USB stick gotten free-radius to work on the router? I saw the ipk for it... It'd be nice if there was some way to shrink it down or maybe take the essential pieces from the source and fit them into the firmware for those of us too cheap/lazy to buy a USB flash device...
    Thanks to Oleg it seems to me that freeradius is working out of the box.
    radiusd -X
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /opt/etc/raddb/proxy.conf
    Config: including file: /opt/etc/raddb/clients.conf
    Config: including file: /opt/etc/raddb/snmp.conf
    Config: including file: /opt/etc/raddb/eap.conf
    Config: including file: /opt/etc/raddb/sql.conf
    main: prefix = "/opt"
    main: localstatedir = "/opt/var"
    main: logdir = "/opt/var/spool/radius/log"
    main: libdir = "/opt/lib"
    main: radacctdir = "/opt/var/spool/radius/radacct"
    main: hostname_lookups = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = "/opt/var/spool/radius/log/radius.log"
    main: log_auth = no
    main: log_auth_badpass = no
    main: log_auth_goodpass = no
    main: pidfile = "/var/run/radiusd.pid"
    main: bind_address = 192.168.1.1 IP address [192.168.1.1]
    main: user = "(null)"
    main: group = "(null)"
    main: usercollide = no
    main: lower_user = "no"
    main: lower_pass = "no"
    main: nospace_user = "no"
    main: nospace_pass = "no"
    main: checkrad = "/opt/sbin/checkrad"
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = yes
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /opt/lib
    Module: Loaded exec
    exec: wait = yes
    exec: program = "(null)"
    exec: input_pairs = "request"
    exec: output_pairs = "(null)"
    exec: packet_type = "(null)"
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    pap: encryption_scheme = "crypt"
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    mschap: use_mppe = yes
    mschap: require_encryption = no
    mschap: require_strong = no
    mschap: with_ntdomain_hack = no
    mschap: passwd = "(null)"
    mschap: authtype = "MS-CHAP"
    mschap: ntlm_auth = "(null)"
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    unix: cache = no
    unix: passwd = "(null)"
    unix: shadow = "(null)"
    unix: group = "(null)"
    unix: radwtmp = "/opt/var/spool/radius/log/radwtmp"
    unix: usegroup = no
    unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
    eap: default_eap_type = "md5"
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    gtc: challenge = "Password: "
    gtc: auth_type = "PAP"
    rlm_eap: Loaded and initialized type gtc
    mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    preprocess: huntgroups = "/opt/etc/raddb/huntgroups"
    preprocess: hints = "/opt/etc/raddb/hints"
    preprocess: with_ascend_hack = no
    preprocess: ascend_channels_per_line = 23
    preprocess: with_ntdomain_hack = no
    preprocess: with_specialix_jetstream_hack = no
    preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    realm: format = "suffix"
    realm: delimiter = "@"
    realm: ignore_default = no
    realm: ignore_null = no
    Module: Instantiated realm (suffix)
    Module: Loaded files
    files: usersfile = "/opt/etc/raddb/users"
    files: acctusersfile = "/opt/etc/raddb/acct_users"
    files: preproxy_usersfile = "/opt/etc/raddb/preproxy_users"
    files: compat = "no"
    Module: Instantiated files (files)
    Module: Loaded Acct-Unique-Session-Id
    acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
    detail: detailfile = "/opt/var/spool/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    detail: detailperm = 384
    detail: dirperm = 493
    detail: locking = no
    Module: Instantiated detail (detail)
    Module: Loaded radutmp
    radutmp: filename = "/opt/var/spool/radius/log/radutmp"
    radutmp: username = "%{User-Name}"
    radutmp: case_sensitive = yes
    radutmp: check_with_nas = yes
    radutmp: perm = 384
    radutmp: callerid = yes
    Module: Instantiated radutmp (radutmp)
    Listening on authentication 192.168.1.1:1812
    Listening on accounting 192.168.1.1:1813
    Listening on proxy 192.168.1.1:1814
    Ready to process requests.
    This is a WL-500g running the latest Oleg firmware 1.2.9.7CR4 with ipkg installed.
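
The startup log in the post above already states which EAP types the server loaded and a few security-relevant defaults. As an added example, not part of the original post and not FreeRADIUS code, this script reads a `radiusd -X` log and reports those settings; the mapping from FreeRADIUS module names to the EAP methods in the hostapd list quoted in post #24 and the finding identifiers are assumptions made for the example.

```python
import re

# FreeRADIUS module names for the EAP methods that the hostapd feature list
# quoted in post #24 says generate no keying material, and for the ones it
# lists as usable with WPA. "leap" is not classified there, so it is in neither.
NO_KEYING = {"md5", "mschapv2", "gtc"}
KEYING = {"tls", "peap", "ttls", "sim"}

SETTING = re.compile(r'^\s*(\w+):\s+(\w+)\s+=\s+"?([^"]*)"?')
EAP_TYPE = re.compile(r"rlm_eap: Loaded and initialized type (\w+)")

# Lines copied from the radiusd -X output in the post above.
SAMPLE = """\
main: log_auth = no
main: user = "(null)"
eap: default_eap_type = "md5"
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
"""

def audit(debug_output: str) -> list:
    """Return (id, message) findings for a radiusd -X startup log."""
    settings, eap_types = {}, set()
    for line in debug_output.splitlines():
        if m := EAP_TYPE.search(line):
            eap_types.add(m.group(1))
        elif m := SETTING.match(line):
            settings[(m.group(1), m.group(2))] = m.group(3).strip()
    findings = []
    default = settings.get(("eap", "default_eap_type"))
    if default in NO_KEYING:
        findings.append(("default-no-keys", f"default_eap_type={default} yields no keying material"))
    if eap_types and not eap_types & KEYING:
        findings.append(("no-keying-type", f"loaded {sorted(eap_types)}: none of tls/peap/ttls/sim"))
    if settings.get(("main", "user")) == "(null)":
        findings.append(("no-priv-drop", "user unset: radiusd keeps the account it was started as"))
    if settings.get(("main", "log_auth")) == "no":
        findings.append(("auth-not-logged", "log_auth=no: authentication requests are not logged"))
    return findings

if __name__ == "__main__":
    for ident, message in audit(SAMPLE):
        print(f"[{ident}] {message}")
```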

  12. #27
    Ah, that's very good, though I hope it won't discourage attempts to get a smaller version running (free-radius is pretty hefty--won't even fit in ramfs without causing my router to reboot).

  13. #28
    Quote Originally Posted by Oleg
    Could someone give me a contact e-mail?
    This binary also requires libcrypto.so, which is most likely the library made by Broadcom. It's stripped in the wl500g builds, that's why it could segfault at some point.
    I will then try to negotiate things with the author.
    I got all my binaries from Takehiro at tinypeap@yahoo.com. He is responsive, but I don't know if he wants to share the source.

  14. #29
    I've sent him an email. Let's wait for the reply.

  15. #30
    My pen drive came in and I set it all up and I'm now trying to get freeradius working... I'm using a guide to set up PEAP and MSCHAPv2.

    /opt/sbin/radiusd: can't load library 'libltdl.so.3'

    Ah. libtool.

    Alright, alright. I'll update when I get a clue.
    Last edited by tomilius; 31-03-2005 at 01:12.
