Koozali.org: home of the SME Server

Radius

vj

Radius
« on: March 28, 2004, 11:37:13 PM »
Hi everyone,
just wondering if anyone had successfully implemented a radius server on SME 6.0?

regards
vj

guest

radius
« Reply #1 on: March 29, 2004, 10:03:36 AM »
here:

http://e-smith.dyndns.org/

says for 5.6, should work for 6.0 also

Anonymous

Radius
« Reply #2 on: March 29, 2004, 11:30:46 AM »
thanks
had a look at it, but it's under "Experimental"
can anybody confirm that it works?

vj

cc_skavenger

Radius for sme
« Reply #3 on: April 02, 2004, 06:10:09 AM »
Yes, this seems to work fine for what I am using it for, radius for Wireless.  I did not use any of the additional dictionaries or the mysql stuff.  All I needed was the clients.conf, radiusd.conf, and users files.

HTH

AJ

radius server
« Reply #4 on: April 02, 2004, 11:40:11 AM »
Hi
  I'm new to this. What is a radius server?

Aj

cc_skavenger

What is radius
« Reply #5 on: April 02, 2004, 05:08:43 PM »
Radius is a remote authentication software.  It can work several ways, but I am using it to authenticate wireless access for my company, along with several other layers of security.

HTH

WC

User Usage Question
« Reply #6 on: April 08, 2004, 04:23:08 AM »
Just curious, do the users need to be added independently (specific to radius) or does this pull from users added to SME via the server manager?

Thanks,

WC

Jesper Knudsen

Radius
« Reply #7 on: April 10, 2004, 11:01:30 PM »
No, it can (and will by default) use the SME user and password file.

Still trying to get my D-Link AP to work with it though. It does not support WEP, which seems to be required by my XP built-in client.

Anyways, not many attempts have been done so far.

Rgds,
Jesper

Guest

Radius
« Reply #8 on: April 11, 2004, 04:42:35 AM »
The easiest way to get Radius to work on a wireless system is to add the AP to the clients.conf file like so:

client IPADDRESS {
     secret     = password
     shortname  = APname
     nastype    = other
}

where the password is the password that is set up in the AP and the APname is what you named the AP.

Next add the users to the users file like so:

#Username
XXXXXX-XXXXXX  Auth-Type := Local, User-Password == "password"


[#Username] is what it says, the user's name.
[XXXXXX-XXXXXX] is the MAC address of the user's device in a 6 by 6 character set divided by a hyphen.
[Auth-Type := Local] tells radius to check the clients.conf file for the password for that client.
[User-Password == "password"] assigns a password to the user device, since it really has no way of sending a password.  Every time that this user connects, this password will be used to authenticate it.

In radiusd.conf, don't forget to specify the port to be used, such as 1812.

Configure the AP with the same password you have used in these files and it should work just fine.

HTH

PS: XP does not need WEP enabled unless you enable it on the AP.
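Why the AP and clients.conf must hold the same secret, as an added example that is not part of the original post: when a request carries a User-Password attribute, the sender masks it with MD5 of the shared secret and the Request Authenticator (RFC 2865, section 5.2), so a server holding a different secret recovers a different password and the `User-Password ==` check fails. The function names, secrets and authenticator below are constructed for illustration.

```python
import hashlib
import hmac

def _mask(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Sender side: the value placed in the User-Password attribute."""
    if len(request_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _mask(secret, prev)))
        hidden += block
        prev = block  # the next block is chained on this ciphertext block
    return hidden

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: recover the password with the secret from clients.conf."""
    if len(request_auth) != 16 or not hidden or len(hidden) % 16:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _mask(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")

def server_accepts(hidden, server_secret, request_auth, expected) -> bool:
    """Mimics the users-file check: User-Password == expected."""
    recovered = unhide_password(hidden, server_secret, request_auth)
    return hmac.compare_digest(recovered, expected)

# Constructed sample values (not taken from the thread).
REQUEST_AUTH = bytes(range(16))
AP_SECRET = b"constructed-shared-secret"
ON_WIRE = hide_password(b"password", AP_SECRET, REQUEST_AUTH)

if __name__ == "__main__":
    print("same secret:", server_accepts(ON_WIRE, AP_SECRET, REQUEST_AUTH, b"password"))
    print("different secret:", server_accepts(ON_WIRE, b"other-secret", REQUEST_AUTH, b"password"))
```

This masking is the only protection the password has on the wire, so the secret should be long and random rather than a dictionary word.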

Knuddi

Radius
« Reply #9 on: April 12, 2004, 10:32:35 PM »
Adding the Client portion helped a lot and the AP now connects to the RADIUS server. I still have problems authenticating users. I have a SME user called "ssw" and I try to login with the SME password. It seems to end up trying to validate correctly against the unix Password stored. To me the "Could not find proper Chap-Password attribute in request" indicates that the password is not passed along my Win2k/XP Client request and cannot be validated?

Any good ideas?

Thread 3 handling request 2, (1 handled so far)
User-Name = "ssw"
NAS-IP-Address = 192.168.212.50
NAS-Port = 0
Called-Station-Id = "00-40-05-D0-7C-50"
Calling-Station-Id = "00-05-5D-5A-A9-17"
NAS-Identifier = "DWL-900AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\001\000\010\001ssw"
Message-Authenticator = 0xa3c10e7331240ca2cd4887cc85f6a101
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns ok
rlm_realm: No '@' in User-Name = "ssw", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Thread 3 waiting to be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Sending Access-Reject of id 78 to 192.168.212.50:1239
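
Decoding the request in the log above, as an added example that is not part of the original post: the EAP-Message attribute is an EAP-Response/Identity for "ssw", and the request carries neither CHAP-Password nor User-Password, which is what the rlm_chap and rlm_unix lines report. The function names and EAP lookup tables are this example's own, and the sample is constructed from the posted attributes.

```python
import re

# Constructed sample: request attributes copied from the debug log in the post above.
REQUEST = r'''
User-Name = "ssw"
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\001\000\010\001ssw"
Message-Authenticator = 0xa3c10e7331240ca2cd4887cc85f6a101
'''

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

def parse_attributes(text):
    """Collect 'Name = value' lines from radiusd debug output into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z][\w-]*)\s*=\s*(.+?)\s*$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def unescape_octal(value):
    """radiusd prints non-printable bytes as \\ooo; turn them back into bytes."""
    return re.sub(rb'\\([0-7]{3})', lambda m: bytes([int(m.group(1), 8)]),
                  value.encode("latin-1"))

def parse_eap(packet):
    """Decode the fixed EAP header (code, id, length) and the type byte."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError("EAP length field does not match the attribute")
    info = {"code": EAP_CODES.get(packet[0], packet[0]), "id": packet[1]}
    if packet[0] in (1, 2) and length > 4:  # only Request/Response carry a type
        info["type"] = EAP_TYPES.get(packet[4], packet[4])
        info["data"] = packet[5:]
    return info

def credential_kind(attrs):
    """Which credential attribute the request carries, if any."""
    for name, kind in (("CHAP-Password", "CHAP"), ("User-Password", "PAP"),
                       ("EAP-Message", "EAP")):
        if name in attrs:
            return kind
    return "none"

if __name__ == "__main__":
    attrs = parse_attributes(REQUEST)
    print(credential_kind(attrs), parse_eap(unescape_octal(attrs["EAP-Message"])))
```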

Guest

User
« Reply #10 on: April 13, 2004, 03:08:41 AM »
Quote from: "Knuddi"
Adding the Client portion helped a lot and the AP now connects to the RADIUS server. I still have problems authenticating users. I have a SME user called "ssw" and I try to login with the SME password. It seems to end up trying to validate correctly against the unix Password stored. To me the "Could not find proper Chap-Password attribute in request" indicates that the password is not passed along my Win2k/XP Client request and cannot be validated?

Any good ideas?

Thread 3 handling request 2, (1 handled so far)
User-Name = "ssw"
NAS-IP-Address = 192.168.212.50
NAS-Port = 0
Called-Station-Id = "00-40-05-D0-7C-50"
Calling-Station-Id = "00-05-5D-5A-A9-17"
NAS-Identifier = "DWL-900AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\001\000\010\001ssw"
Message-Authenticator = 0xa3c10e7331240ca2cd4887cc85f6a101
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns ok
rlm_realm: No '@' in User-Name = "ssw", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid
modcall: group authenticate returns invalid


Not sure what the problem is; it looks like it is a radiusd.conf config problem.  I would read the rlm_unix and radiusd.conf files and see what they say about using the /etc/passwd file for authentication.

HTH

WC

rlm_unix or rlm_realm
« Reply #11 on: April 13, 2004, 09:13:43 PM »
Hmm... I was wondering how the realm parameter is set and what it is set to.  From the log that "Jesper" posted, it seems like RADIUS is looking for <username>@<realm>; when the @<realm> portion isn't sent, it defaults to "NULL", then fails.
I'll see if I can get my setup just as far as where the user authentication fails today and will keep playing on my side too.

Thanks much,

WC

Smeily

Radius
« Reply #12 on: August 06, 2004, 09:31:45 PM »
I've been waiting for a long time to see if someone
continued this thread....
Can anyone please verify that they have radius up
and running and working AND describe in detail how the
server (config files), the AP and the users are set up?
Thanks in advance.

Smeily

Radius
« Reply #13 on: August 07, 2004, 04:54:30 PM »
Please someone....?

cc_skavenger

SME Free Radius
« Reply #14 on: August 07, 2004, 08:56:04 PM »
It does work.  For documentation, you can find it at http://www.freeradius.org.  Configuration will be specific to your needs.  Have been using it with my wireless network, has not let me down yet.