Koozali.org: home of the SME Server

Radius

vj

Radius
« on: March 28, 2004, 11:37:13 PM »
Hi everyone,
just wondering if anyone had successfully implemented a radius server on sme 6.0???

regards
vj

guest

radius
« Reply #1 on: March 29, 2004, 10:03:36 AM »
here:

http://e-smith.dyndns.org/

says for 5.6, should work for 6.0 also

Anonymous

Radius
« Reply #2 on: March 29, 2004, 11:30:46 AM »
thanks
had a look at it, but it's under "Experimental"
can anybody confirm that it works?

vj

cc_skavenger

Radius for sme
« Reply #3 on: April 02, 2004, 06:10:09 AM »
Yes, this seems to work fine for what I am using it for, radius for Wireless.  I did not use any of the additional dictionaries or the mysql stuff.  All I needed was the clients.conf, radiusd.conf, and users files.

HTH

AJ

radius server
« Reply #4 on: April 02, 2004, 11:40:11 AM »
Hi
  I'm new to this. What is a radius server?

Aj

cc_skavenger

What is radius
« Reply #5 on: April 02, 2004, 05:08:43 PM »
Radius is a remote authentication software.  It can work several ways, but I am using it to authenticate wireless access for my company, along with several other layers of security.

HTH

WC

User Usage Question
« Reply #6 on: April 08, 2004, 04:23:08 AM »
Just curious, do the users need to be added independently (specific to radius) or does this pull from users added to SME via the server manager?

Thanks,

WC

Jesper Knudsen

Radius
« Reply #7 on: April 10, 2004, 11:01:30 PM »
No it can (and will by default) use the SME user and password file.

Still trying to get my d-link AP to work with it though. It does not support WEP which seems to be required by my XP built-in client.

Anyways, not many attempts have been done so far.

Rgds,
Jesper

Guest

Radius
« Reply #8 on: April 11, 2004, 04:42:35 AM »
The easiest way to get Radius to work on a wireless system is to add the AP to the clients.conf file like so:

client IPADDRESS {
     secret     = password
     shortname  = APname
     nastype    = other
}

where the password is the password that is setup in the AP and the APname is what you named the AP.

Next add the users to the users file like so:

#Username
XXXXXX-XXXXXX  Auth-Type := Local, User-Password == "password"


[#Username] is what it says, user's name.
[XXXXXX-XXXXXX] is the mac address of the user's device in a 6 by 6 character set divided by a hyphen.  [Auth-Type := Local] tells radius to check the client.conf file for the password for that client.  [User-Password == "password"] this line assigns a password to the user device since it really has no way of sending a password.  Every time that this user connects, this password will be used to authenticate it.

In radiusd.conf, don't forget to specify the port to be used, such as 1812.

Configure the AP with the same password you have used in these files and it should work just fine.

HTH

ps, XP does not need wep enabled unless you enable it on the AP.
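A note from the editor on what the "secret" in clients.conf actually does, with an added example (this is not code from the thread or from FreeRADIUS): the secret never travels over the wire as a password. The NAS keys an HMAC-MD5 over the whole Access-Request with it (the Message-Authenticator attribute, RFC 2869) and the server recomputes that HMAC with the secret it has for that client IP, which is why a mismatch between the AP's secret and clients.conf makes the server drop the request. The block below builds a minimal Access-Request from constructed attribute values (the user name "jkn", the AP's NAS-IP-Address and an EAP-Message are taken from the debug output posted later in this thread) and then verifies the Message-Authenticator, including a tamper check. The secret value is a placeholder.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61          # value 19 = Wireless-802.11
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20                  # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length counts its own header."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def iter_attrs(packet):
    """Yield (offset, type, value) for every attribute, validating each length field
    so a malformed packet raises instead of being mis-parsed."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("packet length field does not match packet")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def build_access_request(secret, identifier, attrs, request_authenticator=None):
    """Build an Access-Request whose last attribute is a Message-Authenticator.
    RFC 2869 s5.14: the value is HMAC-MD5(secret, packet) computed while the
    Message-Authenticator value itself is 16 zero octets."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)   # fresh random Request Authenticator
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                    # fill in the zeroed value


def verify_message_authenticator(secret, packet):
    """True only if the packet carries a Message-Authenticator that verifies under
    `secret`; a packet without one, a wrong secret, or a malformed packet gives False."""
    try:
        for pos, attr_type, value in iter_attrs(packet):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except (ValueError, struct.error):
        return False
    return False


def attr_value(packet, attr_type):
    """Return the first value of the given attribute type, or None."""
    for _pos, t, v in iter_attrs(packet):
        if t == attr_type:
            return v
    return None


if __name__ == "__main__":
    secret = b"secret word"          # placeholder, as in the clients.conf example above
    attrs = [
        (ATTR_USER_NAME, b"jkn"),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 212, 50])),
        (ATTR_NAS_PORT_TYPE, (19).to_bytes(4, "big")),
        (ATTR_EAP_MESSAGE, bytes.fromhex("02010008016a6b6e")),   # EAP Identity "jkn"
    ]
    pkt = build_access_request(secret, 25, attrs)
    print(pkt.hex())
    print("right secret:", verify_message_authenticator(secret, pkt))
    print("wrong secret:", verify_message_authenticator(b"other", pkt))
```

The server-side check is the interesting half: it looks up the secret by the sender's IP (the `client` block) and recomputes the HMAC, so a wrong secret in the AP and a wrong client IP in clients.conf fail the same way.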

Knuddi
Radius
« Reply #9 on: April 12, 2004, 10:32:35 PM »
Adding the Client portion helped a lot and the AP now connects to the RADIUS server. I still have problems authenticating users. I have a SME user called "ssw" and I try to login with the SME password. It seems to end up trying to validate correctly against the unix Password stored. To me the "Could not find proper Chap-Password attribute in request" indicates that the password is not passed along my Win2k/XP Client request and cannot be validated?

Any good ideas?

Thread 3 handling request 2, (1 handled so far)
User-Name = "ssw"
NAS-IP-Address = 192.168.212.50
NAS-Port = 0
Called-Station-Id = "00-40-05-D0-7C-50"
Calling-Station-Id = "00-05-5D-5A-A9-17"
NAS-Identifier = "DWL-900AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\001\000\010\001ssw"
Message-Authenticator = 0xa3c10e7331240ca2cd4887cc85f6a101
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns ok
rlm_realm: No '@' in User-Name = "ssw", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Thread 3 waiting to be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Sending Access-Reject of id 78 to 192.168.212.50:1239

Guest

User
« Reply #10 on: April 13, 2004, 03:08:41 AM »
Quote from: "Knuddi"
Adding the Client portion helped a lot and the AP now connects to the RADIUS server. I still have problems authenticating users. I have a SME user called "ssw" and I try to login with the SME password. It seems to end up trying to validate correctly against the unix Password stored. To me the "Could not find proper Chap-Password attribute in request" indicates that the password is not passed along my Win2k/XP Client request and cannot be validated?

Any good ideas?

Thread 3 handling request 2, (1 handled so far)
User-Name = "ssw"
NAS-IP-Address = 192.168.212.50
NAS-Port = 0
Called-Station-Id = "00-40-05-D0-7C-50"
Calling-Station-Id = "00-05-5D-5A-A9-17"
NAS-Identifier = "DWL-900AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\001\000\010\001ssw"
Message-Authenticator = 0xa3c10e7331240ca2cd4887cc85f6a101
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns ok
rlm_realm: No '@' in User-Name = "ssw", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid
modcall: group authenticate returns invalid


Not sure what the problem is, looks like it is a radiusd.conf config problem.  I would read the rlm_unix and radiusd.conf files and see what it says about using the /etc/passwd file for authentication.

HTH

WC

rlm_unix or rlm_realm
« Reply #11 on: April 13, 2004, 09:13:43 PM »
Hmm...I was wondering how the realm parameter is set/what it is set to.  From the log that ?Jesper? posted, it seems like RADIUS is looking for <username>@<realm>, when the @<realm> portion isn't sent, it defaults to "NULL", then fails.
I'll see if I can get my setup just as far as where the user authentication fails today & will keep playing on my side too.

Thanks much,

WC

Smeily

Radius
« Reply #12 on: August 06, 2004, 09:31:45 PM »
I've been waiting for a loong time to see if some one
continued this thread....
Can anyone please verify that they have radius up
running and working AND describe how in detail the
server (config-files), the AP and the users are set up?
Thanks in advance.

Smeily

Radius
« Reply #13 on: August 07, 2004, 04:54:30 PM »
Please someone....?

cc_skavenger

SME Free Radius
« Reply #14 on: August 07, 2004, 08:56:04 PM »
It does work.  For documentation, you can find it at http://www.freeradius.org.  Configuration will be specific to your needs.  Have been using it with my wireless network, has not let me down yet.

Knuddi
Radius
« Reply #15 on: August 25, 2004, 10:33:06 PM »
cc_skavenger did you create the certificates that seem to be needed for Windows 802.1x Clients or did you live without them?

I compiled a new RPM with the final release 1.0.0 of FreeRadius and tried again but once again without luck. Once again the AP can connect to the server (via clients.conf configuration) but the WLAN laptop will not get authenticated even though I have created a user in "users". Notice that the user is recognised but that the password is not found in the request?!?!

rad_recv: Access-Request packet from host 192.168.212.50:1239, id=25, length=127
        User-Name = "jkn"
        NAS-IP-Address = 192.168.212.50
        NAS-Port = 0
        Called-Station-Id = "00-40-05-D0-7C-50"
        Calling-Station-Id = "00-05-5D-5A-A9-17"
        NAS-Identifier = "DWL-900AP+"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02010008016a6b6e
        Message-Authenticator = 0xb94c73581c0a0a342a5b57f5d2f5ca85
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "jkn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 1 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched jkn at 94
radius_xlat:  'Hello, jkn'
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
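An editor's reading of the two `radiusd -X` excerpts in this thread (Reply #9 and the one just above), with an added example that is not part of the thread: in both, the only credential the AP forwards is an `EAP-Message`. Decoded, `0x02010008016a6b6e` (and the older `"\002\001\000\010\001ssw"` spelling) is an EAP Response, type 1 (Identity), carrying just the user name. That is the first leg of an 802.1X/EAP exchange, so no `User-Password` or `CHAP-Password` attribute can be present; a `users` entry that relies on `User-Password ==` has nothing to compare against, which is what `rlm_unix` and `auth:` are reporting. The script below parses debug output in both the 0.9-style (octal escapes) and 1.0-style (hex) value formats, decodes the EAP-Message, and reports whether any password-bearing attribute was in the request. The sample logs are shortened copies of the lines posted in this thread, embedded here as constructed input.

```python
import binascii
import re

# "Name = value" lines at any indentation; module and status lines never match
# because their prefix is followed by ':' rather than '='.
ATTR_LINE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$')
OCTAL_ESCAPE = re.compile(r'\\([0-7]{3})')

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
PASSWORD_ATTRS = ("User-Password", "CHAP-Password",
                  "MS-CHAP-Response", "MS-CHAP2-Response")


def decode_value(raw):
    """Decode one attribute value as radiusd -X prints it: 0x.. (1.0 style) and
    "..." with \\NNN octal escapes (0.9 style) become bytes; a plain quoted
    string becomes str; anything else is returned as the literal text."""
    if raw.startswith("0x"):
        return binascii.unhexlify(raw[2:])
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        inner = raw[1:-1]
        if OCTAL_ESCAPE.search(inner):
            text = OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), inner)
            return text.encode("latin-1")
        return inner
    return raw


def decode_eap(msg):
    """Parse an EAP packet (RFC 3748): Code, Identifier, Length, then Type and data."""
    if len(msg) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = msg[0], msg[1], int.from_bytes(msg[2:4], "big")
    if length != len(msg):
        raise ValueError("EAP length field does not match attribute length")
    info = {"code": EAP_CODES.get(code, code), "id": ident}
    if length > 4:
        info["type"] = EAP_TYPES.get(msg[4], msg[4])
        info["data"] = msg[5:]
    return info


def diagnose(log_text):
    """Summarise one request from radiusd -X output: who asked, which Auth-Type
    was chosen, whether any password attribute was present, and the outcome."""
    attrs = {}
    report = {"auth_type": None, "module_result": None, "outcome": None}
    for line in log_text.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            attrs[m.group(1)] = decode_value(m.group(2))
            continue
        if "Found Auth-Type" in line:
            report["auth_type"] = line.rsplit("Auth-Type", 1)[1].strip()
        elif "returns invalid" in line or "returns reject" in line:
            report["module_result"] = line.strip()
        elif "Failed to validate the user" in line or "Access-Reject" in line:
            report["outcome"] = "reject"
        elif "Access-Accept" in line:
            report["outcome"] = "accept"
    report["user"] = attrs.get("User-Name")
    report["nas"] = attrs.get("NAS-Identifier")
    report["password_attr_present"] = any(a in attrs for a in PASSWORD_ATTRS)
    eap = attrs.get("EAP-Message")
    report["eap"] = decode_eap(eap) if isinstance(eap, bytes) else None
    return report


# Constructed sample: shortened from the FreeRADIUS 0.9-style output in Reply #9.
SAMPLE_LOG_V09 = r'''Thread 3 handling request 2, (1 handled so far)
User-Name = "ssw"
NAS-IP-Address = 192.168.212.50
NAS-Identifier = "DWL-900AP+"
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\001\000\010\001ssw"
Message-Authenticator = 0xa3c10e7331240ca2cd4887cc85f6a101
rlm_chap: Could not find proper Chap-Password attribute in request
rad_check_password: Found Auth-Type System
auth: type "System"
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 78 to 192.168.212.50:1239
'''

# Constructed sample: shortened from the FreeRADIUS 1.0-style output above.
SAMPLE_LOG_V10 = '''rad_recv: Access-Request packet from host 192.168.212.50:1239, id=25, length=127
        User-Name = "jkn"
        NAS-Identifier = "DWL-900AP+"
        EAP-Message = 0x02010008016a6b6e
        Message-Authenticator = 0xb94c73581c0a0a342a5b57f5d2f5ca85
  rlm_eap: EAP packet type response id 1 length 8
    users: Matched jkn at 94
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
'''

if __name__ == "__main__":
    for sample in (SAMPLE_LOG_V09, SAMPLE_LOG_V10):
        print(diagnose(sample))
```

Run against the two excerpts it reports `password_attr_present: False` and an EAP Identity response for both, which narrows the problem to the NAS doing 802.1X while the `users` entry expects a cleartext password.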

cc_skavenger

Radius
« Reply #16 on: August 26, 2004, 01:34:46 AM »
I am only authenticating what devices can connect to the wireless network.  That is the only thing that my radius server seems to be able to do.  That is all I could get it to do.  I played with this for several months before finding an article on how to set it up using local authentication, not mysql or anything else. I have not been able to get it to assign IPs like I should be able to or anything else I should be able to do with radius.  

Here is a line from my users file:

00X0X3-1X2Xec    Auth-Type := Local, User-Password == "XXXXXXX"

When a wireless client connects to the AP, it sends its mac address as the user and the AP supplies the password that you setup in the AP.  If both match a line in the users file, it gives it access; otherwise, it is denied.  The mac address is sent in all lower case and in a 6 X 6 pattern, ie. abcabc-abcabc.  

HTH

Knuddi
Radius
« Reply #17 on: August 26, 2004, 07:49:23 AM »
But the strange thing is that it matches the user from the users file "jkn" by doing the 'Hello, jkn' but then cannot see a password in the request from the client so it cannot match with the password I have written in the users file.

"jkn"   Auth-Type := Local, User-Password == "XXXXXXX"
        Reply-Message = "Hello, %u"

cc_skavenger

Radius
« Reply #18 on: August 26, 2004, 08:29:22 AM »
can you post some of the radius log.  

Marco

Knuddi
Radius
« Reply #19 on: August 26, 2004, 12:24:05 PM »
Which log would you want more than the snippet from my last post? I run RADIUS as Radiusd -X while I try to figure out what is wrong.

jsturm

Radius
« Reply #20 on: September 04, 2004, 07:31:37 AM »
Is there a graphical user interface for freeRadius on SME 6.0?
I can't find it, please help me

THX
Achim

Medimo

Radius
« Reply #21 on: October 04, 2004, 08:19:34 PM »
No there isn't.
Log files can be viewed using the server-manager
Setup must be done in /etc/raddb/

clients.conf - who can do requests
users - which users can be authenticated and how
radiusd.conf - general setup

duncan

Radius
« Reply #22 on: December 19, 2004, 02:52:09 AM »
Out of curiosity - why use the script "radiusrestart" as opposed to "service radiusd restart".

cc_skavenger

Radius
« Reply #23 on: December 21, 2004, 12:31:54 AM »
Easier for my non linux guys to remember.  ;-)

Just kidding, totally forgot about service whatever restart at that point in the night.  Got used to using it and never changed.  Seriously, my guys remember that better then service whatever restart.

duncan

Radius
« Reply #24 on: December 21, 2004, 01:06:59 AM »
:-)  And here was me expecting some little discussed - highly important - freeradius related reason.

cc_skavenger

Radius
« Reply #25 on: December 21, 2004, 01:22:27 AM »
sorry

buknoy

Freeradius Web Interface
« Reply #26 on: January 02, 2005, 09:09:51 AM »
I once had a RH 7.3 FreeRADIUS server installed for me. Although I have no idea with its technicalities, I tried to modify the Freeradius by making a backup of the /dialupadmin directory. I protected the folder with .htaccess to make sure only allowed clients can access it.

Next, I modified the PHP scripts pertaining to queries and deleted all admin-related scripts. Whenever my dialup clients try to access this particular folder, Apache authenticates them. After authentication, the PHP scripts use the authenticated user's info to display only his usage plus an invoice. (This is my own idea of using it for client-side web interface)

The original /dialupadmin folder is also protected as I use it for administration.

All worked well until I crashed my server and the person I had it installed is out of reach. I cannot reconstruct it because of my limited knowledge.

Can somebody show me how to set up an SME 6 server with a CISCO 2511 router using the sme-radius-1.0-1? What configuration files should I modify?  :-?

idyll
radius
« Reply #27 on: January 06, 2005, 06:07:32 PM »
Hello cc_skavenger...

is your "how to" still available in any form? Your link at the top of the thread is broken.

thanks in advance.

regards,

patrick
...

Franco
Radius
« Reply #28 on: February 22, 2005, 08:29:16 PM »
cc_skavenger,
I'm trying to do the same for my wireless net, can you share how you implemented it?
I have it running and #radiusd -X returns ok, I have changed the settings on radiusd.conf and clients.conf, added a user and password on the users file, and need directions on where to go now!
Regards,

Medimo

Radius
« Reply #29 on: February 23, 2005, 09:15:29 AM »
Am no expert on this, but on http://www.freeradius.org/mod_auth_radius/ you can find an Apache module to use radius authentication. You can use any radius server, so for example your own freeradius one. This way you can also implement some radius token authentication.

Richard

cc_skavenger

Radius
« Reply #30 on: February 24, 2005, 01:16:37 AM »
Sure,

I configured radius as follows.  My wireless network consists of many AP-Plus's, many AP-1000s, and countless other brands of access points too numerous to mention.

Edit radiusd.conf, configure items necessary for your network.  This is how my file is configured:
 
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 1.2.3.4
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no    # Don't want users with duplicate macs on the network
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no


Edit clients.conf, add an entry that looks something like this:

EXAMPLE:
client 1.2.3.4 {
        secret          = secret word
        shortname       = AP's name
        nastype         = other
}

The secret word is going to be used as the universal password from the AP to the server.  The AP must be setup to use the same word as what is put in here, anything else will never work.  The AP's name is just for the logs, tells you where the user authenticated at.

Edit users file, add an entry similar to this:

EXAMPLE:
010203-040506  Auth-Type := Local, User-Password == "secret word"

010203-040506 is the mac address of the wireless device to be authenticated.  The secret word is the same as what you used in the AP and the clients.conf file.  

That should be it.  I add users to the user file and restart the radiusd service.  Now, if the user has been denied by the AP before they were added to the list, the AP must be rebooted or they will never get authenticated.  I have set my AP's to authenticate every 15 minutes, but for some reason, when someone is denied, they are denied till I reboot.  Not really a problem for me, but might be for someone else.

HTH
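Editor's added example for the `users` file layout described in Reply #8, Reply #16 and the walkthrough above (this is not code from the thread or from FreeRADIUS). It canonicalises a MAC address to the lowercase `abcabc-abcabc` form the APs send as `User-Name`, emits entries of the exact shape shown above, parses that subset of the `users` file back (check items on the first line, reply items on indented continuation lines, as in the "jkn" entry with `Reply-Message`), and reproduces the check this setup relies on: a `User-Password ==` comparison against the AP's one shared value. One caveat a practitioner should keep in mind: the `User-Name` is the MAC the client reports and the "password" is the same for every device, so this scheme identifies devices rather than authenticating users; treat the entries as an allow-list, not as credentials. The sample file and secret below are constructed.

```python
import hmac
import re

# "name  items..." where name may be a quoted string; items are Attr op value, comma separated
NAME_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|\S+)\s*(.*)$')
ITEM_RE = re.compile(r'([A-Za-z][A-Za-z0-9-]*)\s*(:=|==|!=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')


def normalize_mac(mac):
    """Canonicalise a MAC to the lowercase six-hyphen-six form ('abcabc-abcabc')
    that the thread says the APs send as User-Name. Accepts colon, hyphen, dot
    or bare input; rejects anything that is not exactly 48 bits of hex."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.lower()
    return f"{digits[:6]}-{digits[6:]}"


def users_entry(mac, secret):
    """Produce one users-file line in the form used in this thread."""
    if '"' in secret:
        raise ValueError("secret must not contain a double quote")
    return f'{normalize_mac(mac)}\tAuth-Type := Local, User-Password == "{secret}"'


def _unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == '"' and value[-1] == '"' else value


def parse_users(text):
    """Parse the users-file subset used here into {name: {"check": {...}, "reply": {...}}}.
    A line starting in column 0 is 'name  check-items'; indented lines hold reply
    items for the preceding entry; '#' lines and blank lines are skipped. Items are
    stored as attr -> (operator, value)."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                      # continuation: reply items
            if current is None:
                raise ValueError("reply item before any entry")
            section, body = "reply", line
        else:                                      # new entry: name + check items
            m = NAME_RE.match(line)
            current = _unquote(m.group(1))
            entries.setdefault(current, {"check": {}, "reply": {}})
            section, body = "check", m.group(2)
        for attr, op, value in ITEM_RE.findall(body):
            entries[current][section][attr] = (op, _unquote(value))
    return entries


def check_access(entries, username, password):
    """Emulate the check this thread relies on: the entry named `username` (else
    DEFAULT) must carry Auth-Type Local and a User-Password == item equal to the
    cleartext password the NAS sent. Constant-time compare on the password."""
    entry = entries.get(username) or entries.get("DEFAULT")
    if entry is None:
        return False
    check = entry["check"]
    if check.get("Auth-Type", (None, None))[1] != "Local":
        return False
    op, expected = check.get("User-Password", (None, None))
    if op != "==" or expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


# Constructed sample in the layout shown in this thread.
SAMPLE_USERS = '''# constructed sample users file
010203-040506  Auth-Type := Local, User-Password == "secret word"
"jkn"   Auth-Type := Local, User-Password == "hunter2"
        Reply-Message = "Hello, %u"
'''

if __name__ == "__main__":
    entries = parse_users(SAMPLE_USERS)
    print(users_entry("AA:BB:CC:DD:EE:FF", "secret word"))
    print(check_access(entries, normalize_mac("01-02-03-04-05-06"), "secret word"))
    print(check_access(entries, normalize_mac("01-02-03-04-05-06"), "wrong"))
```

Generating entries with `users_entry` avoids the two silent failure modes the thread mentions: an upper-case or colon-separated MAC that never matches what the AP sends, and a secret that differs from the one in the AP and clients.conf.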

Franco
Radius
« Reply #31 on: February 25, 2005, 07:37:32 PM »
Excellent explanation Marco,
I'll see if I can make dialupadmin do the work of managing these for me.
Since you mentioned many Wireless AP's and the rebooting issue, let me ask you:
-How do you manage the rebooting from far away? I saw one of the Seattle Wireless TV once, where a group had managed to create a second network just to manage that side.

Once again,
Thank you!

cc_skavenger

Radius
« Reply #32 on: February 25, 2005, 08:52:31 PM »
I use the vpn service built into SME.  My servers are setup in server/gateway mode, so I can get to them from anywhere.  I setup the server so that the vpn service only gave out certain IPs, so that I wouldn't land on a customer radio IP. The radios are on a different subnet, usually a 10.X.X.X.  The routers are all on some kind of private subnet, usually a 172.X.X.X or 192.168.X.X.  The AP's, backhauls and radios are all on the same subnet.  I vpn into the SME server that handles the radius / bandwidth control and I can administer any of the radios that I need to (firmware or check to see if they are connected, etc).  This is for any of the remote sites that I also have to maintain.  If I am local, I have several IPs loaded in my laptop nic so that I can see all the local IP networks.  Kind of a strange network, but I didn't create it and I am not allowed to change it either.
For the VPN to work, I am only behind a cheap hardware router.  I had problems using the vpn from behind my SME caching gateway, so I put myself and my co-workers behind a hardware router and we don't have anymore problems.  
Hope this answered your questions.

Franco
Radius
« Reply #33 on: February 25, 2005, 09:19:24 PM »
I'm using the VPN services to connect, what happens to me sometimes is that I have a hard time tunneling from behind an SME to another SME. I'm trying to get OpenVPN working (from knuddi) and hopefully my problems will go away. What I meant was rebooting the AP from far away. Let me explain:
Some of my AP's are as far as 70 km distance. So if they get stuck and need a reboot, I have to drive that far. So was looking for solutions for this problem, not that it happens often, but it certainly would help  :pint:

Thanks,

cc_skavenger

Radius
« Reply #34 on: February 26, 2005, 06:31:22 AM »
oh, sorry.  what type of ap?  I haven't had any APs lockup like that since I replaced some senao APs and some xi-1500 APs (they didn't do radius, only internal mac authentication).  Is there any kind of server on the other side of the link, by the AP?  There was a link for controlling a device with a linux server.  It was a home automation kit from x-10.  There was a little script that would ping the device or a website, no response, it would reboot a dsl router.  Could be used for the AP...Will look for the site.


kirkf

Radius
« Reply #36 on: March 02, 2005, 07:32:19 AM »
Hello.  I've been reading through a few threads about radius and dialup_admin, but can't seem to find the sme freeradius rpm.  I've found numerous references to it, but no actual rpm... Are you using that, or just installing the tar from freeradius.org?

Thanks!

Kirk

ajkeane
Radius
« Reply #37 on: March 02, 2005, 10:03:06 AM »
I believe you can find it here in the downloads area.

http://sme.swerts-knudsen.dk/

Tony
...