Topic: radius

[frank3427]

I would like to know if anyone is using the radius server on SME7?

[gordonr]

I would like to know if anyone is using the radius server on SME7?

It is being used for PPTP authentication.

[william_syd]

Can it be used outside of SME7 ?

Say to authenticate users for Openfiler ?

[gordonr]

Can it be used outside of SME7 ?

Say to authenticate users for Openfiler ?

It's the freeradius package from CentOS. You'll need to work out the configuration magic required, and if we need to change the base configuration to help, please raise a bug. Thanks.

[slords]

The framework is already in place for radius.  In order to use it please define the client host in hostnames and addresses.

Once you have done this then you need to define the shared radius key for that host.  You can do this with the following command:

db hosts setprop {full hostname} RadiusKey {random string of characters}
signal-event remoteaccess-update

ex.

db hosts setprop wireless.mydomain.com RadiusKey abcdefg123456789
signal-event remoteaccess-update

After this I'd go to the device defined by wireless.mydomain.com and point to the internal interface ip for the server and enter the same key.

I've successfully implemented 802.1x (WPA) for many different access points this way.  Auth parameters are for PEAP-MSCHAP2.  Any defined user with a valid password should be allowed to authenticate.

[pepe]

The framework is already in place for radius.  In order to use it please define the client host in hostnames and addresses.

Eh.. could you be more specific, please ? Where do we find this ?
Tnx.[/quote]

[william_syd]

Where do we find this ?
Tnx.

[/quote]

In the server manager I would say.

[dean-za]

Shad

I tried what you said but I cant see the radiusd server is even running. If I netstat -an | grep tcp I do not seee any service running on port 1812 or 1813. A nmap scan from a seperate machine yields the same results.  I even tried this

config set radiusd service access public status enabled TCPPorts 1812,1813
signal-event remoteaccess-update

the radius.conf file says to bind to * and port = 0 which should mean that it uses all interfaces and read the port numbers from /etc/sevices. All of this seems correct and yet no service running. Any ideas on where to look ?

Thanks
Dean

[JonB]

dean-za

Code: [Select]

config set radiusd service access public status enabled TCPPorts 1812,1813

SME7 does not yet implement opening multiple comma seperated ports using TCPPorts. You will need to open the ports individually using TCPPort.

This function and opening a range of ports TCPPort xxxx:xxxx will not be available till SME7.1.


Jon

[tartjagger]

I've successfully implemented 802.1x (WPA) for many different access points this way.  Auth parameters are for PEAP-MSCHAP2.  Any defined user with a valid password should be allowed to authenticate.

I followed the instructions given and it worked a treat using WEP encryption. It was necessary to set the Access point authentication to 'open' which threw me for a while.

[Franco]

What would the advantage be? I have Radius authenticating the MAC address access, but not the WPA keys. Do the keys get rotated from time to time?

[dean-za]

but the service should still be available to the local network , how else can i check why i cant see any service running on those ports ?

Dean

[JonB]

dean-za,

I think you will find that the firewall is not set to allow local access.

do

Code: [Select]

config setprop radiusd access private TCPPort 1812
config set radius-acct service status enabled access private TCPPort 1813
signal-event remoteaccess-update

Code: [Select]

iptables -L

should show the ports open.

Jon

[brit-dub]

Hi all

I'm was looking to set up a freeradius server for use with http://www.locustworld.com/ but after reading this on the forum I'm given the idea I might be able to use sme server 7, or can I ?

or am I barking up the wrong tree ? any advice would me most welcome.

Just one other thing does the dialupadmin web interface work ? or can it be got working ?

TIA  

Brit

[Franco]

The framework is already in place for radius.  In order to use it please define the client host in hostnames and addresses.

Once you have done this then you need to define the shared radius key for that host.  You can do this with the following command:

db hosts setprop {full hostname} RadiusKey {random string of characters}
signal-event remoteaccess-update

ex.

db hosts setprop wireless.mydomain.com RadiusKey abcdefg123456789
signal-event remoteaccess-update

After this I'd go to the device defined by wireless.mydomain.com and point to the internal interface ip for the server and enter the same key.

I've successfully implemented 802.1x (WPA) for many different access points this way.  Auth parameters are for PEAP-MSCHAP2.  Any defined user with a valid password should be allowed to authenticate.

This example shows how to add a client to the database and eventually to the /etc/raddb/clients.conf
Now how are you implementing the rest, such as users and MAC?

Thanks,

[brick]

OK, I'm also trying to get a grip on the radius server.
I have set a DHCP server besides the SME where it it reads from a radius server (SME). I used the commands above and set the NAS and it works. But it doesn't accept my client:

Code: [Select]

rad_recv: Access-Request packet from host 172.16.0.2:32771, id=113, length=110
        NAS-Port-Type = Ethernet
        NAS-Port = 2210398321
        Calling-Station-Id = "1:0:3:93:9a:33:2"
        Called-Station-Id = "dhcp"
        User-Name = "00:03:93:9A:33:02"
        User-Password = ""
        NAS-Identifier = "Talles"
        NAS-IP-Address = 172.16.0.2
rad_recv: Access-Request packet from host 172.16.0.2:32771, id=113, length=110
Sending Access-Reject of id 113 to 172.16.0.2:32771

Here I have set the MAC (00:03:93:9A:33:02) and IP on the Hostnames and Addresses of the SME.
I supposed the Radius would pass the information to my DHCP server based on what I have set in the Hostnames and Addresses Panel. Am I wrong?

[Franco]

Ahhh how I wish  
I don't think the hostnames and addresses write to radius, you can in fact turn the radius off. It writes an entry for the DHCP and DNS.
Correct me here if I am wrong, but you can only use the radius server as the PEAP-MSCHAP2 parameter against the username/address on the SME Server.

[HACKERSOFT2011]

Any update on this?

It seems that port 1812 and 1813 are closed. How to open it? Or, what is the port used by radiusd on smeserver?

I tried telnet to smeserver on port 1812 but it says:

Connecting To 192.168.1.9...Could not open connection to the host, on port 1812: Connect failed

telnet to other ports are okay, e.g. 80...

I also did:
nc -v -w 1 localhost -z 1810-1815

with the following results
nc: connect to localhost port 1810 (tcp) failed: Connection refused
nc: connect to localhost port 1811 (tcp) failed: Connection refused
nc: connect to localhost port 1812 (tcp) failed: Connection refused
nc: connect to localhost port 1813 (tcp) failed: Connection refused
nc: connect to localhost port 1814 (tcp) failed: Connection refused
nc: connect to localhost port 1815 (tcp) failed: Connection refused

Any help on this? Thanks!

p.s. I am already on the current beta of smeserver 8 and still having the same issues.

[HACKERSOFT2011]

radiusd is verified to be working using NTRadPing test tool but results with the following:

response: Access-Reject

for any user. Is there any guide around so it will accept connection from authenticating users?

Any radius geek out there... help is appreciated! Thanks!

[CharlieBrady]

Any radius geek out there... help is appreciated! Thanks!

I'd suggest that you look for those on a radius forum/website/mailing list.