Koozali.org: home of the SME Server

radius

frank3427

radius
« on: February 17, 2006, 04:30:58 AM »
I would like to know if anyone is using the radius server on SME7?

Offline gordonr

Re: radius
« Reply #1 on: February 17, 2006, 08:06:59 AM »
Quote from: "frank3427"
I would like to know if anyone is using the radius server on SME7?

It is being used for PPTP authentication.

Offline william_syd

radius
« Reply #2 on: February 19, 2006, 02:01:14 AM »
Can it be used outside of SME7 ?

Say to authenticate users for Openfiler ?
Regards,
William

IF I give advice.. It's only if it was me....

Offline gordonr

radius
« Reply #3 on: February 19, 2006, 11:54:08 PM »
Quote from: "william_syd"
Can it be used outside of SME7 ?

Say to authenticate users for Openfiler ?

It's the freeradius package from CentOS. You'll need to work out the configuration magic required, and if we need to change the base configuration to help, please raise a bug. Thanks.

Offline slords

radius
« Reply #4 on: February 21, 2006, 03:18:30 AM »
The framework is already in place for radius.  In order to use it please define the client host in hostnames and addresses.

Once you have done this then you need to define the shared radius key for that host.  You can do this with the following command:

db hosts setprop {full hostname} RadiusKey {random string of characters}
signal-event remoteaccess-update

ex.

db hosts setprop wireless.mydomain.com RadiusKey abcdefg123456789
signal-event remoteaccess-update

After this I'd go to the device defined by wireless.mydomain.com and point to the internal interface ip for the server and enter the same key.

I've successfully implemented 802.1x (WPA) for many different access points this way.  Auth parameters are for PEAP-MSCHAP2.  Any defined user with a valid password should be allowed to authenticate.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook

pepe

radius
« Reply #5 on: February 27, 2006, 10:59:20 AM »
Quote from: "slords"
The framework is already in place for radius.  In order to use it please define the client host in hostnames and addresses.

Eh.. could you be more specific, please ? Where do we find this ?
Tnx.

Offline william_syd

radius
« Reply #6 on: February 27, 2006, 02:45:56 PM »
Quote from: "pepe"
Where do we find this ?
Tnx.

In the server manager I would say.
Regards,
William

IF I give advice.. It's only if it was me....

dean-za

radius
« Reply #7 on: March 23, 2006, 09:54:08 AM »
Shad

I tried what you said but I can't see the radiusd server is even running. If I netstat -an | grep tcp I do not see any service running on port 1812 or 1813. An nmap scan from a separate machine yields the same results.  I even tried this

config set radiusd service access public status enabled TCPPorts 1812,1813
signal-event remoteaccess-update

The radius.conf file says to bind to * and port = 0, which should mean that it uses all interfaces and reads the port numbers from /etc/services. All of this seems correct and yet no service running. Any ideas on where to look?

Thanks
Dean

Offline JonB

radius
« Reply #8 on: March 23, 2006, 10:33:03 AM »
dean-za

Code:
config set radiusd service access public status enabled TCPPorts 1812,1813

SME7 does not yet implement opening multiple comma separated ports using TCPPorts. You will need to open the ports individually using TCPPort.

This function and opening a range of ports TCPPort xxxx:xxxx will not be available till SME7.1.


Jon

tartjagger

radius
« Reply #9 on: March 23, 2006, 02:20:09 PM »
Quote from: "slords"


I've successfully implemented 802.1x (WPA) for many different access points this way.  Auth parameters are for PEAP-MSCHAP2.  Any defined user with a valid password should be allowed to authenticate.


I followed the instructions given and it worked a treat using WEP encryption. It was necessary to set the Access point authentication to 'open' which threw me for a while.

Offline Franco

radius
« Reply #10 on: March 23, 2006, 03:02:53 PM »
What would the advantage be? I have Radius authenticating the MAC address access, but not the WPA keys. Do the keys get rotated from time to time?

dean-za

radius
« Reply #11 on: March 24, 2006, 02:25:10 PM »
But the service should still be available to the local network. How else can I check why I can't see any service running on those ports?

Dean

Offline JonB

radius
« Reply #12 on: March 24, 2006, 03:33:10 PM »
dean-za,

I think you will find that the firewall is not set to allow local access.

do

Code:
config setprop radiusd access private TCPPort 1812
config set radius-acct service status enabled access private TCPPort 1813
signal-event remoteaccess-update


Code:
iptables -L

should show the ports open.

Jon

brit-dub

radius
« Reply #13 on: April 26, 2006, 06:15:25 PM »
Hi all

I was looking to set up a freeradius server for use with http://www.locustworld.com/ but after reading this on the forum I'm given the idea I might be able to use sme server 7, or can I?

Or am I barking up the wrong tree? Any advice would be most welcome.

Just one other thing does the dialupadmin web interface work ? or can it be got working ?

TIA  

Brit

Offline Franco

radius
« Reply #14 on: July 25, 2007, 07:02:38 PM »
Quote from: "slords"
The framework is already in place for radius.  In order to use it please define the client host in hostnames and addresses.

Once you have done this then you need to define the shared radius key for that host.  You can do this with the following command:

db hosts setprop {full hostname} RadiusKey {random string of characters}
signal-event remoteaccess-update

ex.

db hosts setprop wireless.mydomain.com RadiusKey abcdefg123456789
signal-event remoteaccess-update

After this I'd go to the device defined by wireless.mydomain.com and point to the internal interface ip for the server and enter the same key.

I've successfully implemented 802.1x (WPA) for many different access points this way.  Auth parameters are for PEAP-MSCHAP2.  Any defined user with a valid password should be allowed to authenticate.


This example shows how to add a client to the database and eventually to the /etc/raddb/clients.conf
Now how are you implementing the rest, such as users and MAC?

Thanks,

Offline brick

radius
« Reply #15 on: August 12, 2007, 01:59:12 AM »
OK, I'm also trying to get a grip on the radius server.
I have set a DHCP server besides the SME where it reads from a radius server (SME). I used the commands above and set the NAS and it works. But it doesn't accept my client:
Code:
rad_recv: Access-Request packet from host 172.16.0.2:32771, id=113, length=110
        NAS-Port-Type = Ethernet
        NAS-Port = 2210398321
        Calling-Station-Id = "1:0:3:93:9a:33:2"
        Called-Station-Id = "dhcp"
        User-Name = "00:03:93:9A:33:02"
        User-Password = ""
        NAS-Identifier = "Talles"
        NAS-IP-Address = 172.16.0.2
rad_recv: Access-Request packet from host 172.16.0.2:32771, id=113, length=110
Sending Access-Reject of id 113 to 172.16.0.2:32771

Here I have set the MAC (00:03:93:9A:33:02) and IP on the Hostnames and Addresses of the SME.
I supposed the Radius would pass the information to my DHCP server based on what I have set in the Hostnames and Addresses Panel. Am I wrong?

Offline Franco

radius
« Reply #16 on: August 12, 2007, 04:19:02 PM »
Ahhh how I wish  :wink:
I don't think the hostnames and addresses write to radius, you can in fact turn the radius off. It writes an entry for the DHCP and DNS.
Correct me here if I am wrong, but you can only use the radius server as the PEAP-MSCHAP2 parameter against the username/address on the SME Server.

Offline HACKERSOFT2011

Re: radius
« Reply #17 on: January 10, 2012, 06:06:09 AM »
Any update on this?

It seems that port 1812 and 1813 are closed. How to open it? Or, what is the port used by radiusd on smeserver?

I tried telnet to smeserver on port 1812 but it says:

Connecting To 192.168.1.9...Could not open connection to the host, on port 1812: Connect failed

telnet to other ports are okay, e.g. 80...

I also did:
nc -v -w 1 localhost -z 1810-1815

with the following results
nc: connect to localhost port 1810 (tcp) failed: Connection refused
nc: connect to localhost port 1811 (tcp) failed: Connection refused
nc: connect to localhost port 1812 (tcp) failed: Connection refused
nc: connect to localhost port 1813 (tcp) failed: Connection refused
nc: connect to localhost port 1814 (tcp) failed: Connection refused
nc: connect to localhost port 1815 (tcp) failed: Connection refused

Any help on this? Thanks!

p.s. I am already on the current beta of smeserver 8 and still having the same issues.
« Last Edit: January 10, 2012, 06:17:25 AM by HACKERSOFT2011 »

Offline HACKERSOFT2011

Re: radius
« Reply #18 on: January 11, 2012, 06:09:58 PM »
radiusd is verified to be working using NTRadPing test tool but results with the following:

response: Access-Reject

for any user. Is there any guide around so it will accept connection from authenticating users?

Any radius geek out there... help is appreciated! Thanks!
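
Added example, not part of any post in this thread: RADIUS authentication and accounting are carried over UDP (RFC 2865/2866), so TCP checks with telnet, nc or `grep tcp` cannot show whether radiusd is answering on 1812/1813. The Python code below sends one PAP Access-Request over UDP and verifies the Response Authenticator, which only matches when the client and server hold the same shared secret (the RadiusKey set earlier in the thread). The user name, password and NAS-Identifier are constructed values; the address and key are the examples quoted above.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(code: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(user, password, secret, ident=1, req_auth=None):
    """Return (packet, request authenticator) for a PAP Access-Request (code 1)."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(1, user.encode())                                         # User-Name
             + attr(2, hide_password(password.encode(), secret, req_auth))  # User-Password
             + attr(32, b"probe"))                          # NAS-Identifier (constructed)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def check_reply(reply: bytes, req_auth: bytes, secret: bytes):
    """Return (code, authentic); code 2 = Access-Accept, 3 = Access-Reject."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return code, hmac.compare_digest(expected, reply[4:20])

def probe(server, user, password, secret, port=1812, timeout=3.0):
    """Send one request over UDP; None means nothing came back before the timeout."""
    packet, req_auth = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None  # firewall drop, daemon down, or client not defined on the server
    return check_reply(reply, req_auth, secret)

if __name__ == "__main__":
    # Address and key are the examples quoted in the thread; user/password are constructed.
    print(probe("192.168.1.9", "testuser", "testpass", b"abcdefg123456789"))
```

A reply of `(3, True)` means the shared secret matches and the server refused the credentials or the authentication method; a reply whose authenticator fails verification points at a shared-secret mismatch between the client and the server.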

Offline CharlieBrady

Re: radius
« Reply #19 on: January 12, 2012, 04:00:45 AM »
Any radius geek out there... help is appreciated! Thanks!

I'd suggest that you look for those on a radius forum/website/mailing list.