Hello Thomas,

Your configuration should be fine. radpwtst does not support PEAP. You can use, for example, eapol_test that is part of wpa_supplicant to test PEAP/EAP-TTLS authentication from the command line.

MSCHAPv2 requires that the user password is available in cleartext or NT-HASH format. So, for example, this entry in the users file should work:

mikem User-Password="fred"

Can you test with eapol_test or with a real device with the Netgear AP?

Best Regards,
Sami

On 03/06/2015 07:46 PM, Thomas Kurian wrote:
> Dear Heikki,
> Thanks for your support and guidance.
> I have modified my radius.cfg as advised in your following email, but
> still Access-Request results as No-Reply. Please note that I have used
> the same EAP certificates from the (goodies->certificates) folder.
>
> I tried the following radpwtst:
>
> 1. radpwtst -s 192.168.0.217 -secret xxxxx -trace 4 -auth_port 1812
> 2. radpwtst -s 192.168.0.217 -secret xxxxx -trace 4 -auth_port 1812
> -user mikem -password fred
> 3. radpwtst -s 192.168.0.217 -secret xxxxx -trace 4 -auth_port 1812
> -user User -password clientPass
>
> Please advise the specific 'user and password' format to be defined in
> the users file to be tested for authentication using radpwtst for our
> radius.cfg. Please also advise the recommended radpwtst to be performed
> as the above mentioned is still providing No-Reply to the Access-Request.
>
> There is network connectivity between our radiator and Netgear AP
> (ping). Kindly check my following configuration and advise on how to
> proceed.
>
> #Foreground
> #LogStdout
>
> AcctPort 1813
> AuthPort 1812
>
> LogDir /var/log/radius
> DbDir /etc/radiator
> DictionaryFile /etc/radiator/dictionary
>
> Trace 4
>
> <Client DEFAULT>
>     Secret xxxxx
>     DupInterval 0
> </Client>
>
> # Our Netgear AP for testing
> <Client 192.168.0.217>
>     Secret xxxxx
>     DupInterval 0
> </Client>
>
> <AuthLog FILE>
>     Identifier myauthlogger
>     Filename %L/authlog
>     LogSuccess 1
>     LogFailure 1
> </AuthLog>
>
> <Handler Request-Type="Access-Request",TunnelledByPEAP=1>
>     Identifier EAP-MSCHAP-V2
>     <AuthBy FILE>
>         Filename /etc/radiator/users
>
>         # This tells the PEAP client what types of inner EAP requests
>         # we will honour
>         EAPType MSCHAP-V2
>     </AuthBy>
>
>     # Log authentication success and failure to the a file
>     AuthLog myauthlogger
>
>     # PostAuthHook
> file:"/root/Desktop/Radiator-Locked-4.14/goodies/eap_anon_hook.pl"
> </Handler>
>
> <Handler Request-Type="Access-Request">
>     Identifier EAP-PEAP
>     <AuthBy FILE>
>         Filename %D/users
>
>         EAPType PEAP
>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>
>         EAPTLS_PEAPVersion 0
>
>     </AuthBy>
>
>     AuthLog myauthlogger
>
>     #PreProcessingHook
> file:"/root/Desktop/Radiator-Locked-4.14/goodies/eap_anon_hook.pl"
>     AcctLogFileName /etc/radiator/detail
> </Handler>
>
> Best Regards,
>
> Thomas Kurian
> Information Security Engineer,Pre-Sales.
> Kuwaiti Canadian Consulting Group (www.kccg.com)
> T: +965 22435566
> F: +965 22415149
> E: tho...@kccg.com
>
> Subject: radiator Digest, Vol 70, Issue 3
> Date: Mon, 02 Mar 2015 12:00:01 -0600
> From: radiator-requ...@open.com.au
> Reply-To: radiator@open.com.au
> To: radiator@open.com.au
>
> Message: 2
> Date: Mon, 02 Mar 2015 17:23:00 +0200
> From: Heikki Vatiainen <h...@open.com.au>
> Subject: Re: [RADIATOR] User Auth settings: Netgear AP + Radiator
> To: radiator@open.com.au
> Message-ID: <54f48054.6070...@open.com.au>
> Content-Type: text/plain; charset=windows-1252
>
> On 02/28/2015 12:11 PM, Thomas Kurian wrote:
>
>> We want to make our wifi users connecting via Netgear wnr2000v3 wireless
>> router, to authenticate using radiator RADIUS server (172.16.0.205).
>> Please let me know what more need to be done further to our following
>> radius.cfg & default users file in order to ensure our wifi users get
>> forced to authenticate with our radiator server.
>
> Please see goodies/eap_peap.cfg for PEAP example. PEAP is one of the
> protocols WPA/WPA2 Enterprise uses.
>
>> Also please advise if it is radiator's /var/log/radius/logfile the only
>> place to test & check if the authentication is happening, once the user
>> connects via the router using the credentials mentioned in radiator's
>> user file?
>
> You can configure <AuthLog ...>, for example, AuthLog FILE to log
> authentication success and failure events. See goodies/authlog.cfg for
> an example.
>
> The Radiator logfile is useful for debugging and monitoring for errors,
> but AuthLog logs just authentication events.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen <h...@open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
>
> ------------------------------
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
> End of radiator Digest, Vol 70, Issue 3
> ***************************************

--
Sami Keski-Kasari <sam...@open.com.au>
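
The eapol_test check suggested in the reply above, as an added example that is not part of the original thread: it writes a PEAPv0/EAP-MSCHAPv2 profile for the mikem/fred test user and runs it against the RADIUS server. The helper name, the RADIUS_SERVER, RADIUS_SECRET and CA_CERT variables, the profile filename, the ssid value and the anonymous outer identity are assumptions; the CA path default assumes the test runs on the Radiator host, where %D is /etc/radiator.

```shell
#!/bin/sh
# Added example (not from the thread): eapol_test profile for PEAPv0 with inner
# EAP-MSCHAPv2, matching EAPTLS_PEAPVersion 0 and EAPType MSCHAP-V2 in the config.

# write_peap_conf FILE USER PASSWORD CA_CERT  (hypothetical helper)
# Returns 2 without writing if a value contains a double quote, which would
# break out of the quoted field in the generated profile.
write_peap_conf() {
    conf=$1; user=$2; pass=$3; ca=$4
    case "$user$pass$ca" in *\"*) return 2 ;; esac
    (
        umask 077    # the profile contains the cleartext test password
        cat > "$conf" <<EOF
network={
    ssid="eapol-test"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="$user"
    password="$pass"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    ca_cert="$ca"
}
EOF
    )
}

# Runs only when RADIUS_SERVER is set and eapol_test is installed.
# The sending host must match a <Client> clause (the posted config has DEFAULT).
if [ -n "${RADIUS_SERVER:-}" ] && command -v eapol_test >/dev/null 2>&1; then
    write_peap_conf ./peap-mikem.conf mikem fred \
        "${CA_CERT:-/etc/radiator/certificates/demoCA/cacert.pem}"
    # -a server address, -p auth port (AuthPort 1812), -s shared secret
    eapol_test -c ./peap-mikem.conf -a "$RADIUS_SERVER" -p 1812 \
        -s "${RADIUS_SECRET:?set RADIUS_SECRET}"
fi
```

eapol_test ends its output with SUCCESS or FAILURE; with Trace 4 and the AuthLog from the posted configuration, the same attempt should also appear in the Radiator logfile and in %L/authlog.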