
Recent posts

6 days ago
Topic: Looking for old version 3.8

Lance
Posts: 1
Hello TekRADIUS community,


I have recently been turning an old PC into a backup RADIUS server. This PC is stuck with .NET 2.0.50727, but TekRADIUS 3.8 can work with it and has the Next-Group check attribute, which I would also use.

Having contacted Yasin, I was advised to ask in the forums. So if anyone has the 3.8 zip or installer somewhere, please let me know.

Thanks in advance!
13 days ago
Topic: Stopped working, possibly adding certificate

Admin
Administrator
Posts: 4869
You're welcome.
13 days ago
Topic: Stopped working, possibly adding certificate

slebbon
Posts: 11
I just wanted to close the loop in the public forums, since the solution was worked out offline and proved so helpful.

Ultimately you suggested exporting and re-importing the certificate, and that was spot-on. Upon exporting I got prompted for CNG storage access authorization, and determined that the key request had been created as a CNG request rather than a "Legacy" CryptoAPI key request, and thus the key was stored in the newer CNG store in Windows. Exporting and importing into the standard (older) method of key storage (which doesn't prompt the user for key access/usage authorization) has allowed TekRADIUS to work without issue with the GoDaddy key.


Thank you so very much for your efforts in examining this issue with me; it was very strange to me why these errors were occurring, but there is always a good explanation if we can just find it!


I am also very impressed by your feedback that you are starting to support CNG keys, and that you are obviously keeping this product well up to date and maintained. As you replied today:
"TekRADIUS supports CNGKeys but it seems that additional permissions are needed to access them. We are adding additional diagnostic output for CNG key operations in TekRADIUS."

Again, thank you for all your help; I wanted to make sure this got posted for anyone else that may run into a similar issue.
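The CNG-versus-CryptoAPI distinction above is easy to check before a certificate is handed to TekRADIUS. The following PowerShell is an added example for this thread, not code from the poster or from Kaplansoft. It reports, for every certificate in the machine store that has a private key, whether the key lives in a legacy CryptoAPI CSP or in a CNG Key Storage Provider, and then shows (as comments) the two conversion routes: re-importing an exported PFX into a legacy CSP, and generating the CSR with a legacy CSP in the first place so the question never arises. The provider name, the `<thumbprint>`/`<password>` placeholders and the certreq INF values are assumptions; the assumption that a legacy CSP is what this TekRADIUS build needs is taken from the post above.

```powershell
# Added example (not from the thread or Kaplansoft). Reports which provider holds the
# private key of each certificate in the machine store. Assumption: TekRADIUS needs the
# key in a legacy CryptoAPI CSP; a key held by a CNG Key Storage Provider is what
# produced the access prompts described in the post above.
function Get-PrivateKeyProvider {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not $Certificate.HasPrivateKey) { return 'none' }
    try {
        # On .NET Framework, X509Certificate2.PrivateKey is only populated for
        # CryptoAPI (CSP) keys; for a CNG key it is $null or throws
        # "Invalid provider type specified".
        $key = $Certificate.PrivateKey
        if ($null -ne $key) { return 'CryptoAPI: ' + $key.CspKeyContainerInfo.ProviderName }
    } catch { }
    return 'CNG (Key Storage Provider)'
}

Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    [pscustomobject]@{
        Subject     = $_.Subject
        Thumbprint  = $_.Thumbprint
        KeyProvider = Get-PrivateKeyProvider $_
    }
} | Format-Table -AutoSize

# Route 1: move a CNG-held key into a legacy CSP. The key must be exportable.
# Export as PFX, delete the original, re-import while forcing the provider.
# <thumbprint> and <password> are placeholders.
#   Export-PfxCertificate -Cert Cert:\LocalMachine\My\<thumbprint> -FilePath .\radius.pfx -Password (Read-Host -AsSecureString)
#   certutil -delstore My <thumbprint>
#   certutil -p <password> -csp "Microsoft RSA SChannel Cryptographic Provider" -importPFX My .\radius.pfx
#
# Route 2: avoid the problem at CSR time by requesting the key in a legacy CSP
# (request.inf for certreq; subject and key length are examples):
#   [NewRequest]
#   Subject = "CN=radius.example.com"
#   KeyLength = 2048
#   Exportable = TRUE
#   MachineKeySet = TRUE
#   ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
#   ProviderType = 12
#   KeySpec = 1
#   KeyUsage = 0xA0
#   RequestType = PKCS10
# then:  certreq -new request.inf request.csr
```

Run it in an elevated PowerShell on the RADIUS host; the `KeyProvider` column tells you immediately whether the GoDaddy certificate's key is in the store TekRADIUS can open without a CNG access prompt. `ProviderType = 12` (the SChannel RSA provider) with `KeySpec = 1` (AT_KEYEXCHANGE) is the classic combination for a TLS server key in CryptoAPI.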
13 days ago
Topic: Authenticating by login-pass AND MAC-address

Admin
Administrator
Posts: 4869
You can accomplish complex scenarios using the TekRADIUS External-Executable attribute. External-Executable allows you to execute your own authentication and authorization logic. A typical external executable is a VBScript that accepts the attributes received in an authentication request as command-line parameters. You can pass authorization attributes back to TekRADIUS by echoing them as console output. Please see the External-Executable section in the TekRADIUS Manual for more details.
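The scenario Andrey describes (user group membership combined with the group membership of a device account whose logon name is the MAC address, mapped to a VLAN) fits the External-Executable model above. The script below is an added example for this thread, not TekRADIUS or Kaplansoft code and not Andrey's. It assumes TekRADIUS invokes it as `powershell.exe -NonInteractive -ExecutionPolicy Bypass -File vlan-policy.ps1 <User-Name> <Calling-Station-Id>` and reads one `Attribute=Value` pair per line from stdout; that argument wiring, the reject convention (non-zero exit code) and the stdout format are assumptions to be checked against the External-Executable section of the manual. The group names (`IT-Staff`, `Employees`, `Laptops`, `Phones`), the `AABBCC112233` logon-name convention for device accounts and the policy table are hypothetical, built from the thread's own example. The MAC normalization also accepts the three formats the Verify Caller-ID feature accepts (`AA:BB:CC:11:22:33`, `AA-BB-CC-11-22-33`, `AABBCC112233`).

```powershell
<#
  vlan-policy.ps1 - added example for this thread; not TekRADIUS/Kaplansoft code.
  Assumed wiring (verify against the External-Executable section of the manual):
    powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\TekRADIUS\vlan-policy.ps1 <User-Name> <Calling-Station-Id>
  stdout: one Attribute=Value per line (authorization attributes); exit 1 = reject.
  Group names, the AABBCC112233 device-account convention and the policy table are hypothetical.
#>
param(
    [Parameter(Mandatory = $true)][string]$UserName,         # e.g. jdoe or CORP\jdoe
    [Parameter(Mandatory = $true)][string]$CallingStationId  # e.g. 00-00-00-00-00-02
)

# Accept AA:BB:CC:11:22:33, AA-BB-CC-11-22-33 or AABBCC112233 and return the
# device account's logon name (assumed convention: AABBCC112233).
function ConvertTo-DeviceLogonName([string]$Mac) {
    $hex = ($Mac -replace '[:\-\.]', '').ToUpperInvariant()
    if ($hex -notmatch '^[0-9A-F]{12}$') { throw "Calling-Station-Id '$Mac' is not a MAC address" }
    return $hex
}

# Escape the characters that are special in an LDAP search filter (RFC 4515) so a
# crafted User-Name cannot alter the query. The backslash must be escaped first.
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# CNs of the groups the account is a direct member of. memberOf does not include
# nested groups or the primary group; read tokenGroups instead if you need those.
function Get-DirectGroupNames([string]$SamAccountName) {
    $sam = ConvertTo-LdapFilterValue ($SamAccountName -replace '^.*\\', '')   # strip DOMAIN\
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return @() }
    return @($hit.Properties['memberof'] | ForEach-Object { $_ -replace '^CN=([^,]+),.*$', '$1' })
}

# Policy: (user group, device group) -> VLAN ID. First matching row wins, so the most
# privileged user groups come first: an IT member's borrowed phone still lands in VLAN 3.
$Policy = @(
    @{ User = 'IT-Staff';  Device = 'Laptops'; Vlan = 3 },
    @{ User = 'IT-Staff';  Device = 'Phones';  Vlan = 3 },
    @{ User = 'Employees'; Device = 'Laptops'; Vlan = 1 },
    @{ User = 'Employees'; Device = 'Phones';  Vlan = 2 }
)

function Resolve-Vlan([string[]]$UserGroups, [string[]]$DeviceGroups) {
    foreach ($rule in $Policy) {
        if ($UserGroups -contains $rule.User -and $DeviceGroups -contains $rule.Device) { return $rule.Vlan }
    }
    return $null
}

try {
    $userGroups   = Get-DirectGroupNames $UserName
    $deviceGroups = Get-DirectGroupNames (ConvertTo-DeviceLogonName $CallingStationId)
    $vlan = Resolve-Vlan $userGroups $deviceGroups
    if ($null -eq $vlan) {
        # No (user group, device type) rule matched: fail closed.
        exit 1
    }
    # RFC 3580 VLAN assignment attributes, echoed as the authorization result.
    Write-Output 'Tunnel-Type=VLAN'
    Write-Output 'Tunnel-Medium-Type=IEEE-802'
    Write-Output "Tunnel-Private-Group-ID=$vlan"
    exit 0
} catch {
    # Any lookup or parsing error must also fail closed, never fall through to an Accept.
    [Console]::Error.WriteLine($_.Exception.Message)
    exit 1
}
```

Two points worth keeping when adapting this: the LDAP filter escaping matters because `User-Name` and `Calling-Station-Id` arrive from the supplicant, and the script fails closed on any lookup error so that a directory outage never turns into an unrestricted VLAN. The script only decides the VLAN; the user's password is still verified by TekRADIUS itself.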
14 days ago
Topic: Authenticating by login-pass AND MAC-address

Andrey
Posts: 3
Yes, it's possible, but it does not help us here. Perhaps I failed to explain the task properly.
We don't need to "establish relationship" between certain users and devices. The concept is different:

There are users, as a separate type of entity.
Each user has some kind of permissions assigned, depending on a group membership.


There are devices, again, as a separate type of entity. They are categorized by types, and have nothing to do with users whatsoever.
Each device is identified by its MAC, and depending on the device type AND user group membership this client is assigned to a dedicated VLAN for this type with a specified ACL assigned. To give you an example, let's simplify it to 2 types: "laptops" and "phones".

Let's say, for a regular employee, "laptops" are allowed to access only a specific list of internal network resources as well as the internet, but "phones" are allowed internet access only. There are VLAN01 and VLAN02 for that. Certainly, what kind of permissions for each of the internal network resources the "laptop" user would be able to use is, in this case, determined by this user's group membership. And, of course, this employee would not be able to use his/her permissions for internal resources via his/her "phone", since there is no access to them in the first place; only an internet connection is allowed.

However, if a user, for instance, is a member of IT department, this "laptop" should be assigned to a different VLAN (VLAN03), with wider access across the network. And that goes for this person's "phone" as well, his/her "phone" should also be assigned to VLAN03.
Then, let's say, his/her "phone's" battery died, and he/she borrowed a "phone" from a regular employee mentioned above, and authenticated with his/her login. In this case the "phone" should also be assigned to VLAN03, not VLAN02.

The system is actually more complex than this. This is just for the sake of giving a simple, easily understandable example.

So, we have 2 separate entities in the form of users and devices, but only the combined criteria of user group membership and device type determine which VLAN this client would be assigned to, and, consequently, by applying ACLs, what would be accessible there.


That's what we are trying to implement. As you can see, setting multiple values to msNPCallingStationID does not help here at all.
14 days ago
Topic: Authenticating by login-pass AND MAC-address

Admin
Administrator
Posts: 4869
You can enter multiple values for the attribute named msNPCallingStationID through the Attribute Editor tab.
14 days ago
Topic: Authenticating by login-pass AND MAC-address

Andrey
Posts: 3
Thank you for your reply.

Unfortunately, using the Caller-ID attribute is not an option for us, because almost every employee uses several devices (usually at least two), and Caller-ID allows only one MAC address. That's why we came up with this complicated idea of creating AD user accounts representing devices (which I described in full detail in my previous post) in the first place.
So, the question still stands.

Also, I should probably clarify:
We certainly understand that what we are asking about is a highly customised scenario, and it is not going to be in TekRADIUS as a fully implemented feature. However, if there is a possibility, for example, to make a connection request handler run a script, passing the MAC address to it, and then to pick up the result (TRUE or FALSE) and use it as a parameter for allowing/denying the connection (and if allowing, determining which VLAN the client would be assigned to), that would be fantastic.

Additionally, I should mention that this task does not have to be solved the way we came up with. If there is something else in TekRADIUS functionality that can help us with it in another way, we are definitely open to it. The conditions are 1) information must be stored in AD, 2) users and devices "relationships" are many-to-many, i.e. each user uses several devices (of different types, with different access level), and each device may be used by many users (again, with different permissions).

So, if there is something that may help us, we would really appreciate it.
Thank you very much.
14 days ago
Topic: Authenticating by login-pass AND MAC-address

Admin
Administrator
Posts: 4869
Please make sure that you have the latest build installed (5.5.0.6).
14 days ago
Topic: Authenticating by login-pass AND MAC-address

Admin
Administrator
Posts: 4869
TekRADIUS can verify the user's MAC address when you specify the MAC address in the Dial-in section of the Active Directory user properties, in the Verify Caller-ID parameter. The MAC address can be entered in AA:BB:CC:11:22:33, AA-BB-CC-11-22-33 or AABBCC112233 format.

This feature requires a commercial license.
15 days ago
Topic: Authenticating by login-pass AND MAC-address

Andrey
Posts: 3
Hello TekRADIUS support,

We have a certain task that requires clients to be authenticated by login and password as well as the device's MAC address, and depending on the group membership of the user and device accounts the client should be put into a certain VLAN. We went through the available documentation for TekRADIUS, but were not able to get a clear answer on whether it is possible to implement this with TekRADIUS, and if it is, how to do it. So, we're asking here.

Here are the details:

Basically, what we need is that each client connection should be identified by both user-pass and MAC-address. The idea is that each user - according to his/her group membership in AD and depending on the device he/she is using - would be assigned to a certain VLAN with specified ACL.

Our company's policy requires all user accounts as well as devices' MACs info should be kept in AD. So, regular AD user accounts are used for users, nothing unusual there.
For the devices, though, we cannot use computer accounts (at least, not in a simple manner), because what we need is to store the MAC address. Moreover, there are many company devices that cannot become AD domain members, such as macOS and Android devices, and also all kinds of special equipment.

So, we created additional user accounts that have the MAC addresses of our devices as their logon names, and these accounts are grouped according to their access pattern. We can get the device's MAC address from the authentication request (from the Calling-Station-Id attribute).

Now, what we hope to do is to implement a procedure where the MAC is taken from the Calling-Station-Id attribute and then used as a username to check if this user is a member of a certain group in Active Directory. There is no need to log in as such a user per se; we just need to check whether the user is a member of a certain group, and then combine it with information about the group membership of the actual user's account, which would determine the VLAN for this connection.


So, our question is the following:
Is it possible to implement what is described above using TekRADIUS? And if it is possible, are there any tricks in such an implementation we should know about?

Thanks a lot in advance.
16 days ago
Topic: Stopped working, possibly adding certificate

Admin
Administrator
Posts: 4869
Can you also send the full session log to yasin.kaplan@kaplansoft.com?
16 days ago
Topic: Stopped working, possibly adding certificate

Admin
Administrator
Posts: 4869
How have you generated the certificate signing request?
17 days ago
Topic: Stopped working, possibly adding certificate

slebbon
Posts: 11
I re-installed the free TekCert and generated another temporary SHA-1 certificate; the wireless self-test now passes as it did before. I don't have anyone onsite any longer today to test, but I would assume it will work again for Windows PCs as it did last week, but will prompt with the untrusted certificate warning.

So that points to the GoDaddy certificate... is there something 'missing' from it? I'm not sure what else I could have done differently with them. It's valid and trusted in Windows with the private key available, expires in 2 years, and the cert trust chain is "ok" again according to Windows.
17 days ago
Topic: Stopped working, possibly adding certificate

Admin
Administrator
Posts: 4869
Can you try with the TekCERT-generated certificate again?
17 days ago
Topic: Stopped working, possibly adding certificate

slebbon
Posts: 11
LT v5.5. Logging is set to Developer.
17 days ago
Topic: Stopped working, possibly adding certificate

Admin
Administrator
Posts: 4869
Which version of TekRADIUS do you use? What is your logging level, Debug or Developer?
17 days ago
Topic: Stopped working, possibly adding certificate

slebbon
Posts: 11
Here's a packet capture of the test session (different time than the logs, but same result).

I didn't get details on the Windows client error, other than a report from the site that "the laptops can't connect to wireless".
On the vendor's device 'test radius' page there is no error reported; in the past I did get authentication failures when the username/password didn't exist, but now it's not returning anything useful beyond "test failed".
edited by Admin on 5.02.2019
17 days ago
Topic: Stopped working, possibly adding certificate

Admin
Administrator
Posts: 4869
It should be a certificate issue, since it seems that the TLS session is established. Is there any error message displayed on the client side? A Wireshark trace of an authentication attempt would be very useful to understand the cause of the problem.
17 days ago
Topic: Stopped working, possibly adding certificate

slebbon
Posts: 11
I had TekRADIUS (commercial version) working with our wireless authentication against AD for 1 day using a self-signed 'test' certificate I generated in TekCert. I then changed the certificate to a public one issued to our TekRADIUS server by GoDaddy. Since restarting TekRADIUS with that cert I don't think it has been working. When I do a RADIUS test now from our AP tool, it 'fails' even with a simple local TekRADIUS account. The end of the debug log looks like this:


01.02.2019 11:03:12.512 - Authentication query for user 'test'; SELECT Attribute, Val from Users where UserName = 'test' and AttrType = 0

01.02.2019 11:03:12.512 - EAP-PEAP Authentication commencing for user 'test' [2 (4)]

01.02.2019 11:03:12.512 - PEAP Challenge sent for user 'test' [3 (4), af1f9ed7c961f0b2c4d25d15f74e285d].

01.02.2019 11:03:12.574 - MultipleHandshakeSize = 0 [False]

Master Secret 256 byte(s)

[000] 45 8D 59 9D DA BB 71 4C 86 0E CF 64 CF 5B 47 4C E.Y...qL ...d.[GL
[010] 9F 57 CA 31 D1 6B 06 43 2B D0 74 8B D0 9A E5 49 .W.1.k.C +.t....I
[020] B1 C7 7D 55 59 05 87 D7 6A 1A DC BD 58 46 32 20 ..}UY... j...XF2
[030] DE BC D1 4B 8B 81 DB 30 E4 5B B0 31 E7 A1 C8 AD ...K...0 .[.1....
[040] 62 D6 39 CB B6 75 C5 60 64 47 FD F5 2D 4A 3A 29 b.9..u.` dG..-J:)
[050] 49 4B 08 00 8F 42 7C 10 AB 92 F5 24 7A 38 B5 AE IK...B|. ...$z8..
[060] 99 14 54 DE B5 5B DA 0E B6 2B 4F 14 EC C9 2E 94 ..T..[.. .+O.....
[070] CD C7 23 56 C0 DD 68 64 A5 8B 46 8D D7 BC 42 41 ..#V..hd ..F...BA
[080] 0A F4 4C D3 5B C5 7F 83 69 A8 8D 5A 8A 05 F1 79 ..L.[... i..Z...y
[090] 7A 43 80 1D A3 64 C3 6C C5 61 D1 13 DA 88 05 08 zC...d.l .a......
[0A0] 6D A3 CE 24 4A 74 1A FE 4B 84 64 F4 CE A7 3E 4F m..$Jt.. K.d...>O
[0B0] 4E B1 4A F2 74 64 EB 79 7A 49 83 1D 98 D3 0D F2 N.J.td.y zI......
[0C0] 83 08 72 EB 44 8D 3A 24 A3 24 8E DF E6 B2 98 2E ..r.D.:$ .$......
[0D0] CD F3 C6 3C D4 0C CE F8 30 43 D1 77 18 04 2E 89 ...<.... 0C.w....
[0E0] 8B 19 C9 42 19 22 03 1B 1D 24 B3 7F 40 84 0A 2A ...B.".. .$..@..*
[0F0] 70 39 97 F8 E9 42 A2 BD 97 10 55 D8 BC 14 97 5C p9...B.. ..U....\

Client Finished 48 byte(s)

[000] AB 81 99 20 26 A1 F6 51 9A 7B 73 A8 84 F1 5B A3 ... &..Q .{s...[.
[010] 9A EF 9C 94 A8 57 71 C1 26 7E 46 DD 61 56 24 92 .....Wq. &~F.aV$.
[020] 17 13 E5 78 B9 53 50 37 48 63 16 B9 2C 67 FE 82 ...x.SP7 Hc..,g..

01.02.2019 11:03:12.574 - PEAP Response received.

01.02.2019 11:03:12.574 - RadAuth req. from : 10.201.10.61:53726 [UDP]

Size : 503 / 503
Identifier : 5
Attributes :

Framed-MTU = 1400
State = af1f9ed7c961f0b2c4d25d15f74e285d
NAS-Port-Type = 19
Called-Station-Id = AC-17-C8-10-15-DD:SSID
Connect-Info = CONNECT 11Mbps 802.11b
Calling-Station-Id = 00-00-00-00-00-02
NAS-IP-Address = 6.16.21.221
User-Name = test

01.02.2019 11:03:12.574 - Authentication query for user 'test'; SELECT Attribute, Val from Users where UserName = 'test' and AttrType = 0

01.02.2019 11:03:12.574 - EAP-PEAP Authentication commencing for user 'test' [3 (5)]

01.02.2019 11:03:44.798 - Debug Message (Timer) Session timer expired for the session 'af1f9ed7c961f0b2c4d25d15f74e285d'

01.02.2019 11:03:44.798 - Debug Message (Timer) Session timer expired for the session '6af460f2d980af117c2378d49f09a658'



The log just ends there, and authentication in the AP test 'fails' without much detail.

What could be the problem?
27 days ago
Topic: Manager freeze on Server 2012 R2

slebbon
Posts: 11
I don't know what else to say; it certainly works fine now, and the only change was to uninstall the NPS role. Same admin account, everything; it was the only thing I changed between attempts. Try adding the NPS role from Add/Remove Server Features on your test Windows 2016 server and confirm? At any rate I'm happy now that I am finally able to test the software and see if it will work for our needs.




Powered by Jitbit Forum 8.3.8.0 © 2006-2013 Jitbit Software