
5 days ago
Topic:
Using other request attribute as username

Admin
Administrator
Posts: 4938
Hi,

Please apply update at https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip (or https://www.kaplansoft.com/tekradius/release/TekRADIUSLT-Update.zip if you have installed TekRADIUS LT) and try with

Select Attribute, Val from Users where UserName=iif('%ericsson-ab|97%' != '', '%ericsson-ab|97%', '%ietf|1%') and AttrType=0


again.


Best regards,


Yasin KAPLAN
5 days ago
Topic:
Using other request attribute as username

teedee
Posts: 1
Hi Yasin,

we'd like to authenticate a user based on the port he's coming from instead of his actual MAC address.
(DHCP Option 82 using the Agent-Circuit-Id)

Is it possible to rewrite or change request attributes (especially the username = ietf|1) during authentication?

The MikroTik equipment we are using does always send the MAC address as username (which is fine in general)
but in our case in addition the attribute Agent-Circuit-ID (they use Vendor redback, Attribute-ID 97):

User-Name = 64:d1:54:99:18:0d
NAS-IP-Address = 192.168.1.2
Agent-Circuit-Id = p2-as-02 eth 0/22:100

We tried something like...

Select Attribute, Val from Users where UserName=iif('%redback|97%' != '', '%redback|97%', '%ietf|1%') and AttrType=0

...as custom authentication query.

Using SQL Profiler we noticed that TekRADIUS doesn't seem to parse the Vendor attribute in the query.
Also TekRADIUS fires a couple of other queries that contain the original username (MAC).

Do you have any hints for us if or how we can accomplish this?

Thanks and kind regards,
Teedee.


PS: 2352/redback seems to be renamed ericsson-ab by now - tried that as well...
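
The fallback that the custom query above expresses with iif(), shown as an added example that is not part of the original posts and not TekRADIUS code: it parses a constructed Access-Request, reads vendor 2352 / attribute 97 from the Vendor-Specific attribute, and falls back to User-Name when that attribute is absent or empty. The function names and the sample packet are assumptions made for this illustration, and only the first sub-attribute of each Vendor-Specific attribute is read.

```python
import struct

REDBACK_VENDOR_ID = 2352             # vendor id named in the post (redback / ericsson-ab)
AGENT_CIRCUIT_ID = 97                # vendor attribute id named in the post
USER_NAME, VENDOR_SPECIFIC = 1, 26   # IETF attribute types (RFC 2865)

def attr(t, value):
    """Encode one type-length-value attribute (hypothetical helper)."""
    return bytes([t, len(value) + 2]) + value

def build_access_request(user_name, circuit_id=None):
    """Build a constructed Access-Request (code 1) used as sample input."""
    body = attr(USER_NAME, user_name.encode())
    if circuit_id is not None:
        sub = attr(AGENT_CIRCUIT_ID, circuit_id.encode())
        body += attr(VENDOR_SPECIFIC, struct.pack("!I", REDBACK_VENDOR_ID) + sub)
    return struct.pack("!BBH16s", 1, 42, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return {(vendor_id, type): value}; vendor_id 0 means IETF. Rejects bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    out, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        t, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if t == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            out[(vendor, vtype)] = value[6:4 + vlen]
        else:
            out[(0, t)] = value
        pos += alen
    return out

def lookup_key(packet):
    """Circuit id when present and non-empty, else User-Name (the iif() fallback)."""
    attrs = parse_attributes(packet)
    circuit = attrs.get((REDBACK_VENDOR_ID, AGENT_CIRCUIT_ID), b"")
    return (circuit or attrs.get((0, USER_NAME), b"")).decode()
```
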
12.02.2020
Topic:
iPSK configuration

Admin
Administrator
Posts: 4938
You're welcome
12.02.2020
Topic:
iPSK configuration

ag66
Posts: 4
Thanks a lot. I can confirm that it is working exactly as expected.
12.02.2020
Topic:
iPSK configuration

Admin
Administrator
Posts: 4938
You can have a Default user profile in TekRADIUS. Just create a user profile named Default in Users tab and add Tunnel-Password value as a Success-Reply attribute.
12.02.2020
Topic:
iPSK configuration

ag66
Posts: 4
Thanks a lot. The capture helped me get the issue sorted out. So iPSK is working now fine for users (MAC addresses) in the database.

One final question: for users not in the database I want to allow connections (Auth-Type Accept) as long as the PSK is correct. To do this in iPSK you send a Success reply by default along with the Success-Reply attribute Tunnel-Password. Is there a way to configure this in TEK? Some RADIUS servers allow a DEFAULT user entry.

Andres
12.02.2020
Topic:
iPSK configuration

Admin
Administrator
Posts: 4938
Hi,

I recommend that you get a Wireshark trace on the TekRADIUS installed machine to see the RADIUS access request packets arriving at TekRADIUS. Please also set Logging = Debug at Settings / Service Parameters in TekRADIUS Manager and check the log file, which is accessible through the File menu of TekRADIUS Manager.

Best regards,

Yasin KAPLAN
11.02.2020
Topic:
iPSK configuration

ag66
Posts: 4
Hi Yasin, I did try to add Tunnel-Password value as a Success-Reply attribute, and as Check attribute. Neither of them worked. When I added them I saw on a packet capture that the AP sends the RADIUS access-request 3 times to the server but the server doesn't reply.

For an SSID that is open and uses only MAC address validation, TekRADIUS is already working perfectly. Any logs that might be helpful to troubleshoot the issue?

Thanks

Andres
11.02.2020
Topic:
iPSK configuration

Admin
Administrator
Posts: 4938
Hi,

You must add Tunnel-Password as a Success-Reply attribute on a Check attribute to the user or group profile for IPSK.

Best regards,

Yasin KAPLAN
11.02.2020
Topic:
iPSK configuration

ag66
Posts: 4
Is it possible to use TekRADIUS for iPSK WiFi authentication?
On systems like FreeRADIUS or ISE you add the check attribute Tunnel-Password to the user (username is MAC address), but it seems in TEK this isn't enough.

Thanks
12.12.2019
Topic:
Unable to query Accounting Table

Admin
Administrator
Posts: 4938
Hi,

Please download and install the latest build at https://www.kaplansoft.com/tekradius/release/TekRADIUSLT.zip which is updated today.

Please quit TekRADIUS Manager, edit C:\Program Files (x86)\TekRADIUS LT\TekRADIUSLT.ini and set SaveAcct=1. Re-start TekRADIUS service after editing.

You need to have mappings for vendor specific attributes in TekRADIUS Manager / Accounting Table tab if you would like to process vendor specific attributes. You need to add new fields for these VSAs. You can create new fields while adding new mappings. Please see TekRADIUS Manual at https://www.kaplansoft.com/tekradius/Docs/Manual.pdf

Best regards,

Yasin KAPLAN
12.12.2019
Topic:
Unable to query Accounting Table

fowler9
Posts: 1
We are using TekRadiusLT for Accounting only. I've imported the dictionary from the vendor involved and can see in the TekRadius logs I get the information I'm looking for:



12.12.2019 09:41:28.174 - RadAcct req. from : 10.101.10.22:52481 [UDP]

Size : 392 / 392
Identifier : 248
Attributes :

NET-Calling-Number = +44*******
NET-Called-Number = +44*******
Acct-Status-Type = Start
Acct-Multi-Session-Id = 15761436882187
NAS-IP-Address = 10.***.**.**
Acct-Session-Id = 15761436882187|15716404480000004560


and also receive the Status-Type = Stop when the call has finished (used for Telephony Accounting logging)

However, it doesn't look to be saving that data as I'm unable to see any data either when doing a SQL query or doing a query from the Reporting tab. It says the query is completed but there's no data to view.

Interestingly, when I start the TekRadius service I get:

12.12.2019 09:45:43.545 - Accounting packets will not be recorded.


Is there a button to be clicked to turn this on? If so, I can't find it.

Any assistance would be appreciated.
Regards
6.12.2019
Topic:
[TekRadius] Authentication issue wifi client

Admin
Administrator
Posts: 4938
Hi,

"No User-Name found in access request, using 'Default'." warning is related to the RadStat request from 10.1.1.129. You can safely ignore it. Can you send me a Wireshark trace for this EAP-TLS authentication attempt from the TekRADIUS installed machine?

Best regards,

Yasin KAPLAN
6.12.2019
Topic:
[TekRadius] Authentication issue wifi client

Glork_78
Posts: 7
Hi Team,

I am moving TekRadius to another windows server, and I reconfigured it with the same parameters as before. I can't explain but wifi users can't authenticate to this new machine (using EAP authentication method). I have a " No user with username "default" could be found in the domain" message appearing quite often on the logs.

I have attached more logs to this.

Looking forward to hearing from you.
Glork_78
6.12.2019
Topic:
[TekRadius] Authentication issue wifi client

Glork_78
Posts: 7
Hi Team,

I am moving my Tekradius to another Windows server and I am using the same parameters as before. I can explain why but I can't authenticate WiFi clients with EAP authentication method to this new RADIUS. I have this error " No user with username 'default' could be found in the domain" appearing quite often in the logs.

Please find attached detailed logs.

I am looking forward to hearing from you.

Thanks,
Glork_78
13.10.2019
Topic:
TekRadius LT edition - Cannot authenticate PEAP

Admin
Administrator
Posts: 4938
Hi,

PEAP and EAP-TTLS authentication methods require a server certificate. This is basically a certificate created for "Server Authentication" purpose. TekRADIUS looks for a suitable certificate in Windows Certificate Store / Local Machine / Personal folder for such a certificate. You can create a certificate for Server Authentication using TekCERT. You can add TLS-Server-Certificate attribute as a check attribute to Default user profile or individual user profile. You can also specify server certificate in Settings / Service Parameters if you have a commercial license.
13.10.2019
Topic:
TekRadius LT edition - Cannot authenticate PEAP

adnan101
Posts: 1
Dear Experts,

I have used TekRadius previously for some lab testing like couple of months ago or maybe years (not sure the exact time) but the same setup worked flawlessly.

I need to authenticate users via username/password from an Aruba access point. I did it before and demoed it to customers also. Now when I am using the latest version (downloaded yesterday) I cannot authenticate using the same setup. It's giving me this error: "PEAP/EAP-TTLS Authentication failed. A valid certificate could not be found for user "xxxx""

I never installed any certs on the clients (I am using an Android phone) but tried using a Win 10 laptop, and the issue remains the same. In the LT version I don't know where to upload the RADIUS certificate either.

Does anybody have any idea what I might be doing wrong? It's supposed to work out of the box as it did before; perhaps something was changed in this version?
5.10.2019
Topic:
Database in "Recovery Pending"

Admin
Administrator
Posts: 4938
You can execute the following statements if you observe "Recovery Pending" status for your TekRADIUS database:

ALTER DATABASE [TekRADIUS] SET SINGLE_USER WITH NO_WAIT;
ALTER DATABASE [TekRADIUS] SET EMERGENCY;
DBCC CHECKDB ([TekRADIUS], REPAIR_ALLOW_DATA_LOSS);
ALTER DATABASE [TekRADIUS] SET ONLINE;
ALTER DATABASE [TekRADIUS] SET MULTI_USER WITH NO_WAIT;
1.10.2019
Topic:
Unidentified RADIUS request type (0)

Admin
Administrator
Posts: 4938
Is it possible for you to send a Wireshark trace for this RADIUS request?
1.10.2019
Topic:
Unidentified RADIUS request type (0)

rushd_jay
Posts: 1
Hi,

Is there somebody who can help me with this problem? I am getting an error in the logs:

Invalid Auth. packet received from 10.164.35.207:64072 [UDP]; Unidentified RADIUS request type (0)



