Recent posts

29 days ago
Topic:
TekRadius LT edition - Cannot authenticate PEAP

Admin
Admin
Administrator
Posts: 4931
Hi,

PEAP and EAP-TTLS authentication methods require a server certificate. This is basically a certificate created for "Server Authentication" purpose. TekRADIUS looks for a suitable certificate in Windows Certificate Store / Local Machine / Personal folder for such a certificate. You can create a certificate for Server Authentication using TekCERT. You can add the TLS-Server-Certificate attribute as a check attribute to the Default user profile or an individual user profile. You can also specify the server certificate in Settings / Service Parameters if you have a commercial license.
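
An added example, not part of the original post and not TekRADIUS code: a PowerShell check of the store location the reply names (Local Machine / Personal) for certificates marked for Server Authentication. The private-key and validity-date columns are assumptions about what a TLS server certificate needs; the page does not list TekRADIUS's exact selection criteria.

```powershell
# Added example (not TekRADIUS code): audit Cert:\LocalMachine\My for
# certificates that could serve as a PEAP / EAP-TTLS server certificate.
# Run in an elevated PowerShell session on the RADIUS host.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth ("Server Authentication")
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Find the Enhanced Key Usage extension, if the certificate carries one.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }

    # Collect the EKU OIDs; stays empty when there is no EKU extension.
    $ekuOids = @()
    if ($ekuExt) {
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        # Assumption: the service needs the private key for the TLS handshake.
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $ekuOids -contains $serverAuthOid
        # No EKU extension means the certificate is not limited to any purpose.
        NoEkuLimit    = ($null -eq $ekuExt)
        WithinDates   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    }
} | Sort-Object -Property NotAfter | Format-Table -AutoSize
```

Under these assumptions, rows with HasPrivateKey, ServerAuthEku and WithinDates all True are the candidates; an empty result is consistent with the "A valid certificate could not be found" error quoted in the question.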
29 days ago
Topic:
TekRadius LT edition - Cannot authenticate PEAP

adnan101
adnan101
Posts: 1
Dear Experts,

I have used TekRadius previously for some lab testing, like a couple of months ago or maybe years (not sure of the exact time), but the same setup worked flawlessly.

I need to authenticate users via username/password from an Aruba access point. I did it before and demoed it to customers also. Now when I am using the latest version (downloaded yesterday) I cannot authenticate using the same setup. It's giving me this error: "PEAP/EAP-TTLS Authentication failed. A valid certificate could not be found for user "xxxx""

I never installed any certs on the clients (I am using an Android phone) but tried using a Win 10 laptop; the issue remains the same. In the LT version I don't know where to upload the RADIUS certificate either.

Does anybody have any idea what I might be doing wrong? It's supposed to work out of the box as it did before; perhaps something was changed in this version?
5.10.2019
Topic:
Database in "Recovery Pending"

Admin
Admin
Administrator
Posts: 4931
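You can execute the following statements if you observe "Recovery Pending" status for your TekRADIUS database:

-- Take exclusive access and put the database into emergency mode
ALTER DATABASE [TekRADIUS] SET SINGLE_USER WITH NO_WAIT;
ALTER DATABASE [TekRADIUS] SET EMERGENCY;
-- Repair the database; REPAIR_ALLOW_DATA_LOSS may discard damaged data
DBCC CHECKDB ([TekRADIUS], REPAIR_ALLOW_DATA_LOSS);
-- Bring the database back online for all users
ALTER DATABASE [TekRADIUS] SET ONLINE;
ALTER DATABASE [TekRADIUS] SET MULTI_USER WITH NO_WAIT;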
1.10.2019
Topic:
Unidentified RADIUS request type (0)

Admin
Admin
Administrator
Posts: 4931
Is it possible for you to send a Wireshark trace for this RADIUS request?
1.10.2019
Topic:
Unidentified RADIUS request type (0)

rushd_jay
rushd_jay
Posts: 1
Hi,

Is there somebody who can help me with this problem? I am getting an error in the logs:

Invalid Auth. packet received from 10.164.35.207:64072 [UDP]; Unidentified RADIUS request type (0)
27.09.2019
Topic:
Tekradius: Can't edit Server Certificate field

Admin
Admin
Administrator
Posts: 4931
Hi,

Can you send me your system id displayed at help / about menu of TekRADIUS Manager? It seems that you need a new license key.

Best regards,

Yasin KAPLAN
27.09.2019
Topic:
Tekradius: Can't edit Server Certificate field

keppy
keppy
Posts: 2
Hello,
I have TekRadius Manager version 5.4 running and I need to update my officially signed certificate. The certificate has been imported into the Windows certificate store with the private key.

Under Settings -> Service Parameters, both the TLS Port and Server Certificate are grayed out. I have no ability to select any replacement certificate (there's an old self-signed one out there too).
I've tried stopping the service and restarting the UI, but this doesn't help.
Any suggestions?
5.09.2019
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4931
Can you send TekRADIUS log entries for an EAP-TLS authentication attempt which should have failed with the Require local certificate for EAP-TLS option set, to yasin.kaplan at kaplansoft.com? Please also send me the TekRADIUS.ini file under C:\Program Files (x86)\TekRADIUS
5.09.2019
Topic:
Configuring two authentication method

Glork_78
Glork_78
Posts: 5
Hi,

No luck, it's still not working.
When I applied the TekRADIUS-status attribute as disabled on the default group to force TekRADIUS to use the other groups (otg / otg_test), I cannot authenticate anymore:

Aruba-Location-Id = 011PWLAP002P002
Aruba-Essid-Name = VITEtest
Aruba-AP-Group = VITWiFi
NAS-IP-Address = 10.1.1.129
Calling-Station-Id = 285aeb95712f
Called-Station-Id = 3817c3c06418
Aruba-Device-Type = iPhone
NAS-Port = 0
NAS-Identifier = VITEtest
State = a0106dec890992030ee86db30f0f2b9b
Framed-MTU = 1100
NAS-Port-Type = 19
User-Name = @
Service-Type = 2

05.09.2019 09:55:41.096 - User account '@' is disabled (TekRADIUS-Status).
05.09.2019 09:55:41.096 - EAP-PEAP Authentication commencing for user '@' (Windows User) [5 (111)]
05.09.2019 09:55:41.096 - PEAPv0-MS-CHAP v2 failed for user '@', sending Access-Reject (Group: Default).
05.09.2019 09:55:41.096 - Authentication failed. User account '@' or group 'Default' is disabled
4.09.2019
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4931
Here is another update: https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip Please try it and let me know the result.
4.09.2019
Topic:
Configuring two authentication method

Glork_78
Glork_78
Posts: 5
Hi

We applied the update and used the "Require local certificate for EAP-TLS" option, but no luck, it's still not working. I feel like TekRADIUS takes attributes from the default user and group only. When we create a custom user and group and apply attributes, it doesn't affect the authentication.

Thanks,
Glork
3.09.2019
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4931
Please apply the update at https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip

You will see a new parameter at Settings / Service Parameters / Require Local Certificate for EAP-TLS. Check it and save settings. This will force TekRADIUS to reject EAP-TLS authentication attempts if no local user profile with TLS-Client-Certificate is found.
3.09.2019
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4931
I'll update you in 12 hours.
3.09.2019
Topic:
Configuring two authentication method

Glork_78
Glork_78
Posts: 5
Yes, I have, and it's working fine!
However, a device without EAP-TLS as preferred EAP method (then without a certificate issued by us) is able to connect to the Wi-Fi as well using PEAP; we don't want that. How can we configure it?

Logs for EAP-TLS authen - VIT-Access SSID


Logs for PEAP authen - VIT-Access SSID


Thanks,
2.09.2019
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4931
Have you set EAP-TLS as the preferred EAP method in clients where EAP-TLS will be used as the authentication method, as instructed at https://docs.fortinet.com/document/fortiauthenticator/6.0.0/cookbook/905663/configuring-windows-10-wireless-profile-to-use-certificate ?
2.09.2019
Topic:
Configuring two authentication method

Glork_78
Glork_78
Posts: 5
Hi,

Thanks for your quick reply.

Well, that's normal; I want to prevent clients from connecting to VIT-Access if they are using PEAP instead of EAP-TLS.
I confirm that EAP is configured as authentication method in the 'OTG' Group.

Thanks,
Glork
2.09.2019
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4931
Hi,

As far as I see from the log entries, the client prefers PEAP in place of EAP-TLS. Can you confirm whether EAP-TLS is selected as the EAP authentication method?

Best regards,

Yasin KAPLAN
2.09.2019
Topic:
Configuring two authentication method

Glork_78
Glork_78
Posts: 5
Hello,

We are trying to use TekRadius to authenticate Wi-Fi users in my company with two different authentication methods: SSID 'VIT-Access' using EAP-TLS (certificate) and VITEtest on PEAP (username / password).

Can anyone tell me how to set this up with TekRadius?


I've created two users:
- VIT-Access in group 'OTG'
  - Attributes: Aruba-AP-Group = VITWiFi; Aruba-Essid-Name = VIT-Access; TLS-Client-Certificate = Server_name; TLS-Server-Certificate = Server_name
  - Group OTG attributes: Authentication-Method = EAP; Windows-Domain = company_domain

- VITEtest in group 'OTG_test'
  - Attributes: Aruba-AP-Group = VITIWiFi; Aruba-Essid-Name = VITEtest
  - Group OTG_test attributes: Authentication-Method = Windows; Windows-domain = company domain

PEAP authen on VIT-Access:


EAP authen on either VIT-access and VITEtest:


Unfortunately this configuration doesn't work: when I connect a device to either VIT-Access or VITEtest, it always connects with the PEAP authen method. If I apply an EAP method in the default group, neither VIT-Access nor VITEtest is accessible for devices which don't have a certificate. I've attached log details.



Thank you,
Glork,
27.08.2019
Topic:
msNPCallingStationID & msRADIUSFramedIPAddress

Admin
Admin
Administrator
Posts: 4931
You can validate user Ethernet MAC address received in RADIUS authentication requests against msNPCallingStationID value in Active Directory for Active Directory users.

You can assign static IP addresses to Active Directory users by setting the msRADIUSFramedIPAddress Active Directory attribute.

msNPCallingStationID and msRADIUSFramedIPAddress attribute support requires a commercial license.
16.08.2019
Topic:
PEM Cert Conversion for PEAP Authentication

Admin
Admin
Administrator
Posts: 4931
You're welcome



