Recent posts

16 days ago
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4927
Can you send TekRADIUS log entries for an EAP-TLS authentication attempt which should have failed with the "Require local certificate for EAP-TLS" option set, to yasin.kaplan at kaplansoft.com? Please also send me the TekRADIUS.ini file under C:\Program Files (x86)\TekRADIUS
17 days ago
Topic:
Configuring two authentication method

Glork_78
Glork_78
Posts: 5
Hi,

No luck, it's still not working.
When I applied the TekRADIUS-status attribute as disable on the default group to force TekRADIUS to use the other groups (otg / otg_test), I cannot authenticate anymore:

Aruba-Location-Id = 011PWLAP002P002
Aruba-Essid-Name = VITEtest
Aruba-AP-Group = VITWiFi
NAS-IP-Address = 10.1.1.129
Calling-Station-Id = 285aeb95712f
Called-Station-Id = 3817c3c06418
Aruba-Device-Type = iPhone
NAS-Port = 0
NAS-Identifier = VITEtest
State = a0106dec890992030ee86db30f0f2b9b
Framed-MTU = 1100
NAS-Port-Type = 19
User-Name = @
Service-Type = 2

05.09.2019 09:55:41.096 - User account '@' is disabled (TekRADIUS-Status).
05.09.2019 09:55:41.096 - EAP-PEAP Authentication commencing for user '@' (Windows User) [5 (111)]
05.09.2019 09:55:41.096 - PEAPv0-MS-CHAP v2 failed for user '@', sending Access-Reject (Group: Default).
05.09.2019 09:55:41.096 - Authentication failed. User account '@' or group 'Default' is disabled
17 days ago
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4927
Here is another update: https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip Please try it and let me know the result.
17 days ago
Topic:
Configuring two authentication method

Glork_78
Glork_78
Posts: 5
Hi

We applied the update and used the "Require local certificate for EAP-TLS" option, but no luck, it's still not working. I feel like TekRADIUS takes attributes from the default user and group only. When we create a custom user and group and apply attributes, it doesn't affect the authentication.

Thanks,
Glork
18 days ago
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4927
Please apply the update at https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip

You will see a new parameter at Settings / Service Parameters / Require Local Certificate for EAP-TLS. Check it and save settings. This will force TekRADIUS to reject EAP-TLS authentication attempts if no local user profile with TLS-Client-Certificate is found.
18 days ago
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4927
I'll update you in 12 hours.
19 days ago
Topic:
Configuring two authentication method

Glork_78
Glork_78
Posts: 5
Yes I have, and it's working fine!
However, a device without EAP-TLS as its preferred EAP method (and thus without a certificate issued by us) is able to connect to the Wi-Fi as well using PEAP; we don't want that. How can we configure it?

Logs for EAP-TLS authen - VIT-Access SSID


Logs for PEAP authen - VIT-Access SSID


Thanks,
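
The situation described in this post, turned into a log audit (an added example, not part of the original thread or of TekRADIUS): it flags PEAP authentications that arrive on an SSID meant to be EAP-TLS only. It assumes the log layout of the 05.09.2019 excerpt posted in this thread; the function names and the sample log are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag PEAP logins on an SSID that should be EAP-TLS only.
# Assumes each request is logged as "Name = Value" attribute lines followed
# by timestamped lines, as in the excerpt posted in this thread.

audit_peap_on_tls_ssid() {   # usage: audit_peap_on_tls_ssid SSID < logfile
  awk -v ssid="$1" '
    { sub(/\r$/, "") }                            # tolerate CRLF log files
    /^[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9][0-9][0-9] / { inlog = 1 }
    /^[A-Za-z0-9-]+ = / {                         # attribute line after log lines:
      if (inlog) { essid = mac = ""; inlog = 0 }  # new request, drop stale state
    }
    /^Aruba-Essid-Name = /   { sub(/^[^=]*= /, ""); essid = $0; next }
    /^Calling-Station-Id = / { sub(/^[^=]*= /, ""); mac = $0; next }
    / - EAP-PEAP Authentication commencing for user / && essid == ssid {
      split($0, q, "\047")                        # user name sits between quotes
      print $1, $2, "ssid=" essid, "mac=" mac, "user=" q[2]
    }
  '
}

# Constructed sample log (names, MACs and times are made up).
sample_log() {
  cat <<'EOF'
Aruba-Essid-Name = VIT-Access
Calling-Station-Id = 02aabbccdd01
User-Name = laptop01

10.09.2019 08:00:01.100 - EAP-PEAP Authentication commencing for user 'laptop01' (Windows User) [5 (111)]

Aruba-Essid-Name = VITEtest
Calling-Station-Id = 02aabbccdd02
User-Name = guest7

10.09.2019 08:00:05.200 - EAP-PEAP Authentication commencing for user 'guest7' (Windows User) [5 (111)]

NAS-Port = 0
User-Name = printer3

10.09.2019 08:00:09.300 - EAP-PEAP Authentication commencing for user 'printer3' (Windows User) [5 (111)]
EOF
}

sample_log | audit_peap_on_tls_ssid "VIT-Access"
```

Each output line is one PEAP attempt on the named SSID, with timestamp, client MAC and user name; an empty result means no PEAP attempt was logged for that SSID.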
19 days ago
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4927
Have you set EAP-TLS as the preferred EAP method in clients where EAP-TLS will be used as the authentication method, as instructed at https://docs.fortinet.com/document/fortiauthenticator/6.0.0/cookbook/905663/configuring-windows-10-wireless-profile-to-use-certificate ?
19 days ago
Topic:
Configuring two authentication method

Glork_78
Glork_78
Posts: 5
Hi,

Thanks for your quick reply.

Well, that's normal. I want to prevent clients from connecting to VIT-Access if they are using PEAP instead of EAP-TLS.
I confirm that EAP is configured as authentication method in the 'OTG' Group.

Thanks,
Glork
19 days ago
Topic:
Configuring two authentication method

Admin
Admin
Administrator
Posts: 4927
Hi,

As far as I can see from the log entries, the client prefers PEAP in place of EAP-TLS. Can you confirm whether EAP-TLS is selected as the EAP authentication method?

Best regards,

Yasin KAPLAN
20 days ago
Topic:
Configuring two authentication method

Glork_78
Glork_78
Posts: 5
Hello,

We are trying to use TekRadius to authenticate Wi-Fi users in my company with two different authentication methods: SSID 'VIT-Access' using EAP-TLS (certificate) and VITEtest on PEAP (username/password).

Can anyone tell me how to set this up with TekRadius?


I've created two users:
- VIT-Access in group 'OTG'
  - Attributes: Aruba-AP-Group = VITWiFi; Aruba-Essid-Name = VIT-Access; TLS-Client-Certificate = Server_name; TLS-Server-Certificate = Server_name
  - Group OTG attributes: Authentication-Method = EAP; Windows-Domain = company_domain

- VITEtest in group 'OTG_test'
  - Attributes: Aruba-AP-Group = VITIWiFi; Aruba-Essid-Name = VITEtest
  - Group OTG_test attributes: Authentication-Method = Windows; Windows-domain = company domain

PEAP authen on VIT-Access:


EAP authen on either VIT-access and VITEtest:


Unfortunately this configuration doesn't work: when I connect a device to either VIT-Access or VITEtest, it always connects with the PEAP authen method. If I apply an EAP method in the default group, neither VIT-Access nor VITEtest is accessible for devices which don't have a certificate. I've attached log details.



Thank you,
Glork,
25 days ago
Topic:
msNPCallingStationID & msRADIUSFramedIPAddress

Admin
Admin
Administrator
Posts: 4927
You can validate user Ethernet MAC address received in RADIUS authentication requests against msNPCallingStationID value in Active Directory for Active Directory users.

You can assign static IP addresses to Active Directory users by setting the msRADIUSFramedIPAddress Active Directory attribute.

msNPCallingStationID and msRADIUSFramedIPAddress attribute support requires a commercial license.
16.08.2019
Topic:
PEM Cert Conversion for PEAP Authentication

Admin
Admin
Administrator
Posts: 4927
You're welcome
16.08.2019
Topic:
PEM Cert Conversion for PEAP Authentication

dutani
dutani
Posts: 3
That fixed my issue. Thank you so much!
14.08.2019
Topic:
PEM Cert Conversion for PEAP Authentication

Admin
Admin
Administrator
Posts: 4927
You should also ask for the private key if this certificate was used for PEAP authentication. I recommend that you combine the .pem with its associated private key into a .pfx file and then import it: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
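
One way to carry out the bundling step recommended above with the OpenSSL command line (an added example, not part of the original thread or of TekRADIUS): it builds the .pfx only if the private key really belongs to the certificate and OpenSSL rates the certificate as usable by a TLS server. The function names, file names and the PFX_PASS variable are hypothetical, and the key pair it runs on is a throwaway one generated on the spot.

```bash
#!/usr/bin/env bash
# Added example: build a .pfx only when the private key really belongs to the
# certificate. Function names, file names and PFX_PASS are placeholders.

# True when KEY holds the private key for the public key inside CERT.
key_matches_cert() {     # usage: key_matches_cert CERT.pem KEY.pem
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when OpenSSL rates the certificate as usable by a TLS server.
allows_server_auth() {   # usage: allows_server_auth CERT.pem
  openssl x509 -in "$1" -noout -purpose 2>/dev/null | grep -q '^SSL server : Yes'
}

# The password is read from $PFX_PASS so it never shows up in the process list.
make_pfx() {             # usage: make_pfx CERT.pem KEY.pem OUT.pfx
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  allows_server_auth "$1"    || { echo "certificate not usable as server" >&2; return 2; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:PFX_PASS
}

# Throwaway self-signed pair used as constructed sample input.
new_test_pair() {        # usage: new_test_pair PATH_PREFIX
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=radius.example.test" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

demo() {
  local tmp; tmp=$(mktemp -d)
  export PFX_PASS='placeholder-password'
  new_test_pair "$tmp/a" && new_test_pair "$tmp/b" || return 1
  make_pfx "$tmp/a.pem" "$tmp/a.key" "$tmp/a.pfx" && echo "a.pfx written"
  make_pfx "$tmp/a.pem" "$tmp/b.key" "$tmp/bad.pfx" 2>/dev/null || echo "wrong key refused"
  rm -rf "$tmp"
}
demo
```

Older Windows releases can fail to import a .pfx written with OpenSSL 3.x defaults; `openssl pkcs12 -export -legacy` writes the older encryption format.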
14.08.2019
Topic:
PEM Cert Conversion for PEAP Authentication

dutani
dutani
Posts: 3
The cert was already imported in both the Personal and Root folders. Whenever I create a test cert through TekCERT with a purpose of "All" and have it stored in those same directories, I am able to view the test cert as either Client or Server.


There is no associated private key with the .pem cert that has been provided to me.

To me it appears that the software sees the cert as a Client cert whenever it should see it as both.
14.08.2019
Topic:
PEM Cert Conversion for PEAP Authentication

Admin
Admin
Administrator
Posts: 4927
Hi,

You need to import the certificate with its associated private key into the Windows Certificate Store / Local Machine / Personal folder, and you must mark the private key as exportable while importing.

Best regards,

Yasin KAPLAN
13.08.2019
Topic:
PEM Cert Conversion for PEAP Authentication

dutani
dutani
Posts: 3
I received a .pem cert from a customer which they use as their server cert for PEAP authentication; they use a different RADIUS service. I imported this cert on my RADIUS server, however it seems that the software is reading it with a purpose of "Client Authentication" even though the cert is for both client and server. When I try to check for the attribute "TLS-Server-Certificate" the cert is not there, however it does populate if I select "TLS-Client-Certificate". Attached are the relevant images.

Is this a bug in the software in its inability to read a cert with a dual purpose?
11.08.2019
Topic:
TekRADIUS LT 5.5 Active Sessions do not appear

Admin
Admin
Administrator
Posts: 4927
You're welcome, and happy Bayram to you.
11.08.2019
Topic:
TekRADIUS LT 5.5 Active Sessions do not appear

Zeynep
Zeynep
Posts: 26
It actually did. Thank you very much indeed. Great support especially on the first day of bayram. Happy Eid-el Adha.



