Configuring two authentication methods

Glork_78
2.09.2019
Hello,

We are trying to use TekRADIUS to authenticate Wi-Fi users in my company with two different authentication methods: SSID 'VIT-Access' using EAP-TLS (certificate) and VITEtest on PEAP (username/password).

Can anyone tell me how to set this up with TekRADIUS?


I've created two users:
- VIT-Access in group 'OTG'
  - Attributes: Aruba-AP-Group = VITWiFi; Aruba-Essid-Name = VIT-Access; TLS-Client-Certificate = Server_name; TLS-Server-Certificate = Server_name
  - Group OTG attributes: Authentication-Method = EAP; Windows-Domain = company_domain

- VITEtest in group 'OTG_test'
  - Attributes: Aruba-AP-Group = VITIWiFi; Aruba-Essid-Name = VITEtest
  - Group OTG_test attributes: Authentication-Method = Windows; Windows-domain = company domain

PEAP authen on VIT-Access:


EAP authen on either VIT-access and VITEtest:


Unfortunately this configuration doesn't work: when I connect a device to either VIT-Access or VITEtest, it always connects with the PEAP authentication method. If I apply an EAP method in the default group, neither VIT-Access nor VITEtest is accessible for devices which don't have a certificate. I've attached log details.



Thank you,
Glork,

Admin (Administrator)
2.09.2019
Hi,

As far as I can see from the log entries, the client prefers PEAP instead of EAP-TLS. Can you confirm that EAP-TLS is selected as the EAP authentication method?

Best regards,

Yasin KAPLAN

Glork_78
2.09.2019
Hi,

Thanks for your quick reply.

Well, that's normal. I want to prevent clients from connecting to VIT-Access if they are using PEAP instead of EAP-TLS.
I confirm that EAP is configured as authentication method in the 'OTG' Group.

Thanks,
Glork

Admin (Administrator)
2.09.2019
Have you set EAP-TLS as the preferred EAP method on clients where EAP-TLS will be used as the authentication method, as instructed at https://docs.fortinet.com/document/fortiauthenticator/6.0.0/cookbook/905663/configuring-windows-10-wireless-profile-to-use-certificate ?

Glork_78
3.09.2019
Yes, I have, and it's working fine!
However, a device without EAP-TLS as the preferred EAP method (and thus without a certificate issued by us) is able to connect to the Wi-Fi as well using PEAP; we don't want that. How can we configure it?

Logs for EAP-TLS authen - VIT-Access SSID


Logs for PEAP authen - VIT-Access SSID


Thanks,

Admin (Administrator)
3.09.2019
I'll update you in 12 hours.

Admin (Administrator)
3.09.2019
Please apply the update at https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip

You will see a new parameter at Settings / Service Parameters / Require Local Certificate for EAP-TLS. Check it and save settings. This will force TekRADIUS to reject EAP-TLS authentication attempts if no local user profile with TLS-Client-Certificate is found.

Glork_78
4.09.2019
Hi

We applied the update and used the "Require local certificate for EAP-TLS" option, but no luck, it's still not working. I feel like TekRADIUS takes attributes from the default user and group only. When we create a custom user and group and apply attributes, it doesn't affect the authentication.

Thanks,
Glork

Admin (Administrator)
4.09.2019
Here is another update: https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip Please try it and let me know the result.

Glork_78
5.09.2019
Hi,

No luck, it's still not working.
When I applied the TekRADIUS-Status attribute as disabled on the default group to force TekRADIUS to use the other groups (otg / otg_test), I cannot authenticate anymore:

Aruba-Location-Id = 011PWLAP002P002
Aruba-Essid-Name = VITEtest
Aruba-AP-Group = VITWiFi
NAS-IP-Address = 10.1.1.129
Calling-Station-Id = 285aeb95712f
Called-Station-Id = 3817c3c06418
Aruba-Device-Type = iPhone
NAS-Port = 0
NAS-Identifier = VITEtest
State = a0106dec890992030ee86db30f0f2b9b
Framed-MTU = 1100
NAS-Port-Type = 19
User-Name = @
Service-Type = 2

05.09.2019 09:55:41.096 - User account '@' is disabled (TekRADIUS-Status).
05.09.2019 09:55:41.096 - EAP-PEAP Authentication commencing for user '@' (Windows User) [5 (111)]
05.09.2019 09:55:41.096 - PEAPv0-MS-CHAP v2 failed for user '@', sending Access-Reject (Group: Default).
05.09.2019 09:55:41.096 - Authentication failed. User account '@' or group 'Default' is disabled
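
Added example, not part of the original thread and not TekRADIUS code: a small Python check over log excerpts in the layout posted above (attribute dump followed by timestamped lines) that flags PEAP starting on an SSID meant to be EAP-TLS only. The policy set, the function name and the sample values are assumptions constructed for illustration.

```python
import re

# Policy taken from the thread: VIT-Access is meant to be certificate-only.
CERT_ONLY_SSIDS = {"VIT-Access"}

ATTR_RE = re.compile(r"^([A-Za-z0-9-]+) = (.*)$")               # "Name = Value"
EVENT_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4} [\d:.]+ - (.*)$")  # timestamped line
PEAP_MARKER = "EAP-PEAP Authentication commencing"

def find_peap_on_cert_only(log_text, cert_only=CERT_ONLY_SSIDS):
    """Return one finding per request that started PEAP on a cert-only SSID."""
    findings, attrs, in_events, flagged = [], {}, False, False
    for raw in log_text.splitlines():
        line = raw.strip()
        attr = ATTR_RE.match(line)
        if attr:
            if in_events:  # an attribute after event lines opens a new request
                attrs, in_events, flagged = {}, False, False
            attrs[attr.group(1)] = attr.group(2)
            continue
        event = EVENT_RE.match(line)
        if not event:
            continue
        in_events = True
        ssid = attrs.get("Aruba-Essid-Name")
        if PEAP_MARKER in event.group(1) and ssid in cert_only and not flagged:
            flagged = True
            findings.append({"ssid": ssid,
                             "station": attrs.get("Calling-Station-Id"),
                             "nas": attrs.get("NAS-IP-Address")})
    return findings

# Constructed sample in the same layout as the excerpt above (values are made up).
SAMPLE_LOG = """\
Aruba-Essid-Name = VIT-Access
NAS-IP-Address = 192.0.2.10
Calling-Station-Id = 02aabbccdd01
User-Name = alice

05.09.2019 10:01:02.003 - EAP-PEAP Authentication commencing for user 'alice' (Windows User) [5 (111)]

Aruba-Essid-Name = VITEtest
NAS-IP-Address = 192.0.2.10
Calling-Station-Id = 02aabbccdd02
User-Name = bob

05.09.2019 10:02:03.004 - EAP-PEAP Authentication commencing for user 'bob' (Windows User) [5 (111)]
"""
```

Running `find_peap_on_cert_only(SAMPLE_LOG)` reports only the VIT-Access request; PEAP on VITEtest is allowed by the policy set and is not flagged.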

Admin (Administrator)
5.09.2019
Can you send TekRADIUS log entries for an EAP-TLS authentication attempt which should have failed with the Require local certificate for EAP-TLS option set to yasin.kaplan at kaplansoft.com? Please also send me the TekRADIUS.ini file under C:\Program Files (x86)\TekRADIUS