RADIUS / freeRADIUS

WoodburyMan

New Around Here
With Windows 10's built-in SSID / Password sharing features, I have been wanting to move from my current WPA2-PSK to a WPA2-Enterprise setup with RADIUS, so that each user has to authenticate with a username / password. (Slightly less troublesome than MAC address filtering.) I have successfully set up a small Raspberry Pi running freeRADIUS and DaloRadius (to simplify adding/removing users) for a single setup and connected it as the RADIUS server on my RT-AC3200. Just wondering if it were possible to set up, or how hard it would be to set up, an instance of freeRADIUS running directly on one of these Asus routers running Merlin? There are packages of freeRADIUS for all different architectures.
 
Couple of things...

1) WPA2-Enterprise - always keep the authenticator (RADIUS server) outside of the access nodes - this is basic security best practice

2) When running RADIUS, it's a point of failure that can result in everyone losing access, so always best to have some redundancy on that side - normally you'll see two behind a virtual interface for load-balancing and failover

3) FreeRADIUS is a great RADIUS server, and scales very nicely

4) MAC filtering with WPA2-PSK is unneeded overhead
 
The wiki has this tutorial:

https://github.com/RMerl/asuswrt-merlin/wiki/Setting-up-FreeRadius2-through-Entware

Cheers
 

Unfortunately, all my workstations are running Windows 10 and per https://support.microsoft.com/en-us/kb/3121002, FreeRadius2 doesn't work when used with EAP-TTLS. I had tried the registry workaround to no avail and was wondering if anyone's had any luck with using freeradius2 on Entware with Windows 10. My Android devices connect just fine, however.
 
I kind of shelved this project and have been using WPA2 Personal for my wireless needs with my Windows 10 workstations, but have found a bit of time to get back on this. I'm not sure what's meant by MS changing their MPPE key handling in relation to using the freeradius2 server on the Asus RT-AC68U with Windows 10 via EAP-TTLS. My belief is that the issue lies solely on the Windows end and not on the server's, but I could be wrong. For clarity, I've included the settings for the wireless connection to my freeradius server. I've also included the error portion of the debug output on the server side. Thanks.


Code:
Sun Jan 22 06:39:05 2017 : Info: ++[mschap] = noop
Sun Jan 22 06:39:05 2017 : Info: [eap] EAP packet type response id 3 length 161
Sun Jan 22 06:39:05 2017 : Info: [eap] Continuing tunnel setup.
Sun Jan 22 06:39:05 2017 : Info: ++[eap] = ok
Sun Jan 22 06:39:05 2017 : Info: +} # group authorize = ok
Sun Jan 22 06:39:05 2017 : Info: Found Auth-Type = EAP
Sun Jan 22 06:39:05 2017 : Info: # Executing group from file /opt/etc/freeradius2/sites/default
Sun Jan 22 06:39:05 2017 : Info: +group authenticate {
Sun Jan 22 06:39:05 2017 : Info: [eap] Request found, released from the list
Sun Jan 22 06:39:05 2017 : Info: [eap] EAP/ttls
Sun Jan 22 06:39:05 2017 : Info: [eap] processing type ttls
Sun Jan 22 06:39:05 2017 : Info: [ttls] Authenticate
Sun Jan 22 06:39:05 2017 : Info: [ttls] processing EAP-TLS
Sun Jan 22 06:39:05 2017 : Debug:   TLS Length 151
Sun Jan 22 06:39:05 2017 : Info: [ttls] Length Included
Sun Jan 22 06:39:05 2017 : Info: [ttls] eaptls_verify returned 11
Sun Jan 22 06:39:05 2017 : Info: [ttls]     (other): before/accept initialization
Sun Jan 22 06:39:05 2017 : Info: [ttls]     TLS_accept: before/accept initialization
Sun Jan 22 06:39:05 2017 : Info: [ttls] <<< Unknown TLS version [length 0005] 
Sun Jan 22 06:39:05 2017 : Info: [ttls] <<< Unknown TLS version [length 0092] 
Sun Jan 22 06:39:05 2017 : Info: [ttls] >>> Unknown TLS version [length 0005] 
Sun Jan 22 06:39:05 2017 : Info: [ttls] >>> Unknown TLS version [length 0002] 
Sun Jan 22 06:39:05 2017 : Error: TLS Alert write:fatal:handshake failure
Sun Jan 22 06:39:05 2017 : Error:     TLS_accept: error in error
Sun Jan 22 06:39:05 2017 : Error:     TLS_accept: error in error
Sun Jan 22 06:39:05 2017 : Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
Sun Jan 22 06:39:05 2017 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Sun Jan 22 06:39:05 2017 : Debug: TLS receive handshake failed during operation
Sun Jan 22 06:39:05 2017 : Info: [ttls] eaptls_process returned 4
Sun Jan 22 06:39:05 2017 : Info: [eap] Handler failed in EAP/ttls
Sun Jan 22 06:39:05 2017 : Info: [eap] Failed in EAP select
Sun Jan 22 06:39:05 2017 : Info: ++[eap] = invalid
Sun Jan 22 06:39:05 2017 : Info: +} # group authenticate = invalid
Sun Jan 22 06:39:05 2017 : Info: Failed to authenticate the user.
Sun Jan 22 06:39:05 2017 : Info: Using Post-Auth-Type Reject
Sun Jan 22 06:39:05 2017 : Info:   WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sun Jan 22 06:39:05 2017 : Info: Delaying reject of request 1 for 5 seconds
Sun Jan 22 06:39:05 2017 : Debug: Going to the next request
Sun Jan 22 06:39:05 2017 : Debug: Waking up in 0.9 seconds.
Sun Jan 22 06:39:06 2017 : Debug: Waking up in 3.9 seconds.

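For readers triaging a trace like the one posted above, here is an added example (not part of the original post and not FreeRADIUS code) that pulls the TLS alert and the packed OpenSSL error out of the debug lines and decodes them. It assumes the router's FreeRADIUS build is linked against OpenSSL 1.0.x, whose error-code layout and `ssl.h` reason numbers are used here; the function names are illustrative.

```python
import re

# Lines copied from the debug output in the post above.
SAMPLE_LOG = """\
Sun Jan 22 06:39:05 2017 : Info: [ttls] eaptls_verify returned 11
Sun Jan 22 06:39:05 2017 : Error: TLS Alert write:fatal:handshake failure
Sun Jan 22 06:39:05 2017 : Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
Sun Jan 22 06:39:05 2017 : Info: [eap] Handler failed in EAP/ttls
"""

# Reason codes for library 20 (SSL routines) as defined in OpenSSL 1.0.x ssl.h.
# Assumption: these only apply when the server is built against OpenSSL 1.0.x.
SSL_REASONS = {
    193: "no shared cipher",
    252: "unknown protocol",
    258: "unsupported protocol",
    267: "wrong version number",
    1040: "sslv3 alert handshake failure",
}

ERR_RE = re.compile(r"SSL error error:([0-9A-Fa-f]{8})")
ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+)$")

def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_text):
    """Return the TLS alerts and decoded SSL errors found in a debug log."""
    findings = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            lib, func, reason = unpack_openssl_error(int(m.group(1), 16))
            meaning = SSL_REASONS.get(reason, "unknown") if lib == 20 else "non-SSL library"
            findings.append({"kind": "ssl_error", "lib": lib, "func": func,
                             "reason": reason, "meaning": meaning})
            continue
        m = ALERT_RE.search(line)
        if m:  # "write" = alert sent by this server, "read" = received from the client
            findings.append({"kind": "tls_alert", "direction": m.group(1),
                             "level": m.group(2), "description": m.group(3).strip()})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Reason 193 is raised while the server processes the ClientHello, so the comparison to make is between the cipher suites the client offers and those the server's TLS configuration allows.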
