retailnext / node-radius

Node.js RADIUS library for packet encoding and decoding.

Openwrt, Linux #43

Closed boredland closed 6 years ago

boredland commented 6 years ago

Hi there! I'm trying to use this from Linux and via OpenWrt. I configured a WPA-EAP network and a server that listens to the RADIUS requests using this library. Sadly, the User-Password doesn't get decrypted. I guess this is due to me having configured either OpenWrt or my computer incorrectly. What seem to be the correct configurations for the router and the endpoints?

As of now I have:

Client:
Security: WPA & WPA2 Enterprise
Auth: Tunneled TLS
Inner Auth: PAP
User: user
Password: pass

OpenWrt Router:
Encryption: WPA-EAP
Cipher: CCMP and TKIP

psanford commented 6 years ago

I've not tried using TTLS+PAP before, but based on RFC 5281 it sounds like it should work with node-radius.

The most obvious thing to check is to make sure the shared secret between the router and the node-radius instance is the same.

boredland commented 6 years ago

I tried that again; I don't think it is the password. This is the content of packet.attributes. I guess I wouldn't get that far if the shared secret were wrong:

Packet Attributes:
{
  "User-Name": "CORRECTUSERNAME",
  "Called-Station-Id": "54-E6-FC-D2-54-36:TestSolutions",
  "NAS-Port-Type": "Wireless-802.11",
  "NAS-Port": 1,
  "Calling-Station-Id": "18-5E-0F-DD-E5-D7",
  "Connect-Info": "CONNECT 54Mbps 802.11g",
  "Acct-Session-Id": "5AFC50BB-00000003",
  "Framed-MTU": 1400,
  "EAP-Message": {"type": "Buffer", "data": [2,74,0,36,1,106,111,110,97,115,46,115,116,114,97,115,115,101,108,64,116,101,115,116,115,111,108,117,116,105,111,110,115,46,100,101]},
  "Message-Authenticator": {"type": "Buffer", "data": [27,30,39,215,55,112,82,47,102,192,247,211,245,191,84,45]}
}

psanford commented 6 years ago

Can you provide a pcap of the Access-Request payload along with the shared secret?

boredland commented 6 years ago

Here are the config details from OpenWrt's LuCI and my client PC (screenshots: luci_eap, wifi_ui_eap).

The shared secret is "abc". (attachment: pcap.zip)

psanford commented 6 years ago

The Access-Request packet in that pcap doesn't have a User-Password attribute in it. The packet does include an inner EAP-Message, but node-radius doesn't support that (see #29).

I'm not sure if the issue is that your router isn't actually configured to do TTLS/PAP or that TTLS/PAP doesn't set the User-Password attribute.

In any case the Access-Request payload will need to have the User-Password attribute set in order to do user auth via node-radius.

boredland commented 6 years ago

So I guess I need to get OpenWrt to NOT use EAP. At least the UI doesn't provide such an option, AFAIK. Will ask there!