(RADIATOR) TTLS + LDAP2+ Active Directory

Ângelo Rodrigues amr at fccn.pt
Fri Jan 7 12:27:55 CST 2005


Hi,

I have a FreeBSD 4.10 running Radiator 3.9 to authenticate
our Cisco Catalyst 3550 users (802.1x + eap-ttls). Our authentication
method is "AuthBy FILE" and (until now) everything seems to work fine.

Now, I'm trying to configure our Radiator to validate all passwords
against a Windows 2003 Active Directory. Since "AuthBy ADSI"
doesn't work on Unix systems, I'm using "AuthBy LDAP2"
to replace the ADSI features, but it doesn't seem to work.

I've tried a lot of configurations but all without success :(((

Any ideas?

Thanks :)

Angelo R.

My radius configuration:
#########################################
(...)
<Client 192.168.0.50>
        Secret XXXXXX
        Identifier LocalUser
</Client>
(...)
# TTLS tunnel
<Handler TunnelledByTTLS=1, Realm = dominio.teste.org >
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy LDAP2>
                Host            192.168.0.1
                AuthDN cn=Administrator,ou=Users,dc=dominio,dc=teste,dc=org
                AuthPassword    XXXXXX
                BaseDN          ou=Users,dc=dominio,dc=teste,dc=org
                ServerChecksPassword
                UsernameAttr sAMAccountName
                AuthAttrDef logonHours,MS-Login-Hours,check
        </AuthBy>
</Handler>
<Handler Realm =  /^dominio\.teste\.org$/ >
        <AuthBy FILE>
                EAPType                             PEAP, TTLS
                EAPTLS_CAFile                   /etc/radius/cert/demoCA/cacert.pem
                EAPTLS_CertificateFile          /etc/radius/cert/cert-srv.pem
                EAPTLS_CertificateType          PEM
                EAPTLS_PrivateKeyFile           /etc/radius/cert/cert-srv.pem
                EAPTLS_PrivateKeyPassword       whatever
                EAPTLS_MaxFragmentSize          1000
                AutoMPPEKeys
                SSLeayTrace             4
        </AuthBy>
        AuthLog localusers
        AcctLogFileName %L/local-detail.log
        AccountingHandled
</Handler>
#########################################

Log output:
#########################################
(...)
Fri Jan  7 17:00:11 2005: DEBUG: Handling request with Handler 'Realm = /^dominio\.teste\.org$/'
Fri Jan  7 17:00:11 2005: DEBUG:  Deleting session for anonymous at dominio.teste.org, 192.168.0.50,
Fri Jan  7 17:00:11 2005: DEBUG: Handling with Radius::AuthFILE:
Fri Jan  7 17:00:11 2005: DEBUG: Handling with EAP: code 2, 6, 87
Fri Jan  7 17:00:11 2005: DEBUG: Response type 21
Fri Jan  7 17:00:11 2005: DEBUG: EAP TTLS inner authentication request for user3 at dominio.teste.org
Fri Jan  7 17:00:11 2005: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <233>9<240><193>'<169>><219><238>.<221><239><168>^}<19>
Attributes:
        User-Name = "user3 at dominio.teste.org"
        User-Password = "xxxxxx"

Fri Jan  7 17:00:11 2005: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm = dominio.teste.org'
Fri Jan  7 17:00:11 2005: DEBUG: Rewrote user name to user3
Fri Jan  7 17:00:11 2005: DEBUG:  Deleting session for user3 at dominio.teste.org, 192.168.0.50,
Fri Jan  7 17:00:11 2005: DEBUG: Handling with Radius::AuthLDAP2:
Fri Jan  7 17:00:11 2005: INFO: Connecting to 192.168.0.1, port 389
Fri Jan  7 17:00:11 2005: INFO: Attempting to bind to LDAP server 192.168.0.1:389)
Fri Jan  7 17:00:11 2005: ERR: Could not bind connection with cn=Administrator,ou=Users,dc=dominio,dc=teste,dc=org, XXXXXX, error: LDAP_INVALID_CREDENTIALS (server 192.168.0.1:389).
Fri Jan  7 17:00:11 2005: ERR: Backing off from 192.168.0.1:389 for 600 seconds.
Fri Jan  7 17:00:11 2005: DEBUG: EAP result: 2, EAP TTLS inner authentication redespatched to a Handler
Fri Jan  7 17:00:16 2005: DEBUG: Packet dump:
*** Received from 192.168.0.50 port 1812 ....
Code:       Access-Request
Identifier: 85
Authentic:  l<237><25><135><142><233><184><165><18>i+<131>,<229><11><177>
Attributes:
        NAS-IP-Address = 192.168.0.50
        NAS-Port-Type = Async
        User-Name = "anonymous at dominio.teste.org"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "00-06-5b-03-e0-b5"
        EAP-Message = 
<2><6><0>W<21><128><0><0><0>M<23><3><1><0>H<198><183><233><190>++K<149>v<m|LX 
<14><247><163>V<20>e<
249>b<155><162><30>,<169><21><12>6<141>&<236><30><136><154>j<255><197><152><157><144>C<19><129><10><232><132><127>%<169>4
R[<215>z<186>8[<4><215><195><28>3<156><24><161><212><255><135><157>
        Message-Authenticator = 
P<9><131><25>[~\<130><19><248><220><156><207>Ok
(...)
#########################################

Angelo Rodrigues - amr at fccn.pt
FCCN - Fundacao para a Computacao Cientifica Nacional
Av. do Brasil, 101 1700-066 Lisboa - Portugal
Tel: +351 218440100 Fax: +351 218472167
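An added example, not part of the original post or of Radiator itself: a small Python parser for the AuthLDAP2 failure lines quoted above. It records the bind failure and the 600-second back-off (during which every tunnelled TTLS inner authentication sent to that Handler fails) without keeping the bind password that Radiator's ERR line prints in the clear, and runs basic sanity checks on the bind DN. The sample log is constructed in the shape of the post's lines, with the wrapped ERR line rejoined.

```python
import re

# Constructed sample shaped like the Radiator 3.9 AuthLDAP2 log lines in the
# post (wrapped ERR line rejoined); not captured from a live server.
SAMPLE_LOG = """\
Fri Jan  7 17:00:11 2005: DEBUG: Handling with Radius::AuthLDAP2:
Fri Jan  7 17:00:11 2005: INFO: Connecting to 192.168.0.1, port 389
Fri Jan  7 17:00:11 2005: ERR: Could not bind connection with cn=Administrator,ou=Users,dc=dominio,dc=teste,dc=org, XXXXXX, error: LDAP_INVALID_CREDENTIALS (server 192.168.0.1:389).
Fri Jan  7 17:00:11 2005: ERR: Backing off from 192.168.0.1:389 for 600 seconds.
"""

# The ERR line carries AuthDN *and* AuthPassword in clear text; the password
# group is captured only so it can be dropped from the parsed record.
BIND_FAIL = re.compile(
    r"^(?P<ts>.+?): ERR: Could not bind connection with (?P<dn>.+?), (?P<pw>\S+), "
    r"error: (?P<err>\S+) \(server (?P<server>[^)]+)\)\.$")
BACKOFF = re.compile(
    r"^(?P<ts>.+?): ERR: Backing off from (?P<server>\S+) for (?P<secs>\d+) seconds\.$")


def parse_ldap_events(log_text):
    """Return (bind_failures, backoffs) found in Radiator AuthLDAP2 log text."""
    failures, backoffs = [], []
    for line in log_text.splitlines():
        m = BIND_FAIL.match(line)
        if m:
            failures.append({"ts": m["ts"], "dn": m["dn"], "error": m["err"],
                             "server": m["server"]})  # password deliberately discarded
            continue
        m = BACKOFF.match(line)
        if m:
            backoffs.append({"ts": m["ts"], "server": m["server"],
                             "seconds": int(m["secs"])})
    return failures, backoffs


def dn_warnings(dn):
    """Sanity checks on an AD bind DN that commonly explain LDAP_INVALID_CREDENTIALS."""
    warnings = []
    rdns = [r.strip().lower() for r in dn.split(",")]
    # AD answers a simple bind as a non-existent DN with the same
    # invalidCredentials result as a wrong password, so a mistyped DN
    # is indistinguishable from a bad AuthPassword in this log.
    if "ou=users" in rdns:
        warnings.append("AD's built-in Users container is CN=Users, not OU=Users; "
                        "confirm the account's DN with ldapsearch or an LDAP browser")
    if rdns and rdns[0] == "cn=administrator":
        warnings.append("binding as Administrator: use a dedicated read-only "
                        "service account for the RADIUS server instead")
    return warnings
```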
------------------------------------------------------------ 

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.