[RADIATOR] Authby LSA and groups not working (redux)

Pearson, Mark mark.pearson at ntu.ac.uk
Fri Oct 1 04:13:25 CDT 2010


Hi, I have it working by running Radiator on a server in the domain.
Note that you need 4.7 to use the magic bit UsernameMatchesWithoutRealm.
Nothing is needed on the actual DCs regarding Radiator in our case.

<Handler TunnelledByPEAP=1>
 <AuthBy LSA>
  ### The next line strips the @realm portion to allow AD to authenticate against it
  UsernameMatchesWithoutRealm
  EAPType MSCHAP-V2
 </AuthBy>
</Handler>

### This is the outer request where usernames like username@ntu.ac.uk are captured

<Handler Realm=somewhere.ac.uk>
 <AuthBy FILE>
  Filename %D/users

  ### This tells the PEAP client what types of inner EAP requests we will honour
  EAPType PEAP, TTLS
  EAPTLS_CAFile %D/certificates/terenasslca.pem
  EAPTLS_CertificateFile %D/certificates/final-cert.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile %D/certificates/mykey.pem
  EAPTLS_PrivateKeyPassword
  EAPTLS_MaxFragmentSize 1000
  AutoMPPEKeys
  SSLeayTrace 4
  EAPTLS_PEAPVersion 0

  ### Added EAPAnonymous %{User-Name} to the outer AuthBy
  ### This will send the outer username as the inner username
  ### (instead of "anonymous")

  EAPAnonymous %{User-Name}

 </AuthBy>
</Handler>


regards
Mark Pearson
Senior Technical Support Analyst
Information Systems
Nottingham Trent University

tel: 0115 8488287
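To make the two-Handler flow in the config above concrete, here is an added Python model (not Radiator code and not part of Mark's post): it shows how the outer Handler gates on the realm of User-Name and how UsernameMatchesWithoutRealm strips the realm before the account name reaches AuthBy LSA. The realm split on the last '@' and the sample user names are assumptions of this example.

```python
"""Model of the two-Handler PEAP flow from the config above.

Constructed example, not Radiator code: it mimics how the outer Handler
selects on the realm of User-Name and how the inner Handler, with
UsernameMatchesWithoutRealm, hands a bare account name to AuthBy LSA.
Assumption: the realm is whatever follows the last '@'.
"""
from typing import Optional

LOCAL_REALM = "somewhere.ac.uk"        # <Handler Realm=somewhere.ac.uk>


def split_realm(user_name: str) -> tuple[str, str]:
    """Return (user, realm); realm is '' when User-Name has no '@'."""
    user, sep, realm = user_name.rpartition("@")
    return (user_name, "") if not sep else (user, realm)


def outer_handler(user_name: str) -> Optional[dict]:
    """Outer (untunnelled) PEAP request. Only our own realm is handled
    here; any other realm (an eduroam visitor, say) does not match this
    Handler and is never authenticated against local AD by it."""
    _, realm = split_realm(user_name)
    if realm != LOCAL_REALM:
        return None
    # EAPAnonymous %{User-Name}: outer identity is carried into the tunnel
    return {"eap": "PEAP", "inner_identity": user_name}


def inner_handler(inner_identity: str) -> dict:
    """Inner (TunnelledByPEAP=1) request. UsernameMatchesWithoutRealm
    strips any realm, so LSA sees the plain AD account name. There is no
    Realm= filter on this Handler: the outer Handler is the only place
    the realm is checked."""
    user, _ = split_realm(inner_identity)
    return {"eap": "MSCHAP-V2", "lsa_user": user}


def route(user_name: str) -> tuple[str, Optional[str]]:
    """Full flow for one outer User-Name: ('lsa', account) when the
    request reaches AuthBy LSA, ('unhandled', None) otherwise."""
    outer = outer_handler(user_name)
    if outer is None:
        return ("unhandled", None)
    return ("lsa", inner_handler(outer["inner_identity"])["lsa_user"])


if __name__ == "__main__":
    for name in ("mark@somewhere.ac.uk", "visitor@other.ac.uk", "mark"):
        print(f"{name:25} -> {route(name)}")
```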

-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au]
On Behalf Of Mike McCauley
Sent: 01 October 2010 01:03
To: Johnson, Neil M
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)

Hello Neil,

On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> No, I'm running it on a member server.
>
> Our AD administrators are very reluctant to run applications on PDC's 
> and BDC's. I can ask but I don't think I will get permission.
>
> Will it work on a BDC ?
>
> If not, do I have any other options ? Currently I'm using Radiator to 
> proxy 802.1X requests to Juniper Steel-Belted Radius in order to 
> re-write VLAN attributes. I was kind of hoping to eliminate SBR in 
> part to simplify support for Eduroam.

Tests here show that it works OK on any domain member provided that the
user who is running the script is logged in to the domain.

Cheers.

>
> Thanks.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: neil-johnson at uiowa.edu
>
>
> -----Original Message-----
> From: radiator-bounces at open.com.au
> [mailto:radiator-bounces at open.com.au] On Behalf Of Mike McCauley
> Sent: Wednesday, September 29, 2010 9:22 PM
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
>
> Hello Neil,
>
> tests here show that your script (suitably modified) works provided 
> you run it on the PDC as the administrator.
>
> Is that how you are testing?
>
> Cheers.
>
> On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> > I whipped up a script based on what I could find in the source code 
> > to test group membership and it doesn't seem to matter if the group 
> > is local or global, it can't find it:
> >
> > #!c:\perl64\bin\perl.exe
> >
> > use strict;
> > use warnings;
> > use Win32::NetAdmin;
> >
> > my $User   = "nmjoo";
> > my $Group  = "ITS-WIRELESS";
> > my $Domain = "IOWA";
> > my $Server = "";
> >
> > print "Getting Domain Controller\n";
> > # Fills $Server with the name (\\HOST) of a domain controller for $Domain
> > Win32::NetAdmin::GetDomainController("", $Domain, $Server);
> > print "Domain Controller for Domain $Domain is $Server\n";
> >
> > print "Checking to see if user: $User is member of Group: $Group\n";
> > # Try a global (domain) group first, then a local group on that server
> > if ( Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
> >      || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User) ) {
> >     print "$User is Member of group $Group\n";
> > } else {
> >     print "$User is not Member of group $Group\n";
> > }
> >
> > Output:
> >
> > C:\Program Files\Radiator>test2.pl
> > Getting Domain Controller
> > Domain Controller for Domain IOWA is \\IOWADC1
> > Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> > nmjoo is not Member of group ITS-WIRELESS
> > C:\Program Files\Radiator>
> > --
> > Neil Johnson
> > Network Engineer
> > Information Technology Services
> > The University of Iowa
> > Work: 319 384-0938
> > Mobile: 319 540-2081
> > Fax: 319 355-2618
> > E-mail: neil-johnson at uiowa.edu



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator

