(RADIATOR) LEAP and AuthBy LDAP2
ZAGO, Mauro
mauro.zago at unitn.it
Wed Jul 16 04:04:49 CDT 2003
Dear all,
I am trying to configure Radiator as a RADIUS server for a Cisco Aironet 340.
My user list is on an OpenLDAP server.
It seems that Radiator is unable to interpret SHA passwords that come from LDAP in conjunction with "EAPType LEAP"!
The SHA password is correctly interpreted when I use another Handler (without EAPType LEAP).
Plaintext passwords always work!
Radius.cfg:
<Client 192.168.xxx.xxx>
    Secret mysecret
    DupInterval 0
    DefaultRealm wireless.realm
</Client>

#
# Not working Handler
#
<Handler Realm=wireless.realm>
    RewriteUsername s/^([^@]+).*/$1/
    AuthByPolicy ContinueWhileReject
    <AuthBy LDAP2>
        Host ldap.mydomain.com
        Port 389
        BaseDN dc=mydomain,dc=com
        UsernameAttr uid
        PasswordAttr userPassword
        ServerChecksPassword
        EAPType LEAP
    </AuthBy>
</Handler>

#
# Working Handler (for other clients - Cisco Access Point)
#
<Handler>
    RewriteUsername s/^([^@]+).*/$1/
    AuthByPolicy ContinueWhileReject
    MaxSessions 2
    <AuthBy SQL>
        DBSource dbi:mysql:xxxxx:localhost
        DBUsername xxxxx
        DBAuth xxxxxxxxxx
        AuthSelect select password, profile, freezed from dbo_userlist where name='%n'
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, cisco-avpair, reply
        AuthColumnDef 2, Prohibit, check
        AddToReply Service-Type=Framed-User,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0,Framed-Compression=Van-Jacobson-TCP-IP,Framed-MTU=1500,cisco-avpair="ip:dns-servers=193.205.206.23 193.205.195.12",Framed-Routing=None
        AccountingTable ACCOUNTING
        AcctColumnDef .....
        AcctColumnDef .....
        .....
    </AuthBy>
    <AuthBy LDAP2>
        Host ldap.mydomain.com
        Port 389
        AuthDN cn=Manager,dc=mydomain,dc=com
        AuthPassword xxxxxxxx
        BaseDN dc=mydomain,dc=it
        UsernameAttr uid
        PasswordAttr userPassword
        HoldServerConnection
        AddToReply ..........
    </AuthBy>
</Handler>
Logfile:
# When "wireless.realm" is used
....
Wed Jul 16 10:18:35 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jul 16 10:18:35 2003: DEBUG: Handling with EAP: code 2, 48, 42
Wed Jul 16 10:18:35 2003: DEBUG: Response type 17
Wed Jul 16 10:18:35 2003: INFO: Connecting to ldap.mydomain.com, port 389
Wed Jul 16 10:18:35 2003: INFO: Attempting to bind to LDAP server ldap.mydomain.com:389)
Wed Jul 16 10:18:36 2003: DEBUG: LDAP got result for cn=Surname Name,ou=unit1,dc=mydomain,dc=com
....
Wed Jul 16 10:18:36 2003: DEBUG: LDAP got userPassword: {SHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Wed Jul 16 10:18:36 2003: DEBUG: Radius::AuthLDAP2 looks for match with name.surname
Wed Jul 16 10:18:36 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Jul 16 10:18:36 2003: INFO: Access rejected for name.surname: Bad LEAP Password
....
# When the default Handler is used (Cisco access point, a client of this realm)
.....
Mon Jul 14 14:29:50 2003: DEBUG: Handling with Radius::AuthLDAP2:
Mon Jul 14 14:29:50 2003: INFO: Connecting to ldap.mydomain.com, port 389
Mon Jul 14 14:29:50 2003: INFO: Attempting to bind to LDAP server ldap.mydomain.com:389)
Mon Jul 14 14:29:50 2003: DEBUG: LDAP got result for cn=Surname Name,ou=unit1,dc=mydomain,dc=com
Mon Jul 14 14:29:50 2003: DEBUG: LDAP got userPassword: {SHA}xxxxxxxxxxxxxxxxxxxxxxxxxxx
Mon Jul 14 14:29:50 2003: DEBUG: Radius::AuthLDAP2 looks for match with name.surname
Mon Jul 14 14:29:50 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
Mon Jul 14 14:29:50 2003: DEBUG: Access accepted for name.surname
.....
Thanks in advance for all your responses.
PS: sorry for my horrible English
********************************
Mauro Zago
Università degli Studi di Trento
ATI Network
Via Briamasco, 2
38100 - Trento - Italia
*********************************
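The two log excerpts above show the same {SHA} userPassword being accepted by one handler and rejected with "Bad LEAP Password" by the other, and the difference is the authentication method, not the LDAP lookup. With PAP-style checking (the working handler, and ServerChecksPassword in general) the NAS sends the cleartext password in the Access-Request, so the server can hash it with the directory's scheme and compare. LEAP is an MS-CHAP-style challenge/response: the supplicant only sends a value derived from the password and a challenge, so the server has to recompute that value from what it has stored, and a one-way {SHA}/{SSHA} hash cannot be used for that; the directory needs the cleartext (or, for MS-CHAP-family methods, the NT hash). The following Python is an added illustration, not code from the post or from Radiator. It implements real OpenLDAP {SHA}/{SSHA} encoding and checking, but substitutes HMAC-SHA1 for LEAP's actual MD4/DES response derivation (an assumption made to stay within the standard library; the shape of the problem is identical). The credential, the function names (`check_pap`, `check_leap`, `simulate`) and the "reject: Bad LEAP Password" string are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed example credential (not from the post).
CLEARTEXT = "correct horse"


def ldap_sha(password: str, salt: bytes = b"") -> str:
    """Encode a password the way OpenLDAP stores {SHA} (unsalted) or {SSHA}
    (salted) userPassword values: scheme prefix + base64(sha1(pw [+ salt]) [+ salt])."""
    if not salt:
        return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_pap(stored: str, candidate: str) -> bool:
    """PAP / ServerChecksPassword: the NAS delivered the cleartext candidate, so the
    server can re-hash it under whatever scheme the directory entry uses."""
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(candidate.encode()).digest(), digest)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    # No scheme prefix: the directory holds the cleartext itself.
    return hmac.compare_digest(stored.encode(), candidate.encode())


def leap_response(password: str, challenge: bytes) -> bytes:
    """Supplicant side of a LEAP-style challenge/response.
    ASSUMPTION: real LEAP derives this from the NT hash (MD4) with DES, as MS-CHAP
    does; HMAC-SHA1 stands in here. What matters is that the computation takes the
    password (or a reversible-in-use equivalent such as the NT hash) as input."""
    return hmac.new(password.encode(), challenge, hashlib.sha1).digest()


def check_leap(stored: str, challenge: bytes, response: bytes) -> bool:
    """Server side: it must recompute the response from the stored credential.
    A one-way {SHA}/{SSHA} value is not the input the response was derived from,
    so there is nothing to recompute with; this is the post's 'Bad LEAP Password'."""
    if stored.startswith("{"):
        raise ValueError("LEAP needs a cleartext (or NT-hash) password; directory holds a one-way hash")
    return hmac.compare_digest(leap_response(stored, challenge), response)


def simulate(stored: str, eap_type: str, password: str = CLEARTEXT) -> str:
    """Run the two handler shapes from the post against one directory entry.
    eap_type is 'PAP' (working handler) or 'LEAP' (EAPType LEAP handler)."""
    if eap_type == "PAP":
        return "accept" if check_pap(stored, password) else "reject"
    challenge = os.urandom(8)                         # LEAP challenges are 8 bytes
    response = leap_response(password, challenge)     # what the supplicant sends back
    try:
        return "accept" if check_leap(stored, challenge, response) else "reject"
    except ValueError:
        return "reject: Bad LEAP Password"


if __name__ == "__main__":
    entries = (CLEARTEXT, ldap_sha(CLEARTEXT), ldap_sha(CLEARTEXT, salt=os.urandom(4)))
    for entry in entries:
        print(f"{entry:44.44}  PAP={simulate(entry, 'PAP'):8}  LEAP={simulate(entry, 'LEAP')}")
```

Running it prints one line per storage form: the cleartext entry passes both checks, while the {SHA} and {SSHA} entries pass PAP and fail LEAP, which is exactly the split between the two handlers in the post. The practical consequence is that a directory backing LEAP (or any MS-CHAP-family method) has to hold cleartext or NT-hash credentials, so access to userPassword should be restricted accordingly; note also that the MS-CHAP-style exchange LEAP uses is susceptible to offline dictionary attack on captured responses.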
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.