(RADIATOR) LEAP and AuthBy LDAP2
Hugh Irvine
hugh at open.com.au
Wed Jul 16 04:23:23 CDT 2003
Hello Mauro -
You are correct, you will need to use plaintext passwords with LEAP.
regards
Hugh
On Wednesday, Jul 16, 2003, at 19:04 Australia/Melbourne, ZAGO, Mauro
wrote:
> Dear all,
> I am trying to configure Radiator as radius server for a Cisco
> Aironet 340.
> My userlist is on an OpenLDAP server.
> It seems that Radiator is unable to interpret SHA passwords that come
> from LDAP in conjunction with "EAPType LEAP"!!!!
> SHA passwords are correctly interpreted when I use another Handler
> (without EAPType LEAP).
> Plaintext passwords are always working!
>
> Radius.cfg:
> <Client 192.168.xxx.xxx>
> Secret mysecret
> DupInterval 0
> DefaultRealm wireless.realm
> </Client>
> #
> # Not working Handler
> #
> <Handler Realm=wireless.realm>
> RewriteUsername s/^([^@]+).*/$1/
> AuthByPolicy ContinueWhileReject
> <AuthBy LDAP2>
> Host ldap.mydomain.com
> Port 389
> BaseDN dc=mydomain,dc=com
> UsernameAttr uid
> PasswordAttr userPassword
> ServerChecksPassword
> EAPType LEAP
> </AuthBy>
> </Handler>
>
> #
> # Working Handler (for other clients - Cisco Access Point)
> #
> <Handler>
> RewriteUsername s/^([^@]+).*/$1/
> AuthByPolicy ContinueWhileReject
> MaxSessions 2
> <AuthBy SQL>
> DBSource dbi:mysql:xxxxx:localhost
> DBUsername xxxxx
> DBAuth xxxxxxxxxx
> AuthSelect select password, profile, freezed from dbo_userlist
> where name='%n'
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, cisco-avpair, reply
> AuthColumnDef 2, Prohibit, check
> AddToReply
> Service-Type=Framed-User,Framed-Protocol=PPP,Framed-IP-
> Netmask=255.255.255.0,Framed-Compression=Van-Jacobson-
> TCP-IP,Framed-MTU=1500,cisco-avpair="ip:dns-servers=193.205.206.23
> 193.205.195.12",Framed-Routing=None
> AccountingTable ACCOUNTING
> AcctColumnDef .....
> AcctColumnDef .....
> .....
> </AuthBy>
> <AuthBy LDAP2>
> Host ldap.mydomain.com
> Port 389
> AuthDN cn=Manager,dc=maydomain,dc=com
> AuthPassword xxxxxxxx
> BaseDN dc=mydomain,dc=it
> UsernameAttr uid
> PasswordAttr userPassword
> HoldServerConnection
> AddToReply ..........
> </AuthBy>
> </Handler>
>
> Logfile:
>
> # When "wireless.realm" is used
> ....
> Wed Jul 16 10:18:35 2003: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Jul 16 10:18:35 2003: DEBUG: Handling with EAP: code 2, 48, 42
> Wed Jul 16 10:18:35 2003: DEBUG: Response type 17
> Wed Jul 16 10:18:35 2003: INFO: Connecting to ldap.mydomain.com, port
> 389
> Wed Jul 16 10:18:35 2003: INFO: Attempting to bind to LDAP server
> ldap.mydomain.com:389)
> Wed Jul 16 10:18:36 2003: DEBUG: LDAP got result for cn=Surname
> Name,ou=unit1,dc=mydomain,dc=com
> ....
> Wed Jul 16 10:18:36 2003: DEBUG: LDAP got userPassword:
> {SHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Wed Jul 16 10:18:36 2003: DEBUG: Radius::AuthLDAP2 looks for match
> with name.surname
> Wed Jul 16 10:18:36 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Wed Jul 16 10:18:36 2003: INFO: Access rejected for name.surname: Bad
> LEAP Password
> ....
>
> # When the default Handler is used (Cisco Access Point - client of this
> realm)
> .....
> Mon Jul 14 14:29:50 2003: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Jul 14 14:29:50 2003: INFO: Connecting to ldap.mydomain.com, port
> 389
> Mon Jul 14 14:29:50 2003: INFO: Attempting to bind to LDAP server
> ldap.mydomain.com:389)
> Mon Jul 14 14:29:50 2003: DEBUG: LDAP got result for cn=Surname
> Name,ou=unit1,dc=mydomain,dc=com
> Mon Jul 14 14:29:50 2003: DEBUG: LDAP got userPassword:
> {SHA}xxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mon Jul 14 14:29:50 2003: DEBUG: Radius::AuthLDAP2 looks for match
> with name.surname
> Mon Jul 14 14:29:50 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Mon Jul 14 14:29:50 2003: DEBUG: Access accepted for name.surname
> .....
>
> Thanks in advance for all your responses.
>
> PS: sorry for my horrible English
>
> ********************************
> Mauro Zago
>
> Università degli Studi di Trento
> ATI Network
> Via Briamasco, 2
> 38100 - Trento - Italia
>
> *********************************
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
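Why the two Handlers above behave differently, as an added illustration that is not part of the original thread or of Radiator's code: a PAP-style check receives the password itself, so the server can hash it and compare against a {SHA} userPassword, whereas LEAP is challenge/response and the server must derive the expected response from the stored credential, which a one-way digest cannot provide. The sample entries, the helper names and the uids are constructed for the example.

```python
import base64
import hashlib
import hmac


def make_sha_userpassword(plaintext: str) -> str:
    """Encode a password the way OpenLDAP stores a {SHA} userPassword value."""
    digest = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha_userpassword(plaintext: str, salt: bytes) -> str:
    """Encode a salted {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(plaintext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_userpassword(value: str):
    """Split a userPassword attribute into (scheme, payload); no {prefix} means plaintext."""
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.upper(), payload
    return "PLAIN", value


def check_pap(stored: str, candidate: str) -> bool:
    """PAP-style check (the 'working Handler'): the client sent the password,
    so the server hashes it the same way and compares the digests."""
    scheme, payload = parse_userpassword(stored)
    if scheme == "PLAIN":
        return hmac.compare_digest(payload, candidate)
    if scheme == "SHA":
        digest = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(payload, base64.b64encode(digest).decode("ascii"))
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode("utf-8") + salt).digest())
    return False  # unknown scheme: fail closed


def usable_for_leap(stored: str) -> bool:
    """LEAP never delivers the password to the server; the server must compute the
    expected challenge response from what LDAP holds. A {SHA}/{SSHA} digest cannot be
    turned back into that credential, so only a plaintext userPassword will work."""
    scheme, _ = parse_userpassword(stored)
    return scheme == "PLAIN"


def leap_incompatible_users(entries: dict) -> list:
    """Audit helper: uids whose stored credential would fail the 'EAPType LEAP' Handler."""
    return sorted(uid for uid, pw in entries.items() if not usable_for_leap(pw))
```

Run `leap_incompatible_users` over an export of the uid/userPassword pairs to see which accounts would have to be re-provisioned before the LEAP Handler can accept them.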
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.