(RADIATOR) Radiator and LDAP2 - multiple realm
Hugh Irvine
hugh at open.com.au
Tue Oct 14 20:55:51 CDT 2003
Hello Steve -
I think I will need a bit more detail regarding your requirements, as I
am not sure I understand.
Could you also please send me a trace 4 debug from Radiator showing
what is happening.
regards
Hugh
On Wednesday, Oct 15, 2003, at 05:55 Australia/Melbourne, Steve
Caporossi wrote:
> I am running radiator 3.7.1 on RH7.3. We are, and have been using
> AuthBy UNIX and the Odyssey Client for months to authenticate our
> wireless users. Now, I would like to authenticate users based on
> whether or not they are trying to login to the domain or not. When a
> user logs in with domain\username, I have been unable to get the
> request to be handled by the proper handler. I have placed the rewrite
> username in multiple locations but, never see the handler being used,
> only the tunnelled by TTLS is ever invoked. I have read the manual
> but obviously missed something...Can someone point me in the right
> direction?
>
> As a workaround, I tried using ContinueUntilAccept in the tunnelled by
> TTLS handler and then I fail with the info below. I verified the
> username and password are correct so, is there another module
> required?
>
> See below....
> Mon Oct 13 16:03:59 2003: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Oct 13 16:03:59 2003: INFO: Connecting to <servername>, port 389
> Mon Oct 13 16:03:59 2003: INFO: Attempting to bind to LDAP server
> <servername>:389)
> Mon Oct 13 16:03:59 2003: ERR: Could not bind connection with
> CN=Radtest,OU=admin,DC=testrealm,DC=local, <password>, error:
> LDAP_INVALID_CREDENTIALS (server <servername>:389).
> Mon Oct 13 16:03:59 2003: ERR: Backing off from <servername>:389 for
> 600 seconds
>
> Thanks,
> --
> Steve
> <Client DEFAULT>
> Identifier wlan
> Secret mysecret
> DupInterval 2
> IgnoreAcctSignature
> </Client>
>
>
> <Handler TunnelledByTTLS=1,Realm=testrealm>
> AuthByPolicy ContinueUntilAccept
>
> # Strip realm if in MSN format
> RewriteUsername s/(.*)\\(.*)/$2/
>
> # strips the realm from a User-Name before authenticating it
> RewriteUsername s/^([^@]+).*/$1/
>
> <AuthBy LDAP2>
> Host dc1.labnet.local
> AuthDN CN=Radtest,OU=admin,DC=testrealm,DC=local
> AuthPassword <password>
> BaseDN OU=AD Users,DC=testrealm,DC=local
> ServerChecksPassword
> UsernameAttr samaccountname
> </AuthBy>
>
> </Handler>
>
> <Handler TunnelledByTTLS=1>
> AuthByPolicy ContinueUntilAccept
>
> # Strip realm if in MSN format
> RewriteUsername s/(.*)\\(.*)/$2/
>
> # strips the realm from a User-Name before authenticating it
> RewriteUsername s/^([^@]+).*/$1/
>
> <AuthBy UNIX>
> # anonymous-PEAP must be in here:
> Filename /etc/wlanpeople
> </AuthBy>
> </Handler>
>
> <Handler Client-Identifier=wlan>
>
> AuthByPolicy ContinueAlways
> #AuthByPolicy ContinueWhileIgnore # Default
>
> # Strip realm if in MSN format
> # RewriteUsername s/(.*)\\(.*)/$2/
>
> # Convert a MSN realm\user into user at realm
> # RewriteUsername s/^(.*)\\(.*)/$2\@$1/
>
> # strips the realm from a User-Name before authenticating it
> # RewriteUsername s/^([^@]+).*/$1/
>
>
> <AuthBy SQL>
> DBSource dbi:mysql:radius
> DBSource dbi:mysql:database=radius;host=radserver.musc.edu
> DBUsername radtest
> DBAuth radpwd
>
> AuthSelect
>
> # Only insert Start and Stop requests, ack everything else
> HandleAcctStatusTypes Start,Stop
>
> AccountingTable ACCOUNTING
>
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef CONNTYPE,%{Client:Identifier},formatted
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASIPADDRESS,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
>
> AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccounting.log
> </AuthBy>
>
>
> <AuthBy FILE>
>
> # Strip realm if in MSN format
> # RewriteUsername s/(.*)\\(.*)/$2/
>
> # Convert a MSN realm\user into user at realm
> RewriteUsername s/^(.*)\\(.*)/$2\@$1/
>
> # strips the realm from a User-Name before authenticating it
> # RewriteUsername s/^([^@]+).*/$1/
>
> Filename /etc/radiator/users
>
> EAPType TTLS
>
> EAPTLS_CAFile /usr/local/certs/radtest.pem
>
> EAPTLS_CertificateFile /usr/local/certs/radtest.pem
> EAPTLS_CertificateType PEM
>
> EAPTLS_PrivateKeyFile /usr/local/certs/radtest.pem
> EAPTLS_PrivateKeyPassword <keypasswd>
>
> EAPTLS_MaxFragmentSize 1024
>
> AutoMPPEKeys
>
> SSLeayTrace 4
>
> # EAPAnonymous anonymous
>
> # Default is enabled
> #EAPTLS_SessionResumption 0
>
> #EAPTLS_SessionResumptionLimit 10
>
> </AuthBy>
>
> PreProcessingHook file:"/etc/radiator/eap_anon_hook.pl"
> PostAuthHook file:"/etc/radiator/eap_anon_hook.pl"
>
> # Log accounting to a detail file
> AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>
> </Handler>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
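The handler-selection problem in Steve's post, as an added illustration that is not part of the thread and not Radiator's own code: a small Python model of why a Handler keyed on Realm=testrealm is never chosen when the only rewrite that exposes the realm lives inside that Handler, and how the same request routes once the domain\user form is converted to user@realm at the Client stage, before Handler selection. The realm derivation (text after the last "@"), the Client-rewrite-before-Handler-selection ordering and the two-handler list are assumptions drawn from the posted config and Radiator's documented behaviour, not from its source; the TunnelledByTTLS=1 condition is treated as already satisfied.

```python
import re

# The three RewriteUsername rules from the posted config, transcribed from
# Perl s/// syntax to Python (pattern, replacement) pairs; \1 \2 stand in
# for $1 $2. In both languages "\\" matches one literal backslash.
STRIP_MSN_DOMAIN = (r"(.*)\\(.*)", r"\2")          # s/(.*)\\(.*)/$2/
MSN_TO_USER_AT_REALM = (r"^(.*)\\(.*)", r"\2@\1")   # s/^(.*)\\(.*)/$2\@$1/
STRIP_REALM = (r"^([^@]+).*", r"\1")               # s/^([^@]+).*/$1/


def rewrite(username, rules):
    """Apply rewrite rules in order, each at most once, like RewriteUsername."""
    for pattern, repl in rules:
        username = re.sub(pattern, repl, username, count=1)
    return username


def realm_of(username):
    """Assumed realm derivation: everything after the last '@', else ''."""
    return username.rsplit("@", 1)[1] if "@" in username else ""


# (required realm, handler name) in config order; None is the catch-all.
# Handler names are the clause headers from the posted config.
HANDLERS = [
    ("testrealm", "TunnelledByTTLS=1,Realm=testrealm"),
    (None, "TunnelledByTTLS=1"),
]


def select_handler(username):
    """First handler whose Realm requirement matches, or the catch-all."""
    realm = realm_of(username)
    for required, name in HANDLERS:
        if required is None or required == realm:
            return name
    return None


def route(inner_username, client_rules):
    """Model: Client-level rewrites run first, then the Handler is selected.

    Returns (User-Name as seen at selection time, selected handler name).
    A rewrite placed inside a Handler runs too late to influence this step.
    """
    normalized = rewrite(inner_username, client_rules)
    return normalized, select_handler(normalized)
```

With no Client-level rewrite, "testrealm\steve" carries no "@" and falls through to the catch-all TunnelledByTTLS=1 handler, which is the symptom in the post; moving the "realm\user into user@realm" rule to the Client stage makes the realm visible, and the Handler-level strip rule then yields the bare samaccountname for the LDAP lookup.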
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.