(RADIATOR) ADSI and EAP
Christian Fredrickson
fredrick at eng.utah.edu
Tue Sep 2 14:13:36 CDT 2003
OK, I configured the server to run an LSA handler and my normal handler. I
have the server up and running the LSA module, but I cannot get a user
authenticated. I still do not see the password coming through the request.
My configuration and error will be in the body of the message below. You can
see the password still does not show up. I am not certain what the
configuration settings should be for the AuthBy sections. We are using
EAPTTLS with PAP for authentication.
Thank you,
Chris
Config
************************************************************************************
# radius.cfg - Chemical and Fuels
# Last updated 08-25-2003
# ----------------------------------------
# General Server Options
# ----------------------------------------
#Foreground
BindAddress 155.99.173.37
AuthPort 1812
AcctPort 1813
IgnoreAcctSignature
Foreground
LogStdout
LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator
PidFile %D/radiusd.pid
DictionaryFile %D/dictionary
# ----------------------------------------
# Logging
# ----------------------------------------
#LogStdout
Trace 4
LogFile %L/radiator.log
# ----------------------------------------
# NAS Devices
# ----------------------------------------
<Client 155.98.0.3>
NoIgnoreDuplicates Access-Request
NoIgnoreDuplicates Access-Challenge
Secret
DupInterval 0
</Client>
<Client 155.98.0.4>
NoIgnoreDuplicates Access-Request
NoIgnoreDuplicates Access-Challenge
Secret
DupInterval 0
</Client>
<Client 155.99.173.37>
NoIgnoreDuplicates Access-Request
NoIgnoreDuplicates Access-Challenge
Secret
</Client>
<Handler TunnelledByPEAP=1>
# Authenticate with Windows LSA
<AuthBy LSA>
Domain CHE
EAPType TTLS
</AuthBy>
</Handler>
<Handler Realm=che.utah.edu>
RejectHasReason
AcctLogFileName %L/che.utah.edu_accounting.log
AcctLogFileFormat %l, %{User-Name}, %{Acct-Session-Id}, %{Acct-Authentic}, %{Acct-Status-Type}, \
    %{NAS-Identifier}, %{NAS-IP-Address}, %{NAS-Port}, %{NAS-Port-Type}, %{Timestamp}
#PasswordLogFileName %L/che.utah.edu_login.log
<Log FILE>
Trace 5
Filename %L/che.utah.edu_radiator.log
</Log>
<AuthLog FILE>
Filename %L/che.utah.edu_auth.log
LogSuccess 1
LogFailure 1
SuccessFormat %l,%U,%N,%h,OK
FailureFormat %l,%U,%N,%h,FAIL
</AuthLog>
<StatsLog FILE>
Interval 604800
Filename %L/che.utah.edu_stats.log
#Format
</StatsLog>
RewriteUsername s/^([^@]+).*/$1/
<AuthBy ADSI>
#Identifier ADSI
SearchAttribute SAMAccountName
AuthUser %0
AuthFlags 1
BindString LDAP://che-2551-37/dc=che,dc=utah,dc=edu
SSLeayTrace 4
EAPType TTLS
EAPTLS_MaxFragmentSize 1024
EAPTLS_SessionResumption 0
EAPTLS_CertificateType PEM
EAPTLS_CAFile %D/cert/root.pem
EAPTLS_CertificateType PEM
EAPTLS_CertificateFile %D/cert/server-cert.pem
EAPTLS_PrivateKeyFile %D/cert/server-cert.pem.txt
EAPTLS_PrivateKeyPassword cheradiuscert
#EAPTLS_RandomFile %D/cert/random
AutoMPPEKeys
</AuthBy>
</Handler>
************************************************************************************
End Config
Error
************************************************************************************
Tue Sep 2 13:09:31 2003: DEBUG: User found at LDAP://CN=Chris Fredrickson,OU=CHE Admins,DC=che,DC=utah,DC=edu
Tue Sep 2 13:09:31 2003: DEBUG: Connecting to namespace: LDAP:
Tue Sep 2 13:09:31 2003: DEBUG: Running OpenDSObject on LDAP://CN=Chris Fredrickson,OU=CHE Admins,DC=che,DC=utah,DC=edu
Tue Sep 2 13:09:31 2003: DEBUG: BindString: LDAP://CN=Chris Fredrickson,OU=CHE Admins,DC=che,DC=utah,DC=edu authUser: 00303341 password: authFlags: 1
Win32::OLE(0.1403) error 0x8002000f: "Parameter not optional"
in METHOD/PROPERTYGET "OpenDSObject" at c:/Perl/site/lib/Radius/AuthADSI.pm line 134
Tue Sep 2 13:09:31 2003: DEBUG: Could not get user object: Win32::OLE(0.1403) error 0x8002000f: "Parameter not optional"
in METHOD/PROPERTYGET "OpenDSObject"
Tue Sep 2 13:09:31 2003: INFO: Access rejected for 00303341: Could not find user
Tue Sep 2 13:09:31 2003: DEBUG: Packet dump:
*** Sending to 155.98.0.3 port 1814 ....
Code: Access-Reject
Identifier: 70
Authentic: <152><10><0><0><243><11><0><0><134><13><0><0><10>I<0><0>
Attributes:
Reply-Message = "Could not find user"
-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Mike McCauley
Sent: Friday, August 29, 2003 6:46 PM
To: Christian Fredrickson; Radiator
Subject: Re: (RADIATOR) ADSI and EAP
Hello Christian,
On Sat, 30 Aug 2003 09:33 am, Christian Fredrickson wrote:
> When I use EAP authentication using AuthBy ADSI, the password fails. Is
> there any way to get this working?
AuthBy ADSI only works with authentication methods that send a plaintext
password, such as PAP.
If you wish to support PAP, CHAP, MSCHAP, MSCHAPV2, EAP-PEAP-MSCHAPV2 etc, you
should look at the new AuthBy LSA module. See the Radiator 3.6 patches area
for more information.
Cheers.
>
> Chris
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
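The thread turns on one point: a directory-bind backend such as AuthBy ADSI can only work when the inner EAP method hands it a cleartext password, while the CHAP/MS-CHAP family only yields challenge responses that a backend like AuthBy LSA has to validate against the domain. The log also shows the failure mode when the inner request reaches the ADSI backend with an empty password field. The following Python model is an added example, not Radiator code and not something posted in the thread; the backend capability table, the `simulated_bind` and `simulated_lsa_logon` stand-ins, and the sample inner requests are constructed for illustration. The attribute names are the standard RADIUS and Microsoft dictionary names, and the DN is the one visible in the log above.

```python
"""
Constructed model of credential dispatch for tunnelled RADIUS inner requests:
which backend can verify which kind of credential, and a guard that refuses a
directory bind when the cleartext password is missing or empty.
"""
from dataclasses import dataclass
from typing import Optional

# RADIUS attribute names: User-Password / CHAP-Password (RFC 2865),
# MS-CHAP-Response / MS-CHAP2-Response (RFC 2548).
CLEARTEXT_ATTR = "User-Password"
CHALLENGE_RESPONSE_ATTRS = ("CHAP-Password", "MS-CHAP-Response", "MS-CHAP2-Response")

# Hypothetical capability table reflecting the reply in the thread: an LDAP
# bind (ADSI) needs the cleartext password; an LSA logon can also validate
# CHAP / MS-CHAP family responses against the domain.
BACKEND_ACCEPTS = {
    "ADSI": {CLEARTEXT_ATTR},
    "LSA": {CLEARTEXT_ATTR, *CHALLENGE_RESPONSE_ATTRS},
}


@dataclass
class InnerRequest:
    """The inner RADIUS request after the TTLS/PEAP tunnel has been stripped."""
    user_name: str
    attrs: dict


class EmptyCredentialError(ValueError):
    """Raised instead of handing an empty credential to the directory/domain."""


def credential_attribute(req: InnerRequest) -> Optional[str]:
    """Name of the credential attribute the inner method supplied, or None."""
    for name in (CLEARTEXT_ATTR, *CHALLENGE_RESPONSE_ATTRS):
        if name in req.attrs:
            return name
    return None


def simulated_bind(dn: str, password: Optional[str]) -> bool:
    """Stand-in for OpenDSObject / an LDAP simple bind (constructed).

    A simple bind with a DN and an empty password is an *unauthenticated*
    (anonymous) bind per RFC 4513 section 5.1.2 and may return success, so
    the guard runs before the directory is ever contacted. The real module in
    the log failed with "Parameter not optional"; this one fails explicitly.
    """
    if not password:
        raise EmptyCredentialError(f"refusing bind for {dn}: empty password")
    return True  # a real backend returns the directory's answer here


def simulated_lsa_logon(user: str, attr: str, value) -> bool:
    """Stand-in for a domain logon that can consume password or challenge/response."""
    if not value:
        raise EmptyCredentialError(f"refusing logon for {user}: empty {attr}")
    return True


def authenticate(backend: str, req: InnerRequest, dn: str) -> str:
    """Return "accept" or a reject reason for running `req` through `backend`."""
    cred = credential_attribute(req)
    if cred is None:
        # Tunnel negotiated, but no credential attribute at all reached the
        # backend (for example the inner request matched the wrong handler).
        return "reject:no-credential"
    if cred not in BACKEND_ACCEPTS[backend]:
        return "reject:method-not-supported"
    try:
        if backend == "ADSI":
            simulated_bind(dn, req.attrs[CLEARTEXT_ATTR])
        else:
            simulated_lsa_logon(req.user_name, cred, req.attrs[cred])
    except EmptyCredentialError:
        return "reject:empty-credential"
    return "accept"


# Constructed sample inner requests; credential values are dummies.
DN = "CN=Chris Fredrickson,OU=CHE Admins,DC=che,DC=utah,DC=edu"  # from the log
TTLS_PAP = InnerRequest("00303341", {"User-Password": "dummy-pw"})
TTLS_PAP_EMPTY = InnerRequest("00303341", {"User-Password": ""})  # the logged state
PEAP_MSCHAPV2 = InnerRequest(
    "00303341",
    {"MS-CHAP-Challenge": b"\x01" * 16, "MS-CHAP2-Response": b"\x00" * 50},
)
NO_CREDENTIAL = InnerRequest("00303341", {})

if __name__ == "__main__":
    cases = [
        ("TTLS/PAP via ADSI", "ADSI", TTLS_PAP),
        ("TTLS/PAP, empty password, via ADSI", "ADSI", TTLS_PAP_EMPTY),
        ("PEAP/MSCHAPv2 via ADSI", "ADSI", PEAP_MSCHAPV2),
        ("PEAP/MSCHAPv2 via LSA", "LSA", PEAP_MSCHAPV2),
        ("no credential via LSA", "LSA", NO_CREDENTIAL),
    ]
    for label, backend, req in cases:
        print(f"{label}: {authenticate(backend, req, DN)}")
```

The model separates two failures that look alike in a reject log: a backend that cannot verify the credential type it was given (MS-CHAPv2 response sent to an LDAP bind) and a backend that was given the right type with nothing in it (the `password:` field in the log above). The explicit empty-credential guard is the part worth keeping in any real bind-based authenticator, since an LDAP simple bind with an empty password is not an authentication failure but an anonymous bind.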