(RADIATOR) ADSI and EAP
Hugh Irvine
hugh at open.com.au
Wed Sep 3 01:56:30 CDT 2003
Hello Chris -
I am not quite sure I understand your configuration file.
You say below that you are using EAPTTLS, however your configuration
file shows this:
<Handler TunnelledByPEAP=1>
.....
</Handler>
You also still have the <AuthBy ADSI> clause in your default Handler,
which is what is giving the error messages.
Your configuration file should look more like this:
<Handler TunnelledByTTLS=1>
....
# this will deal with the inner authentication
<AuthBy LSA>
....
</AuthBy>
.....
</Handler>
<Handler ....>
.....
<AuthBy FILE>
.....
# this will only check for "anonymous"
.....
# must include EAP configuration details
.....
</AuthBy>
.....
</Handler>
regards
Hugh
On Wednesday, Sep 3, 2003, at 05:13 Australia/Melbourne, Christian Fredrickson wrote:
> OK, I configured the server to run a LSA handler and my normal handler. I
> have the server up and running the LSA module, but I cannot get a user
> authenticated. I still do not see the password coming through the request.
> My configuration and error will be in the body of the message below. You can
> see the password still does not show up. I am not certain what the
> configuration settings should be for the AuthBy sections. We are using
> EAPTTLS with PAP for authentication.
>
> Thank you,
>
> Chris
>
> Config
> ************************************************************************************
> # radius.cfg - Chemical and Fuels
> # Last updated 08-25-2003
>
>
>
> # ----------------------------------------
> # General Server Options
> # ----------------------------------------
> #Foreground
> BindAddress 155.99.173.37
> AuthPort 1812
> AcctPort 1813
>
> IgnoreAcctSignature
>
>
> Foreground
> LogStdout
> LogDir c:/Program Files/Radiator
> DbDir c:/Program Files/Radiator
>
> PidFile %D/radiusd.pid
> DictionaryFile %D/dictionary
>
>
>
> # ----------------------------------------
> # Logging
> # ----------------------------------------
> #LogStdout
> Trace 4
> LogFile %L/radiator.log
>
> # ----------------------------------------
> # NAS Devices
> # ----------------------------------------
>
> <Client 155.98.0.3>
> NoIgnoreDuplicates Access-Request
> NoIgnoreDuplicates Access-Challenge
> Secret
> DupInterval 0
> </Client>
>
> <Client 155.98.0.4>
> NoIgnoreDuplicates Access-Request
> NoIgnoreDuplicates Access-Challenge
> Secret
> DupInterval 0
> </Client>
>
> <Client 155.99.173.37>
> NoIgnoreDuplicates Access-Request
> NoIgnoreDuplicates Access-Challenge
> Secret
> </Client>
>
> <Handler TunnelledByPEAP=1>
> # Authenticate with Windows LSA
> <AuthBy LSA>
> Domain CHE
> EAPType TTLS
> </AuthBy>
> </Handler>
>
> <Handler Realm=che.utah.edu>
> RejectHasReason
> AcctLogFileName %L/che.utah.edu_accounting.log
> AcctLogFileFormat %l, %{User-Name}, %{Acct-Session-Id}, %{Acct-Authentic}, %{Acct-Status-Type}, \
>     %{NAS-Identifier}, %{NAS-IP-Address}, %{NAS-Port}, %{NAS-Port-Type}, %{Timestamp}
> #PasswordLogFileName %L/che.utah.edu_login.log
>
> <Log FILE>
> Trace 5
> Filename %L/che.utah.edu_radiator.log
> </Log>
>
> <AuthLog FILE>
> Filename %L/che.utah.edu_auth.log
> LogSuccess 1
> LogFailure 1
> SuccessFormat %l,%U,%N,%h,OK
> FailureFormat %l,%U,%N,%h,FAIL
> </AuthLog>
>
> <StatsLog FILE>
> Interval 604800
> Filename %L/che.utah.edu_stats.log
> #Format
> </StatsLog>
>
>
> RewriteUsername s/^([^@]+).*/$1/
> <AuthBy ADSI>
> #Identifier ADSI
> SearchAttribute SAMAccountName
> AuthUser %0
> AuthFlags 1
> BindString LDAP://che-2551-37/dc=che,dc=utah,dc=edu
> SSLeayTrace 4
> EAPType TTLS
> EAPTLS_MaxFragmentSize 1024
> EAPTLS_SessionResumption 0
> EAPTLS_CertificateType PEM
> EAPTLS_CAFile %D/cert/root.pem
> EAPTLS_CertificateType PEM
> EAPTLS_CertificateFile %D/cert/server-cert.pem
> EAPTLS_PrivateKeyFile %D/cert/server-cert.pem.txt
> EAPTLS_PrivateKeyPassword cheradiuscert
> #EAPTLS_RandomFile %D/cert/random
> AutoMPPEKeys
> </AuthBy>
>
> </Handler>
>
> ************************************************************************************
> End Config
>
> Error
> ************************************************************************************
>
> Tue Sep 2 13:09:31 2003: DEBUG: User found at LDAP://CN=Chris Fredrickson,OU=CHE Admins,DC=che,DC=utah,DC=edu
> Tue Sep 2 13:09:31 2003: DEBUG: Connecting to namespace: LDAP:
> Tue Sep 2 13:09:31 2003: DEBUG: Running OpenDSObject on LDAP://CN=Chris Fredrickson,OU=CHE Admins,DC=che,DC=utah,DC=edu
> Tue Sep 2 13:09:31 2003: DEBUG: BindString: LDAP://CN=Chris Fredrickson,OU=CHE Admins,DC=che,DC=utah,DC=edu authUser: 00303341 password: authFlags: 1
> Win32::OLE(0.1403) error 0x8002000f: "Parameter not optional"
> in METHOD/PROPERTYGET "OpenDSObject" at c:/Perl/site/lib/Radius/AuthADSI.pm line 134
> Tue Sep 2 13:09:31 2003: DEBUG: Could not get user object: Win32::OLE(0.1403) error 0x8002000f: "Parameter not optional"
> in METHOD/PROPERTYGET "OpenDSObject"
> Tue Sep 2 13:09:31 2003: INFO: Access rejected for 00303341: Could not find user
> Tue Sep 2 13:09:31 2003: DEBUG: Packet dump:
> *** Sending to 155.98.0.3 port 1814 ....
> Code: Access-Reject
> Identifier: 70
> Authentic: <152><10><0><0><243><11><0><0><134><13><0><0><10>I<0><0>
> Attributes:
> Reply-Message = "Could not find user"
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> Behalf Of Mike McCauley
> Sent: Friday, August 29, 2003 6:46 PM
> To: Christian Fredrickson; Radiator
> Subject: Re: (RADIATOR) ADSI and EAP
>
>
> Hello Christian,
>
> On Sat, 30 Aug 2003 09:33 am, Christian Fredrickson wrote:
>> When I use EAP authentication using AuthBy ADSI, the password fails. Is
>> there any way to get this working?
>
> AuthBy ADSI only works with authentication methods that send a plaintext
> password, such as PAP.
> If you wish to support PAP, CHAP, MSCHAP, MSCHAPV2, EAP-PEAP-MSCHAPV2 etc, you
> should look at the new AuthBy LSA module. See the Radiator 3.6 patches area
> for more information.
>
> Cheers.
>
>>
>> Chris
>>
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
> Phone +61 3 9598-0985 Fax +61 3 9598-0955
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
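As an added example (not taken from this thread or from Radiator's own sample configurations), here is the full shape of the two-Handler layout Hugh describes, reusing the realm, domain and certificate paths from Chris's posted configuration; the users file name, its single anonymous entry and the private-key password are assumptions and placeholders.

```text
# Inner Handler first: Radiator matches Handlers in order, and the request
# unwrapped from the TTLS tunnel may carry a user name with the realm in it,
# so it must be caught here before the Realm Handler below sees it.
# Inside the tunnel the PAP request carries User-Password in the clear,
# which is exactly what AuthBy LSA needs. No EAP settings belong here.
<Handler TunnelledByTTLS=1>
        <AuthBy LSA>
                Domain CHE
        </AuthBy>
</Handler>

# Outer Handler: terminates the TLS side of EAP-TTLS. The AuthBy here
# carries the EAP/TLS settings and only has to accept the outer identity
# ("anonymous"); it must NOT be AuthBy ADSI, which needs a plaintext
# password that the outer request never contains.
<Handler Realm=che.utah.edu>
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy FILE>
                # Assumed users file holding the single entry:
                #   anonymous   Auth-Type = Accept
                Filename %D/users
                EAPType TTLS
                EAPTLS_CAFile %D/cert/root.pem
                EAPTLS_CertificateType PEM
                EAPTLS_CertificateFile %D/cert/server-cert.pem
                EAPTLS_PrivateKeyFile %D/cert/server-cert.pem.txt
                # Placeholder: set to the real key passphrase, not a value
                # copied from a mailing list post
                EAPTLS_PrivateKeyPassword REPLACE_WITH_KEY_PASSPHRASE
                EAPTLS_MaxFragmentSize 1024
                EAPTLS_SessionResumption 0
                AutoMPPEKeys
        </AuthBy>
</Handler>
```

With this layout a trace 4 log shows the outer request accepted for "anonymous" by AuthBy FILE and a second, tunnelled request for the real user name handled by AuthBy LSA, which is where the password should now appear.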