(RADIATOR) AUTHBY LDAP2

Stephen Ollis stephen.ollis at hillsong.com
Fri Apr 2 00:27:01 CST 2004


Hi List..
 
I'm in the process of evaluating Radiator as a replacement for the
cursed MS RADIUS server.
 
I want to re-use Active Directory as the authentication store for
Radiator. This works fine.
I have Security Groups configured to limit access to certain resources. 
 
Setting the BaseDN to OU=Staff,OU=Technology Services,DC=hillsong,DC=net
lets me authenticate correctly. Changing the BaseDN to point to the relevant
security group, i.e.
CN=All Hills Dialup Access,OU=Security Groups,OU=Servers,DC=hillsong,DC=net
fails.
 

Foreground
LogStdout
LogDir          .
DbDir           .
# Use a lower trace level in production systems:
Trace           9
 
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
        Secret  mysecret
        DupInterval 0
</Client>
 
<Realm DEFAULT>
        <AuthBy LDAP2>
                Host            hcdc.hillsong.net
                Version         3
 
                # Microsoft AD also listens on port 3268, and
                # requests received on that port are reported to be
                # more compliant with standard LDAP, so you may want to use:
                # Port 3268
 
                AuthDN          CN=AdminAccount,OU=Staff,OU=Technology Services,DC=hillsong,DC=net
                AuthPassword    password-removed
                BaseDN          OU=Staff,OU=Technology Services,DC=hillsong,DC=net
# WORKS!!       BaseDN          OU=Staff,OU=Technology Services,DC=hillsong,DC=net
# WORKS!!       BaseDN          DC=hillsong,DC=net
# DOESN'T!      BaseDN          CN=All Hills Wireless Access,OU=Security Groups,OU=Servers,DC=hillsong,DC=net
                ServerChecksPassword
                UsernameAttr    sAMAccountName
                AuthAttrDef     logonHours,MS-Login-Hours,check
                AcctLogFileName ./detail
        </AuthBy>
</Realm>
 
 
 
Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 40318 ....
 
Packet length = 99
01 24 00 63 31 32 33 34 35 36 37 38 39 30 31 32
33 34 35 36 01 0f 73 74 65 70 68 65 6e 2e 6f 6c
6c 69 73 06 06 00 00 00 02 04 06 cb 3f 9a 01 05
06 00 00 04 d2 1e 0b 31 32 33 34 35 36 37 38 39
1f 0b 39 38 37 36 35 34 33 32 31 3d 06 00 00 00
00 02 12 c8 ed 36 c3 ca 38 65 8f bc 38 09 a0 d8
7d 78 99
Code:       Access-Request
Identifier: 36
Authentic:  1234567890123456
Attributes:
        User-Name = "stephen.ollis"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<200><237>6<195><202>8e<143><188>8<9><160><216>}x<153>"
 
Fri Apr  2 16:25:51 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Apr  2 16:25:51 2004: DEBUG:  Deleting session for stephen.ollis, 203.63.154.1, 1234
Fri Apr  2 16:25:51 2004: DEBUG: Handling with Radius::AuthLDAP2:
Fri Apr  2 16:25:51 2004: INFO: Connecting to hcdc.hillsong.net, port 389
Fri Apr  2 16:25:51 2004: INFO: Attempting to bind to LDAP server hcdc.hillsong.net:389)
Fri Apr  2 16:25:51 2004: DEBUG: No entries for stephen.ollis found in LDAP database
Fri Apr  2 16:25:51 2004: DEBUG: Radius::AuthLDAP2 looks for match with stephen.ollis
Fri Apr  2 16:25:51 2004: INFO: Connecting to hcdc.hillsong.net, port 389
Fri Apr  2 16:25:51 2004: INFO: Attempting to bind to LDAP server hcdc.hillsong.net:389)
Fri Apr  2 16:25:51 2004: DEBUG: No entries for DEFAULT found in LDAP database
Fri Apr  2 16:25:51 2004: INFO: Access rejected for stephen.ollis: No such user
Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 40318 ....
 
Packet length = 36
03 24 00 24 e2 a5 cc 30 76 b4 d7 12 7f 78 43 26
ee b6 51 65 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 36
Authentic:  1234567890123456
Attributes:
        Reply-Message = "Request Denied"
 
Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 40318 ....
 
Packet length = 103
04 25 00 67 95 ed ae 14 5a ea 17 7f 97 2f 82 da
4a c9 57 07 01 0f 73 74 65 70 68 65 6e 2e 6f 6c
6c 69 73 06 06 00 00 00 02 04 06 cb 3f 9a 01 05
06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30 30 30
30 31 32 33 34 28 06 00 00 00 01 1e 0b 31 32 33
34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33 32
31 29 06 00 00 00 00
Code:       Accounting-Request
Identifier: 37
Authentic:  <149><237><174><20>Z<234><23><127><151>/<130><218>J<201>W<7>
Attributes:
        User-Name = "stephen.ollis"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Start
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 0
 
Fri Apr  2 16:25:51 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Apr  2 16:25:51 2004: DEBUG:  Adding session for stephen.ollis, 203.63.154.1, 1234
Fri Apr  2 16:25:51 2004: DEBUG: Handling with Radius::AuthLDAP2:
Fri Apr  2 16:25:51 2004: DEBUG: Accounting accepted
Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 40318 ....
 
Packet length = 20
05 25 00 14 17 3d 77 c6 4f 1a 4c 49 7e 53 14 e5
04 49 1d 75
Code:       Accounting-Response
Identifier: 37
Authentic:  <149><237><174><20>Z<234><23><127><151>/<130><218>J<201>W<7>
Attributes:
 
Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 40318 ....
 
Packet length = 121
04 26 00 79 86 83 91 37 85 3d 22 cc 6a ce bb 7e
41 35 b8 00 01 0f 73 74 65 70 68 65 6e 2e 6f 6c
6c 69 73 06 06 00 00 00 02 04 06 cb 3f 9a 01 05
06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30 30 30
30 31 32 33 34 28 06 00 00 00 02 1e 0b 31 32 33
34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33 32
31 29 06 00 00 00 00 2e 06 00 00 03 e8 2a 06 00
00 4e 20 2b 06 00 00 75 30
Code:       Accounting-Request
Identifier: 38
Authentic:  <134><131><145>7<133>="<204>j<206><187>~A5<184><0>
Attributes:
        User-Name = "stephen.ollis"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Stop
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 0
        Acct-Session-Time = 1000
        Acct-Input-Octets = 20000
        Acct-Output-Octets = 30000
 
Fri Apr  2 16:25:51 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Apr  2 16:25:51 2004: DEBUG:  Deleting session for stephen.ollis, 203.63.154.1, 1234
Fri Apr  2 16:25:51 2004: DEBUG: Handling with Radius::AuthLDAP2:
Fri Apr  2 16:25:51 2004: DEBUG: Accounting accepted
Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 40318 ....
 
Packet length = 20
05 26 00 14 34 df f7 5b d6 4f ee 2e 0f df fa 63
e2 96 bd 88
Code:       Accounting-Response
Identifier: 38
Authentic:  <134><131><145>7<133>="<204>j<206><187>~A5<184><0>
Attributes:
 
 
Thanks
 
Stephen Ollis
Manager, Technology Services
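Added example (editor's, not from the post above or from Radiator's own code): a small Python model of the subtree search that AuthBy LDAP2 performs from BaseDN for (UsernameAttr=User-Name). It shows why a group's DN yields "No such user" as BaseDN (an AD group is one entry whose members are values of its member attribute, not child entries under it) and how a memberOf condition in the search filter restricts access to group members while keeping the OU as BaseDN. The directory contents, the user DNs and the second user are constructed for the example.

```python
from typing import Dict, List, Optional

# DNs taken from the post above.
STAFF_OU = "OU=Staff,OU=Technology Services,DC=hillsong,DC=net"
GROUP_DN = ("CN=All Hills Dialup Access,OU=Security Groups,"
            "OU=Servers,DC=hillsong,DC=net")
USER_DN = "CN=Stephen Ollis," + STAFF_OU          # constructed
OTHER_DN = "CN=Other Person," + STAFF_OU          # constructed

# Constructed miniature directory: DN -> attributes. The group is a single
# entry listing its members in the "member" attribute; the user objects are
# NOT child entries beneath the group's DN, so a subtree search rooted at the
# group DN never sees them.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN:  {"objectClass": ["user"], "sAMAccountName": ["stephen.ollis"],
               "memberOf": [GROUP_DN]},
    OTHER_DN: {"objectClass": ["user"], "sAMAccountName": ["other.person"],
               "memberOf": []},
    GROUP_DN: {"objectClass": ["group"], "member": [USER_DN]},
}

def norm(dn: str) -> str:
    """Case-insensitive DN comparison with whitespace around RDNs trimmed."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn itself or lies anywhere beneath it."""
    d, b = norm(dn), norm(base_dn)
    return d == b or d.endswith("," + b)

def find_user(base_dn: str, username: str,
              username_attr: str = "sAMAccountName",
              required_group: Optional[str] = None) -> List[str]:
    """Subtree search from base_dn for (username_attr=username), which is
    what AuthBy LDAP2 does with BaseDN/UsernameAttr. required_group adds
    the condition (memberOf=<group DN>) to the filter."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, base_dn):
            continue
        names = [v.lower() for v in attrs.get(username_attr, [])]
        if username.lower() not in names:
            continue
        if required_group is not None:
            groups = [norm(g) for g in attrs.get("memberOf", [])]
            if norm(required_group) not in groups:
                continue
        hits.append(dn)
    return hits
```

The equivalent real LDAP filter, searched from the OU BaseDN, is (&(sAMAccountName=stephen.ollis)(memberOf=CN=All Hills Dialup Access,OU=Security Groups,OU=Servers,DC=hillsong,DC=net)); whether the installed Radiator lets AuthBy LDAP2 use such a filter (a SearchFilter parameter is assumed here) should be confirmed in its reference manual.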