(RADIATOR) AUTHBY LDAP2

Stephen Ollis stephen.ollis at hillsong.com
Fri Apr 2 01:25:16 CST 2004


Hugh,

Ah that would be one component that I left out of the e-mail. 
RADIATOR is running on a separate Linux system.

Regards,

Steve Ollis 

> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au] 
> Sent: Friday, 2 April 2004 5:18 PM
> To: Stephen Ollis
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) AUTHBY LDAP2
> 
> 
> Hello Stephen -
> 
> If you are running on Windows I would suggest either AuthBy 
> ADSI or AuthBy LSA.
> 
> See sections 6.40 and 6.49 in the Radiator 3.9 reference 
> manual ("doc/ref.html").
> 
> regards
> 
> Hugh
> 
> 
> On 2 Apr 2004, at 16:27, Stephen Ollis wrote:
> 
> > Hi List..
> >  
> > I'm in the process of evaluating Radiator as a replacement for the
> > cursed MS radius server.
> >  
> > I want to re-use Active Directory as the authentication store for 
> > Radiator. This works fine.
> > I have Security Groups configured to limit access to certain resources.
> >
> > Setting the BaseDN to OU=Staff,OU=Technology Services,DC=hillsong,DC=net
> > lets me authenticate correctly. Changing the BaseDN to point to the
> > relevant security group, i.e. CN=All Hills Dialup Access,OU=Security
> > Groups,OU=Servers,DC=hillsong,DC=net, fails.
> >  
> >
> >
> > Foreground
> > LogStdout
> > LogDir          .
> > DbDir           .
> > # Use a lower trace level in production systems:
> > Trace           9
> >
> > # You will probably want to add other Clients to suit your site,
> > # one for each NAS you want to work with
> > <Client DEFAULT>
> >         Secret  mysecret
> >         DupInterval 0
> > </Client>
> >
> > <Realm DEFAULT>
> >         <AuthBy LDAP2>
> >                 Host            hcdc.hillsong.net
> >                 Version         3
> >
> >                 # Microsoft AD also listens on port 3268, and
> >                 # requests received on that port are reported to be
> >                 # more compliant with standard LDAP, so you may want
> >                 # to use:
> >                 # Port 3268
> >
> >                 AuthDN          CN=AdminAccount,OU=Staff,OU=Technology Services,DC=hillsong,DC=net
> >                 AuthPassword    password-removed
> >
> >                 # WORKS!!
> >                 #BaseDN         OU=Staff,OU=Technology Services,DC=hillsong,DC=net
> >                 # DOESN'T!
> >                 #BaseDN         DC=hillsong,DC=net
> >                 # DOESN'T!
> >                 BaseDN          CN=All Hills Wireless Access,OU=Security Groups,OU=Servers,DC=hillsong,DC=net
> >
> >                 ServerChecksPassword
> >                 UsernameAttr    sAMAccountName
> >                 AuthAttrDef     logonHours,MS-Login-Hours,check
> >         </AuthBy>
> >         AcctLogFileName ./detail
> > </Realm>
> >  
> >  
> >  
> > Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 40318 ....
> >  
> > Packet length = 99
> > 01 24 00 63 31 32 33 34 35 36 37 38 39 30 31 32
> > 33 34 35 36 01 0f 73 74 65 70 68 65 6e 2e 6f 6c
> > 6c 69 73 06 06 00 00 00 02 04 06 cb 3f 9a 01 05
> > 06 00 00 04 d2 1e 0b 31 32 33 34 35 36 37 38 39
> > 1f 0b 39 38 37 36 35 34 33 32 31 3d 06 00 00 00
> > 00 02 12 c8 ed 36 c3 ca 38 65 8f bc 38 09 a0 d8
> > 7d 78 99
> > Code:       Access-Request
> > Identifier: 36
> > Authentic:  1234567890123456
> > Attributes:
> >         User-Name = "stephen.ollis"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         NAS-Port-Type = Async
> >         User-Password =
> > "<200><237>6<195><202>8e<143><188>8<9><160><216>}x<153>"
> >  
> > Fri Apr  2 16:25:51 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Fri Apr  2 16:25:51 2004: DEBUG:  Deleting session for stephen.ollis, 203.63.154.1, 1234
> > Fri Apr  2 16:25:51 2004: DEBUG: Handling with Radius::AuthLDAP2:
> > Fri Apr  2 16:25:51 2004: INFO: Connecting to hcdc.hillsong.net, port 389
> > Fri Apr  2 16:25:51 2004: INFO: Attempting to bind to LDAP server hcdc.hillsong.net:389)
> > Fri Apr  2 16:25:51 2004: DEBUG: No entries for stephen.ollis found in LDAP database
> > Fri Apr  2 16:25:51 2004: DEBUG: Radius::AuthLDAP2 looks for match with stephen.ollis
> > Fri Apr  2 16:25:51 2004: INFO: Connecting to hcdc.hillsong.net, port 389
> > Fri Apr  2 16:25:51 2004: INFO: Attempting to bind to LDAP server hcdc.hillsong.net:389)
> > Fri Apr  2 16:25:51 2004: DEBUG: No entries for DEFAULT found in LDAP database
> > Fri Apr  2 16:25:51 2004: INFO: Access rejected for stephen.ollis: No such user
> > Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 40318 ....
> >  
> > Packet length = 36
> > 03 24 00 24 e2 a5 cc 30 76 b4 d7 12 7f 78 43 26
> > ee b6 51 65 12 10 52 65 71 75 65 73 74 20 44 65
> > 6e 69 65 64
> > Code:       Access-Reject
> > Identifier: 36
> > Authentic:  1234567890123456
> > Attributes:
> >         Reply-Message = "Request Denied"
> >  
> > Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 40318 ....
> >  
> > Packet length = 103
> > 04 25 00 67 95 ed ae 14 5a ea 17 7f 97 2f 82 da
> > 4a c9 57 07 01 0f 73 74 65 70 68 65 6e 2e 6f 6c
> > 6c 69 73 06 06 00 00 00 02 04 06 cb 3f 9a 01 05
> > 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30 30 30
> > 30 31 32 33 34 28 06 00 00 00 01 1e 0b 31 32 33
> > 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33 32
> > 31 29 06 00 00 00 00
> > Code:       Accounting-Request
> > Identifier: 37
> > Authentic:
> > <149><237><174><20>Z<234><23><127><151>/<130><218>J<201>W<7>
> > Attributes:
> >         User-Name = "stephen.ollis"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         NAS-Port-Type = Async
> >         Acct-Session-Id = "00001234"
> >         Acct-Status-Type = Start
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         Acct-Delay-Time = 0
> >  
> > Fri Apr  2 16:25:51 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Fri Apr  2 16:25:51 2004: DEBUG:  Adding session for stephen.ollis, 203.63.154.1, 1234
> > Fri Apr  2 16:25:51 2004: DEBUG: Handling with Radius::AuthLDAP2:
> > Fri Apr  2 16:25:51 2004: DEBUG: Accounting accepted
> > Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 40318 ....
> >  
> > Packet length = 20
> > 05 25 00 14 17 3d 77 c6 4f 1a 4c 49 7e 53 14 e5
> > 04 49 1d 75
> > Code:       Accounting-Response
> > Identifier: 37
> > Authentic:
> > <149><237><174><20>Z<234><23><127><151>/<130><218>J<201>W<7>
> > Attributes:
> >  
> > Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 40318 ....
> >  
> > Packet length = 121
> > 04 26 00 79 86 83 91 37 85 3d 22 cc 6a ce bb 7e
> > 41 35 b8 00 01 0f 73 74 65 70 68 65 6e 2e 6f 6c
> > 6c 69 73 06 06 00 00 00 02 04 06 cb 3f 9a 01 05
> > 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30 30 30
> > 30 31 32 33 34 28 06 00 00 00 02 1e 0b 31 32 33
> > 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33 32
> > 31 29 06 00 00 00 00 2e 06 00 00 03 e8 2a 06 00
> > 00 4e 20 2b 06 00 00 75 30
> > Code:       Accounting-Request
> > Identifier: 38
> > Authentic:  <134><131><145>7<133>="<204>j<206><187>~A5<184><0>
> > Attributes:
> >         User-Name = "stephen.ollis"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         NAS-Port-Type = Async
> >         Acct-Session-Id = "00001234"
> >         Acct-Status-Type = Stop
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         Acct-Delay-Time = 0
> >         Acct-Session-Time = 1000
> >         Acct-Input-Octets = 20000
> >         Acct-Output-Octets = 30000
> >  
> > Fri Apr  2 16:25:51 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Fri Apr  2 16:25:51 2004: DEBUG:  Deleting session for stephen.ollis, 203.63.154.1, 1234
> > Fri Apr  2 16:25:51 2004: DEBUG: Handling with Radius::AuthLDAP2:
> > Fri Apr  2 16:25:51 2004: DEBUG: Accounting accepted
> > Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 40318 ....
> >  
> > Packet length = 20
> > 05 26 00 14 34 df f7 5b d6 4f ee 2e 0f df fa 63
> > e2 96 bd 88
> > Code:       Accounting-Response
> > Identifier: 38
> > Authentic:  <134><131><145>7<133>="<204>j<206><187>~A5<184><0>
> > Attributes:
> >  
> >  
> > Thanks
> >  
> > Stephen Ollis
> > Manager, Technology Services
> >  
> >  
> >  
> >  
> >
> > The material contained in this email may be confidential, and may also
> > be the subject of copyright and/or privileged information. If you are
> > not the intended recipient, any use, disclosure or copying of this
> > document is prohibited. If you have received this document in error,
> > please advise the sender and delete the document.
> >
> > This email communication does not create or vary any contractual
> > relationship between Hillsong Church and you. Internet communications
> > are not secure and accordingly Hillsong Church does not accept any
> > legal liability for the contents of this message.
> >
> > Please note that neither Hillsong Church nor the sender accepts any
> > responsibility for viruses and it is your responsibility to scan the
> > email and any attachments.
> >
> > Hillsong Church
> > www.hillsong.com
> >
> 
> NB: have you included a copy of your configuration file (no 
> secrets), together with a trace 4 debug showing what is happening?
> 
> --
> Radiator: the most portable, flexible and configurable RADIUS 
> server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, 
> extensible, flexible with hardware, software, platform and 
> database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
> 
> 
> 
> 
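
The failure in the quoted trace comes down to search scope. An LDAP subtree search only returns entries at or below the BaseDN, and an Active Directory group object has no entries beneath it: the user object lives under the OU, and the group only holds a list of member DNs (mirrored on the user as the memberOf back-link). So with the group DN as BaseDN the search for sAMAccountName=stephen.ollis legitimately finds nothing, which is exactly the "No entries for stephen.ollis found in LDAP database" line above. The usual fix is to keep the BaseDN at the OU (or a point above it) and put the group restriction into the search filter instead. The Python below is an added example written for this page, not code from the thread or from Radiator; the directory contents, the second user and the helper names are constructed for illustration. It also escapes the user name per RFC 4515 before it goes into the filter, because the User-Name in an Access-Request is attacker-controlled input that ends up inside an LDAP query.

```python
"""Group-DN-as-BaseDN failure mode, and the memberOf filter that replaces it.

Added example, not from the thread or from Radiator.  The directory below is
a constructed model of the layout implied by the quoted DNs; DN handling is
deliberately simple (split on commas) which is sufficient for these DNs.
"""

STAFF_OU = "OU=Staff,OU=Technology Services,DC=hillsong,DC=net"
DIALUP_GROUP = ("CN=All Hills Dialup Access,OU=Security Groups,OU=Servers,"
                "DC=hillsong,DC=net")

# Constructed sample entries: a user in the group, a user outside it, the group.
DIRECTORY = {
    "CN=Stephen Ollis," + STAFF_OU: {
        "objectClass": ["user"],
        "sAMAccountName": ["stephen.ollis"],
        "memberOf": [DIALUP_GROUP],          # back-link AD maintains for us
    },
    "CN=No Dialup," + STAFF_OU: {            # hypothetical second user
        "objectClass": ["user"],
        "sAMAccountName": ["no.dialup"],
        "memberOf": [],
    },
    DIALUP_GROUP: {
        "objectClass": ["group"],
        "member": ["CN=Stephen Ollis," + STAFF_OU],
    },
}


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies anywhere beneath it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value built from untrusted input."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def search_terms(username, group_dn=None, username_attr="sAMAccountName"):
    """Equality terms to AND together: the user, optionally group membership."""
    terms = [(username_attr, username)]
    if group_dn is not None:
        terms.append(("memberOf", group_dn))
    return terms


def render_filter(terms):
    """Render the terms as the filter string a real server would receive."""
    parts = "".join("(%s=%s)" % (attr, escape_filter_value(val))
                    for attr, val in terms)
    return "(&%s)" % parts if len(terms) > 1 else parts


def subtree_search(directory, base_dn, terms):
    """Subtree-scoped equality search with AD-style case-insensitive matching.

    Values are matched literally here; escaping matters for the rendered
    filter string sent to a real server, where '*' and ')' are syntax.
    """
    hits = []
    for dn, attrs in directory.items():
        if not in_subtree(dn, base_dn):
            continue
        if all(val.lower() in [v.lower() for v in attrs.get(attr, [])]
               for attr, val in terms):
            hits.append(dn)
    return hits


def find_user(username, base_dn, group_dn=None):
    """Look the RADIUS user up the way an LDAP auth module would."""
    return subtree_search(DIRECTORY, base_dn, search_terms(username, group_dn))


if __name__ == "__main__":
    print(find_user("stephen.ollis", STAFF_OU))                # found
    print(find_user("stephen.ollis", DIALUP_GROUP))            # [] nothing under a group
    print(find_user("stephen.ollis", STAFF_OU, DIALUP_GROUP))  # found, and in group
    print(find_user("no.dialup", STAFF_OU, DIALUP_GROUP))      # [] not in group
    print(render_filter(search_terms("stephen.ollis", DIALUP_GROUP)))
    print(render_filter(search_terms("*)(sAMAccountName=*")))  # injection neutralised
```

In Radiator the equivalent restriction belongs in the AuthBy LDAP2 SearchFilter parameter rather than in BaseDN (its default is (%0=%1), with %0 the UsernameAttr and %1 the user name, so the group variant is (&(%0=%1)(memberOf=<group DN>))); the exact parameter syntax should be checked against the reference manual for the version in use. Two caveats on memberOf: it does not list the user's primary group, and it does not follow nested group membership, so a user who is only a member via an intermediate group will be rejected.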


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

