(RADIATOR) RADIATOR and LDAP authentication problem

Paulo Valverde Costa pcosta at ccom.uminho.pt
Thu Feb 5 18:07:02 CST 2004


Hello Hugh,

the problem was that we had configured Radiator to look for the data in the
LDAP with the user "Admin Tests (admin)" of teste.uminho.pt (at that time we
were only doing tests!)

AuthDN cn=Admin Tests (admin),ou=People,dc=teste,dc=uminho,dc=pt,o=internet
AuthPassword yyy-AdminTestePassword-yyy
BaseDN dc=teste,dc=uminho,dc=pt,o=internet
UsernameAttr mail
PasswordAttr userPassword

and this returned all of the fields except the userPassword field.

Then we changed this user to "Site Administrator" of cc.uminho.pt, and now
we have access to all of the fields.

AuthDN cn=Site Administrator,ou=People,dc=cc,dc=uminho,dc=pt,o=internet
AuthPassword xxx-AdminSitePassword-xxx

On the other hand, the password comes in Base64, and not in SHA, as we had
thought.

A security problem arises, because in Radiator we have to put the password of
"Site Administrator" of cc.uminho.pt in clear text.

Is there some way of putting the site Administrator's password in encrypted
form in the RADIATOR configuration file?

best regards and thanks,
Paulo

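As an added example (my code, not Radiator's and not part of this thread): the check a RADIUS server has to do when the directory hands it a hashed userPassword in RFC 2307 form. A {SHA} or {MD5} value is the base64 encoding of the raw digest, {SSHA} and {SMD5} append a random salt after the digest, and an unprefixed value is clear text; verification means hashing the candidate the same way and comparing digests, never decoding the stored value back to a password. In the Radiator configuration quoted further down, PasswordAttr names an attribute holding a clear-text password, while EncryptedPasswordAttr names one holding a hashed value of this kind. Whether the bind DN may read userPassword at all is decided by the directory's access controls (ACIs on Netscape Directory Server), which is the first thing to check when a lookup returns every attribute except userPassword. The sample values below are constructed; the {SHA} hash is the well-known value for the string "password".

```python
"""Verify a candidate password against an RFC 2307-style LDAP userPassword
value ({SHA}, {SSHA}, {MD5}, {SMD5}, or unprefixed clear text).

Added example; not Radiator code. All inputs below are constructed.
"""
import base64
import hashlib
import hmac
import os


def _scheme_and_payload(stored):
    """Split "{SCHEME}payload" into (SCHEME, payload); no prefix means clear text."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 0:
            return stored[1:end].upper(), stored[end + 1:]
    return "CLEAR", stored


def make_hashed_password(password, scheme="SSHA", salt=None):
    """Produce a stored value the way a directory (or an admin tool) would."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if scheme in ("SSHA", "SMD5"):
        salt = os.urandom(8) if salt is None else salt
        h = hashlib.sha1 if scheme == "SSHA" else hashlib.md5
        blob = h(pw + salt).digest() + salt  # digest first, then the salt
        return "{%s}" % scheme + base64.b64encode(blob).decode()
    raise ValueError("unsupported scheme " + scheme)


def verify_password(stored, candidate):
    """Return True if candidate matches the stored userPassword value."""
    scheme, payload = _scheme_and_payload(stored)
    cand = candidate.encode("utf-8")
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return False
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(cand).digest())
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(cand).digest())
    if scheme in ("SSHA", "SMD5"):
        h = hashlib.sha1 if scheme == "SSHA" else hashlib.md5
        dlen = h().digest_size
        if len(raw) <= dlen:  # salted form must carry at least one salt byte
            return False
        digest, salt = raw[:dlen], raw[dlen:]
        return hmac.compare_digest(digest, h(cand + salt).digest())
    return False  # unknown scheme: reject rather than guess


# Constructed sample values (the {SHA} one is the known hash of "password").
SAMPLES = {
    "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=": "password",
    make_hashed_password("s3cret", "SSHA"): "s3cret",
    make_hashed_password("s3cret", "SMD5", salt=b"saltsalt"): "s3cret",
    "plaintext-in-directory": "plaintext-in-directory",
}


def check_samples():
    """Each sample verifies with its password and fails with a wrong one."""
    return all(verify_password(s, p) and not verify_password(s, p + "x")
               for s, p in SAMPLES.items())


if __name__ == "__main__":
    for stored, pw in SAMPLES.items():
        print(stored, "->", verify_password(stored, pw))
```

The comparison uses hmac.compare_digest so that a mismatch does not leak how many leading bytes matched; a malformed base64 payload or an unknown scheme is treated as a failed check rather than an error the caller might mistake for "no password set".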
----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Paulo Valverde Costa" <pcosta at ccom.uminho.pt>
Cc: <radiator at open.com.au>
Sent: Wednesday, February 04, 2004 9:50 PM
Subject: Re: (RADIATOR) RADIATOR and LDAP authentication problem


>
> Hello Paulo -
>
> It looks to me like you have configured "User-Password" as the LDAP
> field that contains the password, but it is not found.
>
> Are you sure that "User-Password" is correct?
>
> BTW - if you do not want the lookup for DEFAULT to occur you should add
> "NoDefault" to the AuthBy clause:
>
> <AuthBy LDAP2>
> .....
> NoDefault
> .....
> </AuthBy>
>
> You will also have problems with passwords if the shared secrets
> between the client device and the Client clause are not identical.
>
> regards
>
> Hugh
>
>
> On 4 Feb 2004, at 23:41, Paulo Valverde Costa wrote:
>
> > Hello,
> >
> > I'm testing authentication with Radiator 3.7.1 on Netscape Directory
> > Server 4.0 (each on a separate server) and I have trouble with the
> > authentication of VPN users (Cisco 3030 VPN Concentrator).
> >
> > This is a log of the RADIATOR:
> >
> > Wed Feb  4 12:00:36 2004: ERR: Attribute number 195 (vendor 3076) is not defined in your dictionary
> > Wed Feb  4 12:00:36 2004: DEBUG: Packet dump:
> > *** Received from 193.137.17.1 port 1040 ....
> >
> > Packet length = 112
> > 01 26 00 70 d5 c5 f3 a4 71 14 ff 19 fe d5 19 7c
> > 7e 54 ec ba 01 17 75 73 65 72 31 40 74 65 73 74
> > 65 2e 75 6d 69 6e 68 6f 2e 70 74 02 12 17 fd 55
> > 98 93 bf 6e fe 88 32 e5 dc d0 fc 2e a3 05 06 00
> > 00 04 1c 06 06 00 00 00 02 07 06 00 00 00 01 42
> > 0d 31 37 32 2e 31 39 2e 30 2e 34 31 1a 08 00 00
> > 0c 04 c3 02 04 06 c1 89 11 01 3d 06 00 00 00 05
> > Code:       Access-Request
> > Identifier: 38
> > Authentic:
> > <213><197><243><164>q<20><255><25><254><213><25>|~T<236><186>
> > Attributes:
> >         User-Name = "user1 at teste.uminho.pt"
> >         User-Password =
> > "<23><253>U<152><147><191>n<254><136>2<229><220><208><252>.<163>"
> >         NAS-Port = 1052
> >         Service-Type = Framed
> >         Framed-Protocol = PPP
> >         Tunnel-Client-Endpoint = 172.19.0.41
> >         NAS-IP-Address = 193.137.17.1
> >         NAS-Port-Type = Virtual
> >
> > Wed Feb  4 12:00:36 2004: DEBUG: Handling request with Handler 'Realm=/uminho.pt$/'
> > Wed Feb  4 12:00:36 2004: DEBUG:  Deleting session for user1 at teste.uminho.pt, 193.137.17.1, 1052
> > Wed Feb  4 12:00:36 2004: DEBUG: Handling with Radius::AuthLDAP2: ldap_auth
> > Wed Feb  4 12:00:36 2004: INFO: Connecting to 193.137.16.145, port 389
> > Wed Feb  4 12:00:36 2004: INFO: Attempting to bind to LDAP server 193.137.16.145:389)
> > Wed Feb  4 12:00:36 2004: DEBUG: LDAP got result for cn=Utilizador Um (user1),ou=people,dc=teste,dc=uminho,dc=pt,o=internet
> > Wed Feb  4 12:00:36 2004: DEBUG: LDAP got businessCategory: funcionarios
> > Wed Feb  4 12:00:36 2004: ERR: There was no password attribute found for user1 at teste.uminho.pt. Check your LDAP database.
> > Wed Feb  4 12:00:36 2004: DEBUG: Radius::AuthLDAP2 looks for match with user1 at teste.uminho.pt
> > Wed Feb  4 12:00:36 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password
> > Wed Feb  4 12:00:36 2004: INFO: Connecting to 193.137.16.145, port 389
> > Wed Feb  4 12:00:36 2004: INFO: Attempting to bind to LDAP server 193.137.16.145:389)
> > Wed Feb  4 12:00:36 2004: DEBUG: No entries for DEFAULT found in LDAP database
> > Wed Feb  4 12:00:36 2004: INFO: Access rejected for user1 at teste.uminho.pt: Bad Encrypted password
> > Wed Feb  4 12:00:36 2004: DEBUG: Packet dump:
> > *** Sending to 193.137.17.1 port 1040 ....
> >
> > Packet length = 44
> > 03 26 00 2c 99 41 84 17 50 92 cb 55 c7 eb c9 5d
> > b5 c2 a7 a5 12 18 42 61 64 20 45 6e 63 72 79 70
> > 74 65 64 20 70 61 73 73 77 6f 72 64
> > Code:       Access-Reject
> > Identifier: 38
> > Authentic:
> > <213><197><243><164>q<20><255><25><254><213><25>|~T<236><186>
> > Attributes:
> >         Reply-Message = "Bad Encrypted password"
> >
> >
> >
> >
> >
> > Is this a problem of the non-existence of the password attribute, or of
> > the "Bad Encrypted password"?
> >
> >
> > I'm sure of my password, and I don't understand why Radiator rejects my
> > requests.
> >
> >
> > How can I get past this problem?
> >
> >
> > An excerpt of my Radius conf. file is:
> >
> > ...
> > <AuthBy LDAP2>
> >   AutoMPPEKeys
> >   AuthDN cn=Admin Teste
> > (admin),ou=People,dc=teste,dc=uminho,dc=pt,o=internet
> >   AuthPassword teste
> >   BaseDN dc=teste,dc=uminho,dc=pt,o=internet
> >   Description Autenticador por LDAP
> >   Host 172.16.172.20
> >   Identifier ldap_auth
> >   PasswordAttr User-Password
> > #  EncryptedPasswordAttr Encrypted-Password
> > #  EncryptedPasswordAttr User-Password
> > #  EncryptedPasswordAttr userPassword
> > #  PasswordAttr userPassword
> > #  PasswordAttr Password
> > # PasswordAttr User-Password
> >   AuthAttrDef businessCategory, Class, reply
> >   Port 389
> >   UsernameAttr mail
> > </AuthBy>
> >
> > ....
> >
> >
> > best regards,
> > paulo
> >
> > ----------------------------------------------------------------------------
> > Paulo J. Valverde V. Costa
> > Centro de Comunicações - Campus de Gualtar - Universidade do Minho
> > 4710-057 Braga, PORTUGAL
> > Tel.: + 351 253 604023; Fax: + 351 253 604021
> > e-mail: pcosta at ccom.uminho.pt
> > http://www.ccom.uminho.pt
> >
> > ----------------------------------------------------------------------------
> > "Few things are harder to put up with than the annoyance of a good
> > example."
> >                       Mark Twain (1835-1910);
> > ----------------------------------------------------------------------------
> >
> > This email is confidential. If you are not the intended recipient,
> > you must not disclose or use the information contained in it.
> > If you have received this mail in error, please tell us
> > immediately by return email and delete the document.
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
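The shared-secret point Hugh makes above is worth seeing in code. In an Access-Request the NAS does not send the password in the clear: RFC 2865 section 5.2 XORs each 16-byte block of the NUL-padded password with MD5(secret + Request Authenticator) (and, for later blocks, MD5(secret + previous ciphertext block)). The server reverses the same operation with its own copy of the secret, so if the secret in the Client clause differs from the one on the NAS, the server recovers 16 bytes of noise and compares that against the directory password, which is exactly how a typo in a shared secret surfaces as a "Bad Encrypted password" rejection. The following is an added example of mine, not Radiator code and not from the thread. The two CAPTURED_ constants are the Request Authenticator and User-Password value taken verbatim from the packet dump in the quoted log; the shared secret is not on the page, so they cannot actually be unhidden here, and the secrets used in demo() are constructed.

```python
"""RFC 2865 section 5.2 User-Password hiding, NAS side and server side.

Added example; not Radiator code. Secrets and passwords below are constructed.
"""
import hashlib
import os


def _xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password, secret, authenticator):
    """NAS side: clear password -> hidden attribute value (multiple of 16 bytes)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    pw = password.encode("utf-8")
    if not 1 <= len(pw) <= 128:
        raise ValueError("password must be 1..128 bytes")
    pw += b"\x00" * (-len(pw) % 16)  # pad with NULs to a 16-byte boundary
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = _xor16(pw[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # next keystream block is keyed by this ciphertext block
    return out


def reveal_user_password(hidden, secret, authenticator):
    """Server side: hidden attribute value -> password bytes, NUL padding stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def looks_like_password(plain):
    """Operator heuristic on the unhidden bytes: the right secret yields
    printable text, a wrong secret yields control/high-bit noise."""
    return len(plain) > 0 and all(0x20 <= b < 0x7F for b in plain)


# Copied from the Access-Request dump in the quoted log (id 38, length 112):
# bytes 4..19 are the Request Authenticator, attribute type 2 carries the
# 16-byte hidden User-Password. The real shared secret is unknown.
CAPTURED_AUTHENTICATOR = bytes.fromhex("d5c5f3a47114ff19fed5197c7e54ecba")
CAPTURED_USER_PASSWORD = bytes.fromhex("17fd559893bf6efe8832e5dcd0fc2ea3")


def demo():
    """Hide with the NAS secret, unhide with the right and a mistyped secret."""
    auth = os.urandom(16)                 # a fresh Request Authenticator
    nas_secret = b"nas-and-server-agree"  # constructed
    hidden = hide_user_password("correct horse", nas_secret, auth)
    good = reveal_user_password(hidden, nas_secret, auth)
    bad = reveal_user_password(hidden, b"server-has-a-typo", auth)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("matching secret :", good, looks_like_password(good))
    print("mismatched secret:", bad, looks_like_password(bad))
    # With a placeholder secret the captured value comes out as noise too:
    guess = reveal_user_password(CAPTURED_USER_PASSWORD, b"placeholder",
                                 CAPTURED_AUTHENTICATOR)
    print("captured packet, placeholder secret:", guess, looks_like_password(guess))
```

Note what this construction does and does not give you: the hiding is keyed only by the shared secret and a 16-byte authenticator that travels in the clear, so anyone holding a capture and the secret (or able to guess it offline) recovers the password, which is why RADIUS over an untrusted network needs IPsec or RadSec around it. On the diagnostic side, a secret mismatch never produces an error from the unhiding step itself; it only shows up later as a failed password comparison, so when a correct password is rejected with "Bad Encrypted password" the Client clause secret is the first thing to compare with the NAS.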
