(RADIATOR) RADIATOR and LDAP authentication problem

Hugh Irvine hugh at open.com.au
Thu Feb 5 18:17:20 CST 2004


Hello Paulo -

No, there is no way to encrypt the Site Administrator password in the
Radiator configuration file.

Perhaps you could try to use the "ServerChecksPassword" option?

See section 6.35.18 in the Radiator 3.8 reference manual  
("doc/ref.html").

regards

Hugh


On 6 Feb 2004, at 11:07, Paulo Valverde Costa wrote:

> Hello Hugh,
>
> the problem was that we had configured Radiator to go and look for the data
> in the LDAP with the user "Admin Tests (admin) ". teste.uminho.pt (at
> this time we only intended to do tests!)
>
> AuthDN cn=Admin Tests (admin),ou=People,dc=teste,dc=uminho,dc=pt,o=internet
> AuthPassword yyy-AdminTestePassword-yyy
> BaseDN dc=teste,dc=uminho,dc=pt,o=internet
> UsernameAttr mail
> PasswordAttr userPassword
>
> and this returned all of the fields, except the userPassword field.
>
> Then we modified this user to "Site Administrator". cc.uminho.pt, and
> then we had access to all of the fields.
>
> AuthDN cn=Site Administrator,ou=People,dc=cc,dc=uminho,dc=pt,o=internet
> AuthPassword xxx-AdminSitePassword-xxx
>
> On the other hand, the password comes in Base64, and not in SHA, as we
> were thinking.
>
> A security problem arises, because in Radiator we have to put the
> password of "Site Administrator". cc.uminho.pt in clear text.
>
> Is there some way of putting the password of the Site Administrator in
> encrypted form in the configuration file of RADIATOR?
>
> best regards and thanks,
> Paulo
>
> ----- Original Message -----
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Paulo Valverde Costa" <pcosta at ccom.uminho.pt>
> Cc: <radiator at open.com.au>
> Sent: Wednesday, February 04, 2004 9:50 PM
> Subject: Re: (RADIATOR) RADIATOR and LDAP authentication problem
>
>
>>
>> Hello Paulo -
>>
>> It looks to me like you have configured "User-Password" as the LDAP
>> field that contains the password, but it is not found.
>>
>> Are you sure that "User-Password" is correct?
>>
>> BTW - if you do not want the lookup for DEFAULT to occur you should add
>> "NoDefault" to the AuthBy clause:
>>
>> <AuthBy LDAP2>
>> .....
>> NoDefault
>> .....
>> </AuthBy>
>>
>> You will also have problems with passwords if the shared secrets
>> between the client device and the Client clause are not identical.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 4 Feb 2004, at 23:41, Paulo Valverde Costa wrote:
>>
>>> Hello,
>>>
>>> I'm testing authentication with Radiator 3.7.1 on Netscape Directory
>>> Server 4.0 (each on a separate server) and I have trouble with the
>>> authentication of VPN users (Cisco 3030 VPN Concentrator).
>>>
>>> This is a log of the RADIATOR:
>>>
>>> Wed Feb  4 12:00:36 2004: ERR: Attribute number 195 (vendor 3076) is not defined in your dictionary
>>> Wed Feb  4 12:00:36 2004: DEBUG: Packet dump:
>>> *** Received from 193.137.17.1 port 1040 ....
>>>
>>> Packet length = 112
>>> 01 26 00 70 d5 c5 f3 a4 71 14 ff 19 fe d5 19 7c
>>> 7e 54 ec ba 01 17 75 73 65 72 31 40 74 65 73 74
>>> 65 2e 75 6d 69 6e 68 6f 2e 70 74 02 12 17 fd 55
>>> 98 93 bf 6e fe 88 32 e5 dc d0 fc 2e a3 05 06 00
>>> 00 04 1c 06 06 00 00 00 02 07 06 00 00 00 01 42
>>> 0d 31 37 32 2e 31 39 2e 30 2e 34 31 1a 08 00 00
>>> 0c 04 c3 02 04 06 c1 89 11 01 3d 06 00 00 00 05
>>> Code:       Access-Request
>>> Identifier: 38
>>> Authentic:
>>> <213><197><243><164>q<20><255><25><254><213><25>|~T<236><186>
>>> Attributes:
>>>         User-Name = "user1 at teste.uminho.pt"
>>>         User-Password = "<23><253>U<152><147><191>n<254><136>2<229><220><208><252>.<163>"
>>>         NAS-Port = 1052
>>>         Service-Type = Framed
>>>         Framed-Protocol = PPP
>>>         Tunnel-Client-Endpoint = 172.19.0.41
>>>         NAS-IP-Address = 193.137.17.1
>>>         NAS-Port-Type = Virtual
>>>
>>> Wed Feb  4 12:00:36 2004: DEBUG: Handling request with Handler 'Realm=/uminho.pt$/'
>>> Wed Feb  4 12:00:36 2004: DEBUG:  Deleting session for user1 at teste.uminho.pt, 193.137.17.1, 1052
>>> Wed Feb  4 12:00:36 2004: DEBUG: Handling with Radius::AuthLDAP2: ldap_auth
>>> Wed Feb  4 12:00:36 2004: INFO: Connecting to 193.137.16.145, port 389
>>> Wed Feb  4 12:00:36 2004: INFO: Attempting to bind to LDAP server 193.137.16.145:389)
>>> Wed Feb  4 12:00:36 2004: DEBUG: LDAP got result for cn=Utilizador Um (user1),ou=people,dc=teste,dc=uminho,dc=pt,o=internet
>>> Wed Feb  4 12:00:36 2004: DEBUG: LDAP got businessCategory: funcionarios
>>> Wed Feb  4 12:00:36 2004: ERR: There was no password attribute found for user1 at teste.uminho.pt. Check your LDAP database.
>>> Wed Feb  4 12:00:36 2004: DEBUG: Radius::AuthLDAP2 looks for match with user1 at teste.uminho.pt
>>> Wed Feb  4 12:00:36 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password
>>> Wed Feb  4 12:00:36 2004: INFO: Connecting to 193.137.16.145, port 389
>>> Wed Feb  4 12:00:36 2004: INFO: Attempting to bind to LDAP server 193.137.16.145:389)
>>> Wed Feb  4 12:00:36 2004: DEBUG: No entries for DEFAULT found in LDAP database
>>> Wed Feb  4 12:00:36 2004: INFO: Access rejected for user1 at teste.uminho.pt: Bad Encrypted password
>>> Wed Feb  4 12:00:36 2004: DEBUG: Packet dump:
>>> *** Sending to 193.137.17.1 port 1040 ....
>>>
>>> Packet length = 44
>>> 03 26 00 2c 99 41 84 17 50 92 cb 55 c7 eb c9 5d
>>> b5 c2 a7 a5 12 18 42 61 64 20 45 6e 63 72 79 70
>>> 74 65 64 20 70 61 73 73 77 6f 72 64
>>> Code:       Access-Reject
>>> Identifier: 38
>>> Authentic:
>>> <213><197><243><164>q<20><255><25><254><213><25>|~T<236><186>
>>> Attributes:
>>>         Reply-Message = "Bad Encrypted password"
>>>
>>> Is this a problem of the password attribute not existing, or of the "Bad
>>> Encrypted password"?
>>>
>>>
>>> I'm sure of my password, and I don't understand why Radiator rejects
>>> my requests.
>>>
>>>
>>> How can I get past this problem?
>>>
>>>
>>> An excerpt of my Radius conf. file is:
>>>
>>> ...
>>> <AuthBy LDAP2>
>>>   AutoMPPEKeys
>>>   AuthDN cn=Admin Teste (admin),ou=People,dc=teste,dc=uminho,dc=pt,o=internet
>>>   AuthPassword teste
>>>   BaseDN dc=teste,dc=uminho,dc=pt,o=internet
>>>   Description Autenticador por LDAP
>>>   Host 172.16.172.20
>>>   Identifier ldap_auth
>>>   PasswordAttr User-Password
>>> #  EncryptedPasswordAttr Encrypted-Password
>>> #  EncryptedPasswordAttr User-Password
>>> #  EncryptedPasswordAttr userPassword
>>> #  PasswordAttr userPassword
>>> #  PasswordAttr Password
>>> # PasswordAttr User-Password
>>>   AuthAttrDef businessCategory, Class, reply
>>>   Port 389
>>>   UsernameAttr mail
>>> </AuthBy>
>>>
>>> ....
>>>
>>>
>>> best regards,
>>> paulo
>>>
>>> -----------------------------------------------------------------------
>>> Paulo J. Valverde V. Costa
>>> Centro de Comunicações - Campus de Gualtar - Universidade do Minho
>>> 4710-057 Braga, PORTUGAL
>>> Tel.: + 351 253 604023; Fax: + 351 253 604021
>>> e-mail: pcosta at ccom.uminho.pt
>>> http://www.ccom.uminho.pt
>>>
>>>
>>> ===
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> -- 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?


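Paulo's remark above that userPassword "comes in Base64, and not in SHA" describes the usual RFC 2307 storage form: the attribute holds a scheme tag such as {SHA} or {SSHA} followed by the base64 of the raw digest (plus salt for SSHA), so the value is both. The Python below is an added illustration of how such a value is checked, not code from this thread or from Radiator, and its function names are the example's own. It also shows why Hugh's ServerChecksPassword suggestion sidesteps the issue: if the server binds as the user, it never needs to read the hash, so the configured AuthDN needs no rights to userPassword.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# RFC 2307 style values as stored in the LDAP userPassword attribute.
# "{SHA}" is base64(sha1(password)); "{SSHA}" is base64(sha1(password+salt)+salt).
# Note that the attribute name is userPassword, not the RADIUS attribute
# name User-Password that appeared in the original PasswordAttr setting.

def make_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Build a userPassword value (used here only to construct test data)."""
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError("unsupported scheme")

def check_userpassword(stored: str, candidate: str) -> bool:
    """Verify a plaintext candidate against a stored userPassword value.

    Returns False (never raises) for unknown schemes or malformed values,
    so a bad directory entry can never be mistaken for a successful login.
    """
    pw = candidate.encode("utf-8")
    if not stored.startswith("{"):
        # No scheme prefix: the directory stores the password in cleartext.
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    end = stored.find("}")
    if end < 0:
        return False
    scheme = stored[1:end].upper()
    try:
        blob = base64.b64decode(stored[end + 1:], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if scheme == "SHA":
        return len(blob) == 20 and hmac.compare_digest(hashlib.sha1(pw).digest(), blob)
    if scheme == "SSHA":
        if len(blob) <= 20:
            return False
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False  # unsupported scheme: reject rather than guess
```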

