(RADIATOR) AuthBy LSA
Terry Simons
galimore at mac.com
Tue Jan 13 23:20:19 CST 2004
Russell,
The bug you're referring to with OS X clients is simple to get around
and have PAP work.
Here's the deal:
When you set up your profile, *ONLY* edit the settings for that
connection *inside* the "Edit Configurations..." window.
If you create a connection, then change any of the settings in the
regular Internet Connect 802.1x window, it will prompt you if you want
to save the changes. If you say yes, the TTLS inner authentication
changes back to MSCHAPv2. As long as you only edit the profile inside
the Edit Configurations window, it won't switch back to MSCHAPv2. ;)
I reported this bug to Apple, but they haven't fixed it yet.
The problem with using MSCHAPv2 is that you need to have the passwords
on your server set up to be reversibly encrypted (on the AD, that is).
This is due to the way the MSCHAPv2 hash is calculated during
authentication. (The server has to have access to the clear text
password to calculate the MSCHAPv2 hash, which is different for every
authentication).
We have many students using TTLS->PAP with Panther, and we haven't had
any complaints. I also use it quite a bit.
The nice thing about TTLS->PAP is that you can leave your passwords
encrypted/hashed/whatever on the server and not have to worry about
that being a security vulnerability.
I've done extensive testing with Radiator and the Mac OS X Panther
client, so if you have any questions feel free to let me know.
- Terry
On Jan 13, 2004, at 8:33 PM, Russell Owen wrote:
> Hi All,
> Does anyone know if there is a way to get AuthBy LSA to act in a
> similar way to AuthBy ADSI against AD and also check group
> membership. I had this working perfectly with AuthBy ADSI and the
> GroupRequired command using PAP, but I now need to use MSCHAP-V2 due
> to a bug with OSX always defaulting to MSCHAP-v2.
>
> I have attached part of my config file. What I need to achieve is
> authentication against AD that checks group membership and
> assigns VLAN info (using AddToReply) based on group membership, that
> also uses TTLS-MSCHAPv2 (to get around a bug with the crappy OSX
> clients). The attached config works fine with AuthBy ADSI, but only
> when using TTLS-PAP. I need to somehow convert this to AuthBy LSA, so
> I can use TTLS-MSCHAPv2.
>
> Any assistance would be greatly appreciated.
> Russ.
>
>
> <Handler Client-Identifier=Wireless>
>     RejectHasReason
>     AuthByPolicy ContinueWhileReject
>     RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy ADSI>
>         Identifier Staff
>         EAPTLS_SessionResumption 0
>         AuthUser %0@intheforrest.wa.au
>         SearchAttribute userPrincipalName
>         BindString LDAP://ou=staff,dc=intheforrest,dc=wa,dc=au
>         GroupRequired CN=Staff
>         # AddToReply Cisco-AVpair="ssid=Staff"
>         AddToReply Tunnel-Type="VLAN" \
>             Tunnel-Medium-Type="802" \
>             Tunnel-Private-Group-ID="2"
>     </AuthBy>
>     <AuthBy ADSI>
>         Identifier Students
>         EAPTLS_SessionResumption 0
>         AuthUser %0@intheforrest.wa.au
>         SearchAttribute userPrincipalName
>         BindString LDAP://ou=students,dc=intheforrest,dc=wa,dc=au
>         GroupRequired CN=Students
>         # AddToReply Cisco-AVpair="ssid=Student"
>         AddToReply Tunnel-Type="VLAN" \
>             Tunnel-Medium-Type="802" \
>             Tunnel-Private-Group-ID="1"
>     </AuthBy>
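The point Terry makes about MSCHAPv2 and password storage comes straight out of how the NT-Response is built (RFC 2759). The following is an added Go example, not code from Radiator, Apple or anyone on this thread: it implements NtPasswordHash, ChallengeHash and ChallengeResponse and runs them against the RFC 2759 section 9.2 test vector (user "User", password "clientPass"). The MD4 routine is written inline because the Go standard library has none. What it shows is that the verifier needs the stored NT hash itself, which is an unsalted MD4 of the password and therefore a password equivalent; a server that only holds a salted, one-way hash cannot check an MSCHAPv2 response, whereas with TTLS-PAP the cleartext password arrives inside the TLS tunnel and can be checked against whatever hash the server keeps.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// MD4 (RFC 1320) round functions, additive constants, shifts and word order.
var md4F = [3]func(x, y, z uint32) uint32{
	func(x, y, z uint32) uint32 { return (x & y) | (^x & z) },
	func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) },
	func(x, y, z uint32) uint32 { return x ^ y ^ z },
}
var md4K = [3]uint32{0, 0x5a827999, 0x6ed9eba1}
var md4S = [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
var md4X = [3][16]int{
	{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
	{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15},
	{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15},
}

// md4 is a compact MD4; the Go standard library does not ship one.
func md4(data []byte) [16]byte {
	st := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	// Pad with 0x80, zeros to 56 mod 64, then the bit length as a little-endian uint64.
	msg := append(append(append([]byte{}, data...), 0x80), make([]byte, (119-len(data)%64)%64+8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		v := st
		for i := 0; i < 48; i++ { // 3 rounds x 16 steps; (a,b,c,d) rotate one slot per step
			r, a, b, c, d := i/16, (4-i%4)%4, (5-i%4)%4, (6-i%4)%4, (7-i%4)%4
			v[a] = bits.RotateLeft32(v[a]+md4F[r](v[b], v[c], v[d])+md4K[r]+x[md4X[r][i%16]], md4S[r][i%4])
		}
		st[0], st[1], st[2], st[3] = st[0]+v[0], st[1]+v[1], st[2]+v[2], st[3]+v[3]
	}
	var out [16]byte
	for i, w := range st {
		binary.LittleEndian.PutUint32(out[4*i:], w)
	}
	return out
}

// NtPasswordHash: unsalted MD4 over the UTF-16LE password (RFC 2759, 8.3).
func ntPasswordHash(password string) [16]byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	return md4(buf)
}

// ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8] (RFC 2759, 8.2).
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// desEncrypt spreads a 56-bit key over 8 bytes; the low bit of each byte is the DES parity bit, which the key schedule ignores.
func desEncrypt(k, clear []byte) []byte {
	key := []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
	block, _ := des.NewCipher(key) // only fails on a wrong key length, and ours is always 8
	out := make([]byte, 8)
	block.Encrypt(out, clear)
	return out
}

// ChallengeResponse: zero-pad the 16-byte hash to 21 bytes and use it as three DES keys over the challenge (RFC 2759, 8.5).
func challengeResponse(c []byte, pwHash [16]byte) []byte {
	z := append(pwHash[:], 0, 0, 0, 0, 0)
	return append(append(desEncrypt(z[:7], c), desEncrypt(z[7:14], c)...), desEncrypt(z[14:], c)...)
}

// Supplicant side: it has the cleartext password.
func generateNTResponse(auth, peer []byte, user, password string) []byte {
	return challengeResponse(challengeHash(peer, auth, user), ntPasswordHash(password))
}

// Server side: it needs the stored NT hash itself (a password equivalent), never a salted one.
func verifyNTResponse(auth, peer []byte, user string, ntHash [16]byte, resp []byte) bool {
	return subtle.ConstantTimeCompare(challengeResponse(challengeHash(peer, auth, user), ntHash), resp) == 1
}

func main() {
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628") // RFC 2759 9.2 test vector
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	resp := generateNTResponse(auth, peer, "User", "clientPass")
	fmt.Printf("NT-Response %X\nverified: %v\n", resp, verifyNTResponse(auth, peer, "User", ntPasswordHash("clientPass"), resp))
}
```

Note that verifyNTResponse never sees the password, only the NT hash, but that hash is all an attacker needs to impersonate the user, which is why it has to be protected like a password and why the server cannot get by with a salted, slow hash the way it can for PAP.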