(RADIATOR) AuthBy LSA

Russell Owen rowen at solutionsit.com.au
Tue Jan 13 23:45:54 CST 2004


 
Excellent, that seems to work quite nicely. Thanks.
 
Another problem I am noticing (this is more of an Apple thing, but I'll post it here since the ball is already rolling) is that if I log in as User1 (who is an administrative user) and create the connection to the 802.1x network and leave the username and password blank (I need the Mac to prompt for a username and password before connecting), connect to the network and log off, then log back in as User2 (who is not an administrative user) I am never prompted for a Username or password to connect to the 802.1x network (I think this may be related to the other bug you mentioned) as a different user. If I open the "Internet Connect" menu, the 802.1x box is not available to connect or disconnect the network.
 
I need this to work as we have a client in a school environment who has different students using the laptops at different times. We need each student to log onto the network using their own credentials so we can keep track of who is using what...
 
Any suggestions on how to get this one worked out?
 
Again, Thanks for your help.
Russ.

________________________________

From: Terry Simons [mailto:galimore at mac.com]
Sent: Wed 14/01/2004 1:20 PM
To: Russell Owen
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) AuthBy LSA


Russell, 

The bug you're referring to with OS X clients is simple to get around and have PAP work. 

Here's the deal: 

When you set up your profile, *ONLY* edit the settings for that connection *inside* the "Edit Configurations..." window. 

If you create a connection, then change any of the settings in the regular Internet Connect 802.1x window, it will prompt you if you want to save the changes. If you say yes, the TTLS inner authentication changes back to MSCHAPv2. As long as you only edit the profile inside the Edit Configurations window, it won't switch back to MSCHAPv2. ;)

I reported this bug to Apple, but they haven't fixed it yet. 

The problem with using MSCHAPv2 is that you need to have the passwords on your server set up to be reversibly encrypted (on the AD, that is). This is due to the way the MSCHAPv2 hash is calculated during authentication. (The server has to have access to the clear text password to calculate the MSCHAPv2 hash, which is different for every authentication). 

We have many students using TTLS->PAP with Panther, and we haven't had any complaints. I also use it quite a bit. 

The nice thing about TTLS->PAP is that you can leave your passwords encrypted/hashed/whatever on the server and not have to worry about that being a security vulnerability. 

I've done extensive testing with Radiator and the Mac OS X Panther client, so if you have any questions feel free to let me know. 

- Terry 

On Jan 13, 2004, at 8:33 PM, Russell Owen wrote: 


	Hi All, 
	Does anyone know if there is a way to get AuthBy LSA to act in a similar method to AuthBy ADSI against AD and also check group membership? I had this working perfectly with AuthBy ADSI and the GroupRequired command using PAP, but I now need to use MSCHAP-V2 due to a bug with OSX always defaulting to MSCHAP-v2.
	I have attached part of my config file. What I need to achieve is authentication against AD that checks group membership and assigns VLAN info (using AddToReply) based on group membership, that also uses TTLS-MSCHAPv2 (to get around a bug with the crappy OSX clients). The attached config works fine with AuthBy ADSI, but only when using TTLS-PAP. I need to somehow convert this to AuthBy LSA, so I can use TTLS-MSCHAPv2.
	Any assistance would be greatly appreciated.
	Russ. 
	<Handler Client-Identifier=Wireless>
	 RejectHasReason
	 AuthByPolicy ContinueWhileReject
	 RewriteUsername s/^([^@]+).*/$1/
	 <AuthBy ADSI>
	  Identifier    Staff
	  EAPTLS_SessionResumption        0
	  AuthUser     %0@intheforrest.wa.au
	  SearchAttribute     userPrincipalName
	  BindString   LDAP://ou=staff,dc=intheforrest,dc=wa,dc=au
	  GroupRequired   CN=Staff
	#  AddToReply   Cisco-AVpair="ssid=Staff"
	  AddToReply   Tunnel-Type="VLAN" \
	      Tunnel-Medium-Type="802" \
	      Tunnel-Private-Group-ID="2"
	 </AuthBy>
	 <AuthBy ADSI>
	  Identifier    Students
	  EAPTLS_SessionResumption        0
	  AuthUser     %0@intheforrest.wa.au
	  SearchAttribute     userPrincipalName
	  BindString   LDAP://ou=students,dc=intheforrest,dc=wa,dc=au
	  GroupRequired   CN=Students
	#  AddToReply   Cisco-AVpair="ssid=Student"
	  AddToReply   Tunnel-Type="VLAN" \
	      Tunnel-Medium-Type="802" \
	      Tunnel-Private-Group-ID="1"
	 </AuthBy>
	</Handler>
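
Added example, not part of the original thread and not Radiator or Apple code: the password-storage trade-off Terry describes between TTLS-PAP and a challenge-response inner method, sketched in Python. A simplified HMAC challenge-response stands in for MSCHAPv2 (it is not the real algorithm), and the function names and sample password are assumptions made up for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for the sample store


def pap_enroll(password):
    """TTLS-PAP back end: keep only a salted, slow, one-way hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def pap_verify(record, presented):
    """PAP inside the TLS tunnel delivers the password, so the server re-hashes it."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def cr_enroll(password):
    """Challenge-response: both ends must derive the same key from the password
    alone, so the server cannot store it behind a per-user random salt."""
    return hashlib.sha256(password.encode()).digest()


def cr_response(key, challenge):
    """Response depends on the challenge, so it differs on every authentication."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def cr_verify(stored_key, challenge, response):
    return hmac.compare_digest(cr_response(stored_key, challenge), response)


def demo():
    password = "constructed-sample-password"  # constructed sample value
    pap_record, server_key = pap_enroll(password), cr_enroll(password)
    client_key = cr_enroll(password)
    c1, c2 = os.urandom(16), os.urandom(16)
    return {
        "pap_ok": pap_verify(pap_record, password),
        "pap_wrong_password": pap_verify(pap_record, "wrong"),
        "cr_ok": cr_verify(server_key, c1, cr_response(client_key, c1)),
        "responses_differ": cr_response(client_key, c1) != cr_response(client_key, c2),
        # A server holding only the salted hash cannot check the response.
        "cr_with_salted_hash": cr_verify(pap_record[1], c1, cr_response(client_key, c1)),
        # The stored PAP record is not itself accepted as a password.
        "record_as_password": pap_verify(pap_record, pap_record[1].hex()),
    }
```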
