(RADIATOR) Help with configure radius.cfg with eap and ldap

Hugh Irvine hugh at open.com.au
Thu Jan 15 17:09:58 CST 2004


Hello Andy -

Your configuration file is not correct - you should add an EAPType line 
to the AuthBy LDAP2 and remove the AuthBy FILE.

Something like this:

############  radius.cfg
#Trace 3
Trace 5
Foreground
LogDir /usr/local/radius/log
DbDir /usr/local/radius/etc
LogFile %L/log.radiusd.eap
PidFile %L/../run/radiusd.pid
AuthPort 1812
AcctPort 1813
<Client DEFAULT>
         Secret                  abcd1234dcba
         IgnoreAcctSignature
#       DefaultRealm            callid
</Client>

<Realm DEFAULT>
         RewriteUsername s/(.*)@.*$/$1/
         <AuthBy LDAP2>
                 NoDefault
                 Identifier      test-uid
                 Host            test.ldap.ucalgary.ca
                 Port            389
                 ServerChecksPassword    1
                 BaseDN          ou=test-uid,o=ucalgary.ca
                 Version         3
                 EAPType         MD5-Challenge
         </AuthBy>
         AcctLogFileName         %L/detail.eap
</Realm>

There are many other arrangements possible depending on your exact 
requirements.

regards

Hugh


On 16 Jan 2004, at 08:09, tudalat at shaw.ca wrote:

> Hi All:
>   I've been experimenting with EAP and LDAP and haven't been able to
> get it to work. I can however get
>   - LDAP to work successfully
>   - EAP to work using Radiator.3.7.1/goodies/eap_md5.cfg
>   Can anyone advise or point me to the right direction?
> Thanks in advance
>
> Andy Dalat
> tudalat at shaw.ca
>
> Attached are my radius.cfg, users and the log.radiusd
>
>
>
>
> ############  radius.cfg
> #Trace 3
> Trace 5
> Foreground
> LogDir /usr/local/radius/log
> DbDir /usr/local/radius/etc
> LogFile %L/log.radiusd.eap
> PidFile %L/../run/radiusd.pid
> AuthPort 1812
> AcctPort 1813
> <Client DEFAULT>
>         Secret                  abcd1234dcba
>         IgnoreAcctSignature
> #       DefaultRealm            callid
> </Client>
>
> <Realm DEFAULT>
>         RewriteUsername s/(.*)@.*$/$1/
>         AuthByPolicy ContinueAlways
>         <AuthBy LDAP2>
>                 NoDefault
>                 Identifier      test-uid
>                 Host            test.ldap.ucalgary.ca
>                 Port            389
>                 ServerChecksPassword    1
>                 BaseDN          ou=test-uid,o=ucalgary.ca
>                 Version         3
>         </AuthBy>
>         <AuthBy FILE>
>                 Filename        %D/users.switches2
>                 EAPType         MD5-Challenge
>         </AuthBy>
>         AcctLogFileName         %L/detail.eap
> </Realm>
>
> ###############    users.switches2
> DEFAULT         Auth-Type = "test-uid"
>                 Reply-Message = "switches:Permission granted"
>
>
> ###############    log.radiusd
>
> Code:       Access-Request
> Identifier: 51
> Authentic:  <164><206><177>Z?<148>"h<156><202>Z<198><251>QP<187>
> Attributes:
>         Framed-MTU = 1480
>         NAS-IP-Address = xxx.xxx.254.224
>         NAS-Identifier = "HP ProCurve Switch 2626"
>         User-Name = "tudalat"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         NAS-Port = 23
>         NAS-Port-Type = Ethernet
>         NAS-Port-Id = "23"
>         Called-Station-Id = "00-30-6e-ae-d1-29"
>         Calling-Station-Id = "00-d0-b7-70-8d-7c"
>         Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
>         Tunnel-Type = 0:13
>         Tunnel-Medium-Type = 0:Ether_802
>         Tunnel-Private-Group-ID = 1
>         EAP-Message = <2><4><0><11><1>tudalat
>         Message-Authenticator = R<238><13><225><183>)x<163>W<230><201><221><243>g<23>t
>
> Thu Jan 15 13:34:51 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Thu Jan 15 13:34:51 2004: DEBUG: Rewrote user name to tudalat
> Thu Jan 15 13:34:51 2004: DEBUG:  Deleting session for tudalat, xxx.xxx.254.224, 23
> Thu Jan 15 13:34:51 2004: DEBUG: Handling with Radius::AuthLDAP2: test-uid
> Thu Jan 15 13:34:51 2004: DEBUG: Handling with EAP: code 2, 4, 11
> Thu Jan 15 13:34:51 2004: DEBUG: Response type 1
> Thu Jan 15 13:34:51 2004: DEBUG: EAP result: 1, EAP authentication is not permitted.
> Thu Jan 15 13:34:51 2004: INFO: Access rejected for tudalat: EAP authentication is not permitted.
> Thu Jan 15 13:34:51 2004: DEBUG: Packet dump:
> *** Sending to 136.159.254.224 port 1024 ....
>
> Packet length = 36
> 03 33 00 24 a6 09 31 13 7c 13 99 68 88 df 77 b2
> 5b 3e 88 d7 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 51
> Authentic:  <164><206><177>Z?<148>"h<156><202>Z<198><251>QP<187>
> Attributes:
>         Reply-Message = "Request Denied"
>
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
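As an added example (not code from this thread, from Radiator or from Open System Consultants), the following Python decodes the two packets quoted in Andy's log: the Access-Reject hex dump and the EAP-Message attribute from the Access-Request. It also implements the RFC 2865 Response Authenticator so you can confirm that a logged reply was produced with the Secret from the posted radius.cfg. The packet constants are transcribed from the post; the function names, the dictionaries of codes and the round-trip builder are mine. Note that the EAP-Message as printed carries 12 octets while its Length field (and Radiator's "code 2, 4, 11" line) says 11, so the parser does what RFC 3748 requires, ignores the octet beyond Length, and reports it as padding rather than silently accepting it.

```python
"""Decode the RADIUS Access-Reject and EAP-Message quoted in the thread above.

Added example; not Radiator code. Packet constants are transcribed from the
posted log and radius.cfg, everything else illustrates RFC 2865 / RFC 3748.
"""
import hashlib
import hmac
import re
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 18: "Reply-Message", 79: "EAP-Message", 80: "Message-Authenticator"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

# Access-Reject hex dump exactly as printed in the posted log.radiusd.
LOGGED_REJECT_HEX = (
    "03 33 00 24 a6 09 31 13 7c 13 99 68 88 df 77 b2 "
    "5b 3e 88 d7 12 10 52 65 71 75 65 73 74 20 44 65 "
    "6e 69 65 64"
)
# Radiator prints non-printable octets as <decimal>; both strings are copied from the log.
LOGGED_REQUEST_AUTHENTICATOR = '<164><206><177>Z?<148>"h<156><202>Z<198><251>QP<187>'
LOGGED_EAP_MESSAGE = "<2><4><0><11><1>tudalat"
SHARED_SECRET = b"abcd1234dcba"  # the Secret in the posted radius.cfg


def radiator_bytes(text):
    """Convert Radiator's <decimal> dump notation back into raw bytes."""
    tokens = re.findall(r"<\d+>|.", text, re.S)
    return bytes(int(t[1:-1]) if t.startswith("<") else ord(t) for t in tokens)


def parse_radius(packet):
    """Parse a RADIUS packet (RFC 2865 section 3) into header fields and attributes."""
    if len(packet) < 20:
        raise ValueError("RADIUS header is 20 octets")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d does not match %d octets" % (length, len(packet)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:                       # not even room for Type and Length
            raise ValueError("truncated attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:        # RFC 2865 5: Length >= 2 and inside the packet
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((ATTR_NAMES.get(atype, atype), packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "length": length,
            "authenticator": packet[4:20], "attributes": attrs}


def parse_eap(message):
    """Parse one EAP packet (RFC 3748 section 4.1) carried in an EAP-Message attribute.

    Octets beyond the Length field are data-link padding and are ignored, as the RFC
    requires; their count is reported so a mismatch is visible instead of silent.
    """
    if len(message) < 4:
        raise ValueError("EAP header is 4 octets")
    code, ident, length = struct.unpack("!BBH", message[:4])
    if length > len(message):
        raise ValueError("EAP Length %d exceeds the %d octets present" % (length, len(message)))
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
              "padding": len(message) - length}
    if code in (1, 2) and length >= 5:             # Request/Response: Type octet, then type data
        result["type"] = EAP_TYPES.get(message[4], message[4])
        result["data"] = message[5:length]
    return result


def response_authenticator(packet, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()


def verify_response_authenticator(packet, request_authenticator, secret):
    """True when a server reply carries the authenticator this secret would produce."""
    expected = response_authenticator(packet, request_authenticator, secret)
    return hmac.compare_digest(packet[4:20], expected)


def build_access_reject(ident, request_authenticator, reply_message, secret):
    """Build an Access-Reject with one Reply-Message, authenticated like the logged one."""
    text = reply_message.encode()
    attrs = bytes([18, 2 + len(text)]) + text      # Reply-Message is attribute type 18
    header = struct.pack("!BBH", 3, ident, 20 + len(attrs))
    unsigned = header + bytes(16) + attrs          # authenticator slot is skipped by the MD5
    return header + response_authenticator(unsigned, request_authenticator, secret) + attrs


if __name__ == "__main__":
    reject = bytes.fromhex(LOGGED_REJECT_HEX)
    print(parse_radius(reject))
    print(parse_eap(radiator_bytes(LOGGED_EAP_MESSAGE)))
    req_auth = radiator_bytes(LOGGED_REQUEST_AUTHENTICATOR)
    # True only if the request authenticator transcribed from the log is exact.
    print("logged reply authenticated with posted Secret:",
          verify_response_authenticator(reject, req_auth, SHARED_SECRET))
```

Running it shows the reply as code 3 (Access-Reject), identifier 51, length 36, with a single Reply-Message of "Request Denied", matching the decoded dump in the log, and the EAP-Message as an Identity Response (code 2, id 4). The Response Authenticator check is what a NAS performs before trusting a reply; a mismatch on a capture usually means a wrong or mistyped Secret on one side, which is worth checking before looking at the AuthBy configuration.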
