(RADIATOR) Help with configure radius.cfg with eap and ldap
tudalat at shaw.ca
Fri Jan 16 14:35:26 CST 2004
----- Original Message -----
From: Hugh Irvine <hugh at open.com.au>
Date: Thursday, January 15, 2004 4:09 pm
Subject: Re: (RADIATOR) Help with configure radius.cfg with eap and ldap
>
> Hello Andy -
>
Hi Hugh:
Thanks for your prompt reply.
> Your configuration file is not correct - you should add an EAPType
> line
> to the AuthBy LDAP2 and remove the AuthBy FILE.
>
> Something like this:
>
> ############ radius.cfg
> #Trace 3
> Trace 5
> Foreground
> LogDir /usr/local/radius/log
> DbDir /usr/local/radius/etc
> LogFile %L/log.radiusd.eap
> PidFile %L/../run/radiusd.pid
> AuthPort 1812
> AcctPort 1813
> <Client DEFAULT>
> Secret abcd1234dcba
> IgnoreAcctSignature
> # DefaultRealm callid
> </Client>
>
> <Realm DEFAULT>
> RewriteUsername s/(.*)@.*$/$1/
> <AuthBy LDAP2>
> NoDefault
> Identifier test-uid
> Host test.ldap.ucalgary.ca
> Port 389
> ServerChecksPassword 1
> BaseDN ou=test-uid,o=ucalgary.ca
> Version 3
> EAPType MD5-Challenge
> </AuthBy>
> AcctLogFileName %L/detail.eap
> </Realm>
>
I have tried the above with no success. Included below are the
two logs, one failed attempt using your suggested .cfg and one successful
with EAP using local users file.
> There are many other arrangements possible depending on your exact
> requirements.
Is there any more detailed document on "other arrangements"? At this point,
I just want to open a port if ldap's userid/passwd query is successful.
Does anyone have a working example .CFG of EAP and LDAP that I can borrow?
Thank you all.
I am using:
radiator 3.7.1/3.8
perl v5.8.2
openssl-0.9.7a-20
## log.radiusd for failed attempt with ldap and eap
##
Fri Jan 16 11:42:14 2004: DEBUG: Packet dump:
*** Received from xxx.xxx.254.224 port 1024 ....
Code: Access-Request
Identifier: 247
Authentic: <207>T<171>5<225><220>n<25><181><211><170><246><146><248><12>P
Attributes:
Framed-MTU = 1480
NAS-IP-Address = xxx.xxx.254.224
NAS-Identifier = "HP ProCurve Switch 2626"
User-Name = "tudalat"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 23
NAS-Port-Type = Ethernet
NAS-Port-Id = "23"
Called-Station-Id = "00-30-6e-ae-d1-29"
Calling-Station-Id = "00-d0-b7-70-8d-7c"
Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
Tunnel-Type = 0:13
Tunnel-Medium-Type = 0:Ether_802
Tunnel-Private-Group-ID = 1
EAP-Message = <2><2><0><28><4><16>y:<156><152>n<160><19><157><147><245>Y<140>x<29>u<242>tudalat
Message-Authenticator = /a1u<204><8><206><12>t<203><242><178>E<22><246>"
Fri Jan 16 11:42:14 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Jan 16 11:42:14 2004: DEBUG: Rewrote user name to tudalat
Fri Jan 16 11:42:14 2004: DEBUG: Deleting session for tudalat, xxx.xxx.254.224, 23
Fri Jan 16 11:42:14 2004: DEBUG: Handling with Radius::AuthLDAP2: test-uid
Fri Jan 16 11:42:14 2004: DEBUG: Handling with EAP: code 2, 2, 28
Fri Jan 16 11:42:14 2004: DEBUG: Response type 4
Fri Jan 16 11:42:14 2004: DEBUG: Connecting to failover.ldap.ucalgary.ca, port 389
Fri Jan 16 11:42:14 2004: DEBUG: LDAP2 got result for uid=tudalat,ou=test-uid,o=ucalgary.ca
Fri Jan 16 11:42:14 2004: DEBUG: LDAP2 rejected password for tudalat
Fri Jan 16 11:42:14 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
Fri Jan 16 11:42:14 2004: DEBUG: EAP result: 1, EAP MD5-Challenge failed
Fri Jan 16 11:42:14 2004: INFO: Access rejected for tudalat: EAP MD5-Challenge failed
Fri Jan 16 11:42:14 2004: DEBUG: Packet dump:
*** Sending to xxx.xxx.254.224 port 1024 ....
Code: Access-Reject
Identifier: 247
Authentic: <207>T<171>5<225><220>n<25><181><211><170><246><146><248><12>P
Attributes:
EAP-Message = <4><2><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
############ log.radiusd for successful attempt with local users file and eap
############
*** Received from xxx.xxx.254.224 port 1024 ....
Code: Access-Request
Identifier: 251
Authentic: <134><244><157><221><12><153>M<199>9<169><237><1>|<227><144>v
Attributes:
Framed-MTU = 1480
NAS-IP-Address = xxx.xxx.254.224
NAS-Identifier = "HP ProCurve Switch 2626"
User-Name = "switch"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 23
NAS-Port-Type = Ethernet
NAS-Port-Id = "23"
Called-Station-Id = "00-30-6e-ae-d1-29"
Calling-Station-Id = "00-d0-b7-70-8d-7c"
Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
Tunnel-Type = 0:13
Tunnel-Medium-Type = 0:Ether_802
Tunnel-Private-Group-ID = 1
EAP-Message = <2><2><0><28><4><16>W"%<31>D?<4><194><151><255>BT<252><15><182><176>switch
Message-Authenticator = <180>K<188>bz<215>M<139>?%<162><147>j<156>&<242>
Fri Jan 16 11:45:57 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Jan 16 11:45:57 2004: DEBUG: Deleting session for switch, xxx.xxx.254.224, 23
Fri Jan 16 11:45:57 2004: DEBUG: Handling with Radius::AuthFILE:
Fri Jan 16 11:45:57 2004: DEBUG: Handling with EAP: code 2, 2, 28
Fri Jan 16 11:45:57 2004: DEBUG: Response type 4
Fri Jan 16 11:45:57 2004: DEBUG: Radius::AuthFILE looks for match with switch
Fri Jan 16 11:45:57 2004: DEBUG: Radius::AuthFILE ACCEPT:
Fri Jan 16 11:45:57 2004: DEBUG: EAP result: 0,
Fri Jan 16 11:45:57 2004: DEBUG: Access accepted for switch
Fri Jan 16 11:45:57 2004: DEBUG: Packet dump:
*** Sending to xxx.xxx.254.224 port 1024 ....
Code: Access-Accept
Identifier: 251
Authentic: <134><244><157><221><12><153>M<199>9<169><237><1>|<227><144>v
Attributes:
EAP-Message = <3><2><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "switch allowed"
Andy Dalat
tudata at shaw.ca
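As an added illustration (not code from this thread or from Radiator), here is a Python model of the EAP MD5-Challenge exchange seen in the packet dumps above: it builds and parses the EAP-Message bytes (Code 2, Identifier 2, Length 28, Type 4, Value-Size 16, as in the dumps) and shows that the server can verify a Response only by recomputing MD5(Identifier || password || challenge) from the user's cleartext password, since the Response carries a digest, not a password it could bind to a directory with. The user name and passwords in the exchange are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# EAP constants (RFC 3748); "code 2, 2, 28" in the log is Code, Identifier, Length; type 4 is MD5-Challenge.
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def build_eap_md5(code, ident, value, name=b""):
    """Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap_md5(packet):
    """Parse an EAP MD5-Challenge Request/Response and validate its length fields."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("bad Length field or not an MD5-Challenge packet")
    size = packet[5]
    value = packet[6:6 + size]
    if len(value) != size:
        raise ValueError("truncated MD5-Challenge value")
    return {"code": code, "id": ident, "value": value, "name": packet[6 + size:]}


def md5_challenge_digest(ident, password, challenge):
    """RFC 3748 section 5.4 / RFC 1994: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def server_verify(challenge, response_pkt, cleartext_pw):
    """Server side: recompute the digest from the cleartext password and compare in constant time."""
    resp = parse_eap_md5(response_pkt)
    if resp["code"] != EAP_RESPONSE:
        return False
    return hmac.compare_digest(md5_challenge_digest(resp["id"], cleartext_pw, challenge), resp["value"])


def exchange(user, stored_pw, typed_pw, ident=2):
    """Constructed end-to-end run: server challenges, supplicant answers, server checks."""
    challenge = os.urandom(16)                                  # Request value sent to the supplicant
    request = build_eap_md5(EAP_REQUEST, ident, challenge)
    answer = md5_challenge_digest(ident, typed_pw, parse_eap_md5(request)["value"])
    response = build_eap_md5(EAP_RESPONSE, ident, answer, name=user)
    return server_verify(challenge, response, stored_pw)
```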
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.