(RADIATOR) Help with configure radius.cfg with eap and ldap

tudalat at shaw.ca tudalat at shaw.ca
Fri Jan 16 14:35:26 CST 2004



----- Original Message -----
From: Hugh Irvine <hugh at open.com.au>
Date: Thursday, January 15, 2004 4:09 pm
Subject: Re: (RADIATOR) Help with configure radius.cfg with eap and ldap

> 
> Hello Andy -
> 
Hi Hugh:
Thanks for your prompt reply.

> Your configuration file is not correct - you should add an EAPType 
> line 
> to the AuthBy LDAP2 and remove the AuthBy FILE.
> 
> Something like this:
> 
> ############  radius.cfg
> #Trace 3
> Trace 5
> Foreground
> LogDir /usr/local/radius/log
> DbDir /usr/local/radius/etc
> LogFile %L/log.radiusd.eap
> PidFile %L/../run/radiusd.pid
> AuthPort 1812
> AcctPort 1813
> <Client DEFAULT>
>         Secret                  abcd1234dcba
>         IgnoreAcctSignature
> #       DefaultRealm            callid
> </Client>
>
> <Realm DEFAULT>
>         RewriteUsername s/(.*)@.*$/$1/
>         <AuthBy LDAP2>
>                 NoDefault
>                 Identifier      test-uid
>                 Host            test.ldap.ucalgary.ca
>                 Port            389
>                 ServerChecksPassword    1
>                 BaseDN          ou=test-uid,o=ucalgary.ca
>                 Version         3
>                 EAPType         MD5-Challenge
>         </AuthBy>
>         AcctLogFileName         %L/detail.eap
> </Realm>
>

I have tried the above with no success. Included below are the
two logs, one failed attempt using your suggested .cfg and one successful
with EAP using the local users file.

 
> There are many other arrangements possible depending on your exact 
> requirements.

Is there any more detailed document on "other arrangements"? At this point,
I just want to open a port if ldap's userid/passwd query is successful.
Does anyone have a working example .CFG of EAP and LDAP that I can borrow?

Thank you all.

I am using:
   radiator 3.7.1/3.8
   perl  v5.8.2
   openssl-0.9.7a-20


## log.radiusd for failed attempt with ldap and eap
##
Fri Jan 16 11:42:14 2004: DEBUG: Packet dump:
*** Received from xxx.xxx.254.224 port 1024 ....
Code:       Access-Request
Identifier: 247
Authentic:  <207>T<171>5<225><220>n<25><181><211><170><246><146><248><12>P
Attributes:
        Framed-MTU = 1480
        NAS-IP-Address = xxx.xxx.254.224
        NAS-Identifier = "HP ProCurve Switch 2626"
        User-Name = "tudalat"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 23
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "23"
        Called-Station-Id = "00-30-6e-ae-d1-29"
        Calling-Station-Id = "00-d0-b7-70-8d-7c"
        Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
        Tunnel-Type = 0:13
        Tunnel-Medium-Type = 0:Ether_802
        Tunnel-Private-Group-ID = 1
        EAP-Message = <2><2><0><28><4><16>y:<156><152>n<160><19><157><147><245>Y<140>x<29>u<242>tudalat
        Message-Authenticator = /a1u<204><8><206><12>t<203><242><178>E<22><246>"

Fri Jan 16 11:42:14 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Jan 16 11:42:14 2004: DEBUG: Rewrote user name to tudalat
Fri Jan 16 11:42:14 2004: DEBUG:  Deleting session for tudalat, xxx.xxx.254.224, 23
Fri Jan 16 11:42:14 2004: DEBUG: Handling with Radius::AuthLDAP2: test-uid
Fri Jan 16 11:42:14 2004: DEBUG: Handling with EAP: code 2, 2, 28
Fri Jan 16 11:42:14 2004: DEBUG: Response type 4
Fri Jan 16 11:42:14 2004: DEBUG: Connecting to failover.ldap.ucalgary.ca, port 389
Fri Jan 16 11:42:14 2004: DEBUG: LDAP2 got result for uid=tudalat,ou=test-uid,o=ucalgary.ca
Fri Jan 16 11:42:14 2004: DEBUG: LDAP2 rejected password for tudalat
Fri Jan 16 11:42:14 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
Fri Jan 16 11:42:14 2004: DEBUG: EAP result: 1, EAP MD5-Challenge failed
Fri Jan 16 11:42:14 2004: INFO: Access rejected for tudalat: EAP MD5-Challenge failed
Fri Jan 16 11:42:14 2004: DEBUG: Packet dump:

*** Sending to xxx.xxx.254.224 port 1024 ....
Code:       Access-Reject
Identifier: 247
Authentic:  <207>T<171>5<225><220>n<25><181><211><170><246><146><248><12>P
Attributes:
        EAP-Message = <4><2><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"

############ log.radiusd for successful attempt with local users file and eap
############

*** Received from xxx.xxx.254.224 port 1024 ....
Code:       Access-Request
Identifier: 251
Authentic:  <134><244><157><221><12><153>M<199>9<169><237><1>|<227><144>v
Attributes:
        Framed-MTU = 1480
        NAS-IP-Address = xxx.xxx.254.224
        NAS-Identifier = "HP ProCurve Switch 2626"
        User-Name = "switch"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 23
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "23"
        Called-Station-Id = "00-30-6e-ae-d1-29"
        Calling-Station-Id = "00-d0-b7-70-8d-7c"
        Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
        Tunnel-Type = 0:13
        Tunnel-Medium-Type = 0:Ether_802
        Tunnel-Private-Group-ID = 1
        EAP-Message = <2><2><0><28><4><16>W"%<31>D?<4><194><151><255>BT<252><15><182><176>switch
        Message-Authenticator = <180>K<188>bz<215>M<139>?%<162><147>j<156>&<242>
Fri Jan 16 11:45:57 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Jan 16 11:45:57 2004: DEBUG:  Deleting session for switch, xxx.xxx.254.224, 23
Fri Jan 16 11:45:57 2004: DEBUG: Handling with Radius::AuthFILE:
Fri Jan 16 11:45:57 2004: DEBUG: Handling with EAP: code 2, 2, 28
Fri Jan 16 11:45:57 2004: DEBUG: Response type 4
Fri Jan 16 11:45:57 2004: DEBUG: Radius::AuthFILE looks for match with switch
Fri Jan 16 11:45:57 2004: DEBUG: Radius::AuthFILE ACCEPT:
Fri Jan 16 11:45:57 2004: DEBUG: EAP result: 0,
Fri Jan 16 11:45:57 2004: DEBUG: Access accepted for switch
Fri Jan 16 11:45:57 2004: DEBUG: Packet dump:
*** Sending to xxx.xxx.254.224 port 1024 ....
Code:       Access-Accept
Identifier: 251
Authentic:  <134><244><157><221><12><153>M<199>9<169><237><1>|<227><144>v
Attributes:
        EAP-Message = <3><2><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "switch allowed"


Andy Dalat
tudata at shaw.ca
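An added example, not from this thread or from Radiator, showing why EAP MD5-Challenge needs the cleartext password on the RADIUS side: it decodes the EAP-Message from the successful log above and verifies a response the way RFC 3748 section 5.4 defines it, MD5(Identifier || password || Challenge). The challenge and password in `demo()` are constructed (neither is recoverable from the logs) and the `Md5Response` / `verify_md5_challenge` names are mine; a backend that can only answer an LDAP bind, which is what `ServerChecksPassword` asks for, never hands over a cleartext password, so the digest check cannot complete.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# EAP-Message copied from the successful log above, in Radiator's dump notation
# (<decimal> for non-printable bytes). Per RFC 3748 s.5.4: code 2 (Response),
# id 2, length 28, type 4 (MD5-Challenge), value-size 16, 16-byte digest, name.
LOGGED_EAP_MESSAGE = '<2><2><0><28><4><16>W"%<31>D?<4><194><151><255>BT<252><15><182><176>switch'

def decode_radiator_bytes(dump: str) -> bytes:
    """Turn Radiator's <n> byte notation back into raw bytes."""
    return bytes(int(t[1:-1]) if t.startswith("<") else ord(t)
                 for t in re.findall(r"<\d+>|.", dump))

@dataclass
class Md5Response:
    identifier: int
    value: bytes   # digest the peer sent: MD5(identifier || password || challenge)
    name: bytes

def parse_md5_response(raw: bytes) -> Md5Response:
    """Parse an EAP Response/MD5-Challenge; reject anything else."""
    if len(raw) < 6 or raw[0] != 2 or raw[4] != 4:
        raise ValueError("not an EAP Response/MD5-Challenge")
    length, size = int.from_bytes(raw[2:4], "big"), raw[5]
    if length != len(raw) or 6 + size > length:
        raise ValueError("bad EAP length or value-size")
    return Md5Response(raw[1], raw[6:6 + size], raw[6 + size:length])

def expected_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """What the peer must send: MD5(Identifier || cleartext password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def verify_md5_challenge(resp: Md5Response, challenge: bytes,
                         cleartext_password: Optional[bytes]) -> Optional[bool]:
    """None = undecidable: a bind-only backend gives no cleartext to hash with,
    and the MD5-Challenge response carries a digest, not a password to bind."""
    if cleartext_password is None:
        return None
    return hmac.compare_digest(resp.value, expected_value(resp.identifier, cleartext_password, challenge))

def demo() -> dict:
    # Constructed challenge and password (hypothetical values, not from the logs).
    challenge, password, ident = bytes(range(16)), b"s3cret", 2
    resp = Md5Response(ident, expected_value(ident, password, challenge), b"switch")
    return {"users_file": verify_md5_challenge(resp, challenge, password),     # True
            "wrong_password": verify_md5_challenge(resp, challenge, b"nope"),  # False
            "ldap_bind_only": verify_md5_challenge(resp, challenge, None)}      # None
```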


===
Archive at http://www.open.com.au/archives/radiator/