Fwd: (RADIATOR) Help with configure radius.cfg with eap and ldap

Mike McCauley mikem at open.com.au
Tue Jan 20 15:50:48 CST 2004


Hello Andy,

I think the problem is that you do not have PasswordAttr defined in your 
config file for AuthBy LDAP2. You should have seen an error message about 
that when it starts up? It's not required with ServerChecksPassword, so you 
may have overlooked it?

Cheers.




On Wed, 21 Jan 2004 03:36 am, tudalat at shaw.ca wrote:
> ----- Original Message -----
> From: Hugh Irvine <hugh at open.com.au>
> Date: Sunday, January 18, 2004 3:20 pm
> Subject: Fwd: (RADIATOR) Help with configure radius.cfg with eap and ldap
>
> > Hello Andy -
>
> Hi Hugh and Mike:
>  I tried your suggestion but it's still a no go. The same CFG works
> with LDAP but not with EAP. When I tried with EAP authentication, I
> see the following using tcpdump:
>  1. Client sends radius EAP request
>  2. Radiusd sends EAP challenge
>  3. Client sends radius EAP request
>  4. ...
>     ... successful LDAP bind
>     ...
>  5. Radius sends EAP reject
>
> Can you advise? Thanks in advance for any help/pointer.
>
> Included below are my CFG and log.
>
> Andy Dalat
> tudata at shaw.ca
>
> > See Mike's comments below.
> >
> > You can't use "ServerChecksPasswords" as Radiator requires the
> > plaintext password.
> >
> > regards
> >
> > Hugh
>
> ## This is my CFG
>
> Trace 4
> Foreground
> LogDir /usr/local/radius/log
> DbDir /usr/local/radius/etc
> LogFile %L/log.radiusd
> PidFile %L/../run/radiusd.pid
> AuthPort 1812
> AcctPort 1813
>
> <Client DEFAULT>
>         Secret                  xxxtest
>         IgnoreAcctSignature
>         DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>         RewriteUsername s/(.*)@.*$/$1/
>         AuthByPolicy ContinueAlways
>         <AuthBy LDAP2>
>                 NoDefault
>                 Host            failover.ldap.ucalgary.ca
>                 Port            389
>                 AuthDN          uid=ucaccess,ou=ldapadmin,o=ucalgary.ca
>                 AuthPassword    secret
> #                ServerChecksPassword  1
>                 BaseDN          ou=xxxauthent,o=ucalgary.ca
>                 Version         3
>                 Debug           255
>                 EAPType         MD5-Challenge
>         </AuthBy>
>         AcctLogFileName         %L/detail.ldap
> </Realm>
>
>
>
> ### successful Ldap authentication
> ###
>
> Mon Jan 19 15:17:09 2004: DEBUG: Packet dump:
> *** Received from xxx.xxx.254.205 port 32868 ....
> Code:       Access-Request
> Identifier: 9
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "tudalat"
>         Service-Type = Framed-User
>         NAS-IP-Address = xxx.xxx.124.2
>         NAS-Port = 1234
>         Called-Station-Id = "2202880"
>         Calling-Station-Id = "4032205155"
>         NAS-Port-Type = Async
>         User-Password =
> "d<248>y'R<219>s<11><134>]<176><195><157><152><242><243>"
>
> Mon Jan 19 15:17:09 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Jan 19 15:17:09 2004: DEBUG: Rewrote user name to tudalat
> Mon Jan 19 15:17:09 2004: DEBUG:  Deleting session for tudalat, xxx.xxx.124.2, 1234
> Mon Jan 19 15:17:09 2004: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Jan 19 15:17:09 2004: INFO: Connecting to failover.ldap.ucalgary.ca, port 389
> Mon Jan 19 15:17:09 2004: INFO: Attempting to bind to LDAP server failover.ldap.ucalgary.ca:389)
> Mon Jan 19 15:17:09 2004: DEBUG: LDAP got result for uid=tudalat,ou=xxxauthent,o=ucalgary.ca
> Mon Jan 19 15:17:09 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
> Mon Jan 19 15:17:09 2004: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Mon Jan 19 15:17:09 2004: DEBUG: Access accepted for tudalat
> Mon Jan 19 15:17:09 2004: DEBUG: Packet dump:
> *** Sending to xxx.xxx.254.205 port 32868 ....
> Code:       Access-Accept
> Identifier: 9
> Authentic:  1234567890123456
> Attributes:
>
>
> ### unsuccessful EAP authentication
> ###
>
> Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
> *** Received from xxx.xxx.254.224 port 1024 ....
> Code:       Access-Request
> Identifier: 144
> Authentic:  L^<187>.<147><23>:X<130><168><19><136><152><159><231><247>
> Attributes:
>         Framed-MTU = 1480
>         NAS-IP-Address = xxx.xxx.254.224
>         NAS-Identifier = "HP ProCurve Switch 2626"
>         User-Name = "tudalat"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         NAS-Port = 23
>         NAS-Port-Type = Ethernet
>         NAS-Port-Id = "23"
>         Called-Station-Id = "00-30-6e-ae-d1-29"
>         Calling-Station-Id = "00-d0-b7-70-8d-7c"
>         Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
>         Tunnel-Type = 0:13
>         Tunnel-Medium-Type = 0:Ether_802
>         Tunnel-Private-Group-ID = 1
>         EAP-Message = <2><1><0><11><1>tudalat
>         Message-Authenticator =
> <159><170><180>N&<176>es<166>p7<151><170><206>G<235>
>
> Mon Jan 19 15:17:35 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Jan 19 15:17:35 2004: DEBUG: Rewrote user name to tudalat
> Mon Jan 19 15:17:35 2004: DEBUG:  Deleting session for tudalat, xxx.xxx.254.224, 23
> Mon Jan 19 15:17:35 2004: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Jan 19 15:17:35 2004: DEBUG: Handling with EAP: code 2, 1, 11
> Mon Jan 19 15:17:35 2004: DEBUG: Response type 1
> Mon Jan 19 15:17:35 2004: DEBUG: EAP result: 3, EAP MD5-Challenge
> Mon Jan 19 15:17:35 2004: DEBUG: Access challenged for tudalat: EAP MD5-Challenge
> Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
> *** Sending to xxx.xxx.254.224 port 1024 ....
> Code:       Access-Challenge
> Identifier: 144
> Authentic:  L^<187>.<147><23>:X<130><168><19><136><152><159><231><247>
> Attributes:
>         EAP-Message = <1><2><0>-<4><16><212><23>EV<210><235><128>2<211><15><175>{<244><135>{<12>254-205.acs.ucalgary.ca
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
> *** Received from xxx.xxx.254.224 port 1024 ....
> Code:       Access-Request
> Identifier: 145
> Authentic:  <27><170>[f<196><209><167><181>)w<222>E<238><15><251><15>
> Attributes:
>         Framed-MTU = 1480
>         NAS-IP-Address = xxx.xxx.254.224
>         NAS-Identifier = "HP ProCurve Switch 2626"
>         User-Name = "tudalat"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         NAS-Port = 23
>         NAS-Port-Type = Ethernet
>         NAS-Port-Id = "23"
>         Called-Station-Id = "00-30-6e-ae-d1-29"
>         Calling-Station-Id = "00-d0-b7-70-8d-7c"
>         Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
>         Tunnel-Type = 0:13
>         Tunnel-Medium-Type = 0:Ether_802
>         Tunnel-Private-Group-ID = 1
>         EAP-Message = <2><2><0><28><4><16><164><148>f<242><3><28>m<168>4<178>Ep@<248><144><204>tudalat
>         Message-Authenticator = <238>$<254>?<151><24><13>_<144><224>|Di<250><218>o
>
> Mon Jan 19 15:17:35 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Jan 19 15:17:35 2004: DEBUG: Rewrote user name to tudalat
> Mon Jan 19 15:17:35 2004: DEBUG:  Deleting session for tudalat, xxx.xxx.254.224, 23
> Mon Jan 19 15:17:35 2004: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Jan 19 15:17:35 2004: DEBUG: Handling with EAP: code 2, 2, 28
> Mon Jan 19 15:17:35 2004: DEBUG: Response type 4
> Mon Jan 19 15:17:35 2004: INFO: Connecting to failover.ldap.ucalgary.ca, port 389
> Mon Jan 19 15:17:35 2004: INFO: Attempting to bind to LDAP server failover.ldap.ucalgary.ca:389)
> Mon Jan 19 15:17:35 2004: DEBUG: LDAP got result for uid=tudalat,ou=xxxauthent,o=ucalgary.ca
> Mon Jan 19 15:17:35 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
> Mon Jan 19 15:17:35 2004: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Mon Jan 19 15:17:35 2004: DEBUG: EAP result: 1, EAP MD5-Challenge failed
> Mon Jan 19 15:17:35 2004: INFO: Access rejected for tudalat: EAP MD5-Challenge failed
> Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
> *** Sending to xxx.xxx.254.224 port 1024 ....
> Code:       Access-Reject
> Identifier: 145
> Authentic:  <27><170>[f<196><209><167><181>)w<222>E<238><15><251><15>
> Attributes:
>         EAP-Message = <4><2><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
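The reason Mike and Hugh give (EAP-MD5 needs the plaintext password on the server, so an LDAP bind check cannot verify it) is shown below in a small added example. This is not Radiator code; it is a stand-alone Python model of the EAP-MD5-Challenge exchange per RFC 3748 section 5.4 and RFC 1994, with constructed packets, a hypothetical server-side check, and no connection to any real LDAP server.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def build_md5_request(identifier, challenge, server_name):
    """EAP-Request/MD5-Challenge: Code, Id, Length, Type=4, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + server_name
    return struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(body)) + body


def md5_response_value(identifier, password, challenge):
    """The peer's answer (CHAP style): MD5(Identifier || plaintext password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_response(identifier, password, challenge, peer_name):
    """EAP-Response/MD5-Challenge carrying the 16-byte digest and the peer's name."""
    value = md5_response_value(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + peer_name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Parse the EAP header and, for MD5-Challenge, split out Value and Name.
    The Length field must match the packet size, as in the 'code 2, 2, 28' debug line."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length field %d != packet size %d" % (length, len(packet)))
    out = {"code": code, "id": identifier, "length": length, "type": packet[4]}
    if out["type"] == EAP_TYPE_MD5_CHALLENGE:
        size = packet[5]
        out["value"], out["name"] = packet[6:6 + size], packet[6 + size:]
    return out


def server_checks_md5(response, challenge, stored_password):
    """Hypothetical server check: it can only recompute the digest if it holds the
    plaintext password (what PasswordAttr supplies). A bind-only backend gives the
    server no password, so stored_password is None and the only honest answer is reject."""
    if stored_password is None:
        return False
    msg = parse_eap(response)
    if msg["code"] != EAP_RESPONSE or msg["type"] != EAP_TYPE_MD5_CHALLENGE:
        return False
    expected = md5_response_value(msg["id"], stored_password, challenge)
    return hmac.compare_digest(expected, msg["value"])
```

Run it with a constructed challenge and password: the check succeeds only when the server has the same plaintext the peer hashed, and a correct response from the peer still fails when the server has nothing to compare against.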
