Fwd: (RADIATOR) Help with configure radius.cfg with eap and ldap
Mike McCauley
mikem at open.com.au
Thu Jan 22 01:50:47 CST 2004
Hello Andy,
On Thu, 22 Jan 2004 09:03 am, tudalat at shaw.ca wrote:
> ----- Original Message -----
> From: Mike McCauley <mikem at open.com.au>
> Date: Tuesday, January 20, 2004 2:50 pm
> Subject: Re: Fwd: (RADIATOR) Help with configure radius.cfg with eap and
> ldap
>
> > Hello Andy,
>
> Hi Mike:
> > I think the problem is that you do not have PasswordAttr defined in your
> > config file for AuthBy LDAP2. You should have seen an error
> > message about that when it starts up? It's not required with
>
> There was no error when ServerChecksPassword is not used. I tried
> "PasswordAttr userPassword" and I got "There was no password attribute
> found" PasswordAttr (alone) and EncryptedPasswordAttr, however, work
> successfully with LDAP but MD5-Challenge still fails. Just wonder if it's
> because of our
> peculiar way of implementing ldap. I am not allowed to retrieve
> the UserPassword, I can only use it to do a LDAP bind.
I think that will be the problem. In order for Radiator to support
MD5-Challenge, it needs to be able to get the plaintext password from the
LDAP server in the LDAP attribute named by PasswordAttr.
Cheers.
>
>
> Here are the two logs, .1 with "PasswordAttr userPassword"
> and .2 with "PasswordAttr "
>
> .1
> *** Received from xxx.xxx.254.224 port 1024 ....
> Code: Access-Request
> Identifier: 165
> Authentic:
> <187>O<211><155><163><153><10><156>C<179><242>9<230><208><164><144>
> Attributes:
> Framed-MTU = 1480
> NAS-IP-Address = xxx.xxx.254.224
> NAS-Identifier = "HP ProCurve Switch 2626"
> User-Name = "tudalat"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 21
> NAS-Port-Type = Ethernet
> NAS-Port-Id = "21"
> Called-Station-Id = "00-30-6e-ae-d1-2b"
> Calling-Station-Id = "00-d0-b7-70-8d-7c"
> Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
> Tunnel-Type = VLAN
> Tunnel-Medium-Type = IEEE-802
> Tunnel-Private-Group-ID = "1"
> EAP-Message =
> <2><2><0><28><4><16>Y<10><4>>l8<155>Y<158><133><166>xl<185>J<204>tudalat
> Message-Authenticator =
> <139><249>p<127><184>70<165><139>K<207>w<181><182><141>x
>
> Wed Jan 21 14:34:35 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Jan 21 14:34:35 2004: DEBUG: Rewrote user name to tudalat
> Wed Jan 21 14:34:35 2004: DEBUG: Deleting session for tudalat, xxx.xxx.254.224, 21
> Wed Jan 21 14:34:35 2004: DEBUG: Handling with Radius::AuthLDAP2: uidauthent
> Wed Jan 21 14:34:35 2004: DEBUG: Handling with EAP: code 2, 2, 28
> Wed Jan 21 14:34:35 2004: DEBUG: Response type 4
> Wed Jan 21 14:34:35 2004: INFO: Connecting to test.ldap.ucalgary.ca, port 389
> Wed Jan 21 14:34:35 2004: INFO: Attempting to bind to LDAP server test.ldap.ucalgary.ca:389)
> Wed Jan 21 14:34:35 2004: DEBUG: LDAP got result for uid=tudalat,ou=uidauthent,o=ucalgary.ca
> Wed Jan 21 14:34:35 2004: ERR: There was no password attribute found for tudalat. Check your LDAP database.
> Wed Jan 21 14:34:35 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
> Wed Jan 21 14:34:35 2004: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Wed Jan 21 14:34:35 2004: DEBUG: EAP result: 1, EAP MD5-Challenge failed
> Wed Jan 21 14:34:35 2004: INFO: Access rejected for tudalat: EAP MD5-Challenge failed
> Wed Jan 21 14:34:35 2004: DEBUG: Packet dump:
> *** Sending to xxx.xxx.254.224 port 1024 ....
> Code: Access-Reject
> Identifier: 165
> Authentic:
> <187>O<211><155><163><153><10><156>C<179><242>9<230><208><164><144>
> Attributes:
> EAP-Message = <4><2><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> .2
>
> And here is the log for just "PasswordAttr"
> *** Received from xxx.xxx.254.224 port 1024 ....
> Code: Access-Request
> Identifier: 167
> Authentic: <3><187><208>-3{e<252>H<196>)e<250><185><171><127>
> Attributes:
> Framed-MTU = 1480
> NAS-IP-Address = xxx.xxx.254.224
> NAS-Identifier = "HP ProCurve Switch 2626"
> User-Name = "tudalat"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 21
> NAS-Port-Type = Ethernet
> NAS-Port-Id = "21"
> Called-Station-Id = "00-30-6e-ae-d1-2b"
> Calling-Station-Id = "00-d0-b7-70-8d-7c"
> Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
> Tunnel-Type = VLAN
> Tunnel-Medium-Type = IEEE-802
> Tunnel-Private-Group-ID = "1"
> EAP-Message = <2><2><0><28><4><16><241><185><222><167><132><20><175><196><10>;<234><21><138>d<242>+tudalat
> Message-Authenticator = F<1>Q(|3Oc<5>$@4<22>t<208>~
>
> Wed Jan 21 14:52:33 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Jan 21 14:52:33 2004: DEBUG: Rewrote user name to tudalat
> Wed Jan 21 14:52:33 2004: DEBUG: Deleting session for tudalat, xxx.xxx.254.224, 21
> Wed Jan 21 14:52:33 2004: DEBUG: Handling with Radius::AuthLDAP2: uidauthent
> Wed Jan 21 14:52:33 2004: DEBUG: Handling with EAP: code 2, 2, 28
> Wed Jan 21 14:52:33 2004: DEBUG: Response type 4
> Wed Jan 21 14:52:33 2004: INFO: Connecting to test.ldap.ucalgary.ca, port 389
> Wed Jan 21 14:52:33 2004: INFO: Attempting to bind to LDAP server test.ldap.ucalgary.ca:389)
> Wed Jan 21 14:52:33 2004: DEBUG: LDAP got result for uid=tudalat,ou=uidauthent,o=ucalgary.ca
> Wed Jan 21 14:52:33 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
> Wed Jan 21 14:52:33 2004: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Wed Jan 21 14:52:33 2004: DEBUG: EAP result: 1, EAP MD5-Challenge failed
> Wed Jan 21 14:52:33 2004: INFO: Access rejected for tudalat: EAP MD5-Challenge failed
> Wed Jan 21 14:52:33 2004: DEBUG: Packet dump:
> *** Sending to xxx.xxx.254.224 port 1024 ....
> Code: Access-Reject
> Identifier: 167
> Authentic: <3><187><208>-3{e<252>H<196>)e<250><185><171><127>
> Attributes:
> EAP-Message = <4><2><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> Can you advise?
>
> thanks
> Andy Dalat
> tudalat at shaw.ca
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
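To make concrete why Mike's answer is the end of the road for a bind-only directory, here is an added Python example; it is not Radiator code and is not from the thread. It builds and parses an EAP-Response/MD5-Challenge packet of the shape seen in the log above (Code 2, Type 4, a 16-byte Value, then the Name), then tries to verify it two ways: with the cleartext password a PasswordAttr lookup would return, and against a directory that will only answer bind requests. The `BindOnlyDirectory` class, the challenge bytes and the password are constructed for this illustration.

```python
import hashlib
import hmac
import struct

# EAP constants from RFC 3748 (Code 2 = Response, Type 4 = MD5-Challenge);
# these are the fields Radiator logs as "Handling with EAP: code 2, 2, 28"
# and "Response type 4".
EAP_CODE_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response value: MD5(Identifier || Secret || Challenge)
    (RFC 1994 section 4.1, reused by EAP-MD5 in RFC 3748 section 5.4).
    The secret is the user's cleartext password, which is why the server
    that verifies this value must itself hold that cleartext."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5_response(identifier: int, password: bytes,
                           challenge: bytes, name: bytes) -> bytes:
    """Assemble the EAP-Response/MD5-Challenge packet a supplicant sends:
    Code | Identifier | Length | Type | Value-Size | Value | Name."""
    value = md5_challenge_response(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    length = 4 + len(body)            # 4-byte header plus body
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, length) + body


def parse_eap_md5_response(packet: bytes):
    """Split an EAP-Message value back into (identifier, value, name),
    checking the header fields a RADIUS server must validate before hashing."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_CODE_RESPONSE or length != len(packet):
        raise ValueError("not a well-formed EAP Response")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("EAP type %d is not MD5-Challenge" % packet[4])
    value_size = packet[5]
    if 6 + value_size > len(packet):
        raise ValueError("Value-Size exceeds packet length")
    value = packet[6:6 + value_size]
    name = packet[6 + value_size:]
    return identifier, value, name


def verify_with_cleartext(identifier: int, challenge: bytes,
                          value: bytes, cleartext_password: bytes) -> bool:
    """What the server can do when PasswordAttr returns the cleartext:
    recompute the hash and compare it in constant time."""
    expected = md5_challenge_response(identifier, cleartext_password, challenge)
    return hmac.compare_digest(expected, value)


class BindOnlyDirectory:
    """Hypothetical stand-in (constructed for this example) for a directory
    that answers bind requests but never discloses userPassword."""

    def __init__(self, users):
        self._users = users           # uid -> cleartext, known only to the directory

    def bind(self, uid: str, password: bytes) -> bool:
        return self._users.get(uid) == password

    def read_password(self, uid: str) -> bytes:
        raise PermissionError("userPassword is not readable by this account")


def verify_with_bind_only(directory, uid: str, identifier: int,
                          challenge: bytes, value: bytes):
    """The situation in the thread: the server holds only a 16-byte MD5 value,
    not a password it could bind with, and the directory will not hand over
    the cleartext. Returns None to signal that the challenge cannot be checked."""
    try:
        cleartext = directory.read_password(uid)
    except PermissionError:
        return None
    return verify_with_cleartext(identifier, challenge, value, cleartext)


if __name__ == "__main__":
    challenge = bytes(range(16))      # constructed; a real server uses random bytes
    pkt = build_eap_md5_response(2, b"s3cret", challenge, b"tudalat")
    ident, value, name = parse_eap_md5_response(pkt)
    print("cleartext available:", verify_with_cleartext(ident, challenge, value, b"s3cret"))
    print("bind-only directory:", verify_with_bind_only(
        BindOnlyDirectory({"tudalat": b"s3cret"}), name.decode(), ident, challenge, value))
```

The bind path succeeds only when the server already has the password to bind with, which is exactly what the EAP exchange withholds: the supplicant sends a hash, never the password. A hashed value from EncryptedPasswordAttr does not help either, since MD5(Identifier || Secret || Challenge) can only be recomputed from the secret itself, which is why that setting lets the LDAP check pass in the logs above while MD5-Challenge still fails.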