(RADIATOR) Trying to get Windows Group membership working in AuthLSA

Hugh Irvine hugh at open.com.au
Tue Jul 6 18:34:45 CDT 2004


Salut Michel -

Here is the relevant code from "Radius/AuthLSA.pm":

#####################################################################
# Check if the user is in the global group
sub userIsInGroup
{
     my ($self, $user, $group) = @_;

     require Win32::NetAdmin;
     import Win32::NetAdmin;

     return Win32::NetAdmin::GroupIsMember($self->{DomainController}, $group, $user);
}


You can only specify a global group for checking.

regards

Hugh


On 7 Jul 2004, at 00:10, Michel Lapointe wrote:

> Hi,
>
> I'm evaluating Radiator 3.9 with all patches on Windows 2000 Server sp4
> (member server).  I'm trying to use the new Windows Group Membership
> feature but it does not seem to work.
>
> If I don't specify any Group, I can successfully authenticate both Local
> users (test) and Domain users (domain\test).  So the LSA authentication is
> working fine.  If I specify a Group, then I receive "Access rejected for
> test:  AuthBy LSA User is not a member of any Group".  I tried to use local
> group (locally on the server) or Global (Domain) Group without success.
>
> Here is my config:
>
> Foreground
> LogStdout
> LogDir            c:/Program Files/Radiator
> DbDir       c:/Program Files/Radiator
>
> Trace             5
>
> <Client DEFAULT>
>       Secret      mysecret
>       DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>       <AuthBy LSA>
>             Group TestGroup
>             Group Users
>       </AuthBy>
> </Realm>
>
> And the debug:
>
> Tue Jul  6 08:56:17 2004: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1466 ....
>
> Packet length = 90
> 01 3d 00 5a 31 32 33 34 35 36 37 38 39 30 31 32
> 33 34 35 36 01 06 74 65 73 74 06 06 00 00 00 02
> 04 06 cb 3f 9a 01 05 06 00 00 04 d2 1e 0b 31 32
> 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33
> 32 31 3d 06 00 00 00 00 02 12 c8 b9 6c 99 9a 6a
> 33 ce bc 38 09 a0 d8 7d 78 99
> Code:       Access-Request
> Identifier: 61
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "test"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password = "<200><185>l<153><154>j3<206><188>8<9><160><216>}x<153>"
>
>
> Tue Jul  6 08:56:17 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Jul  6 08:56:17 2004: DEBUG:  Deleting session for test, 203.63.154.1, 1234
> Tue Jul  6 08:56:17 2004: DEBUG: Handling with Radius::AuthLSA:
> Tue Jul  6 08:56:17 2004: DEBUG: Radius::AuthLSA looks for match with test
> Tue Jul  6 08:56:17 2004: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group
> Tue Jul  6 08:56:17 2004: INFO: Access rejected for test: AuthBy LSA User is not a member of any Group
> Tue Jul  6 08:56:17 2004: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1466 ....
>
> Packet length = 36
> 03 3d 00 24 dd 31 ca 56 f2 e2 1b 8e 89 66 3a 06
> 1b 34 45 47 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 61
> Authentic:  1234567890123456
> Attributes:
>         Reply-Message = "Request Denied"
>
>
> Thanks
>
> Michel Lapointe
> The Jean Coutu Group (PJC) inc.
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
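
Added example, not part of the original messages and not Radiator code: a small Perl diagnostic for the Windows host that runs the same Win32::NetAdmin::GroupIsMember call quoted above next to Win32::NetAdmin::LocalGroupIsMember, to show whether a name given in a Group line is a global (domain) group or only a local one. The script name, the classify_membership helper and the use of GetDomainController to pick the server are assumptions of this example.

```perl
#!/usr/bin/perl
# Added diagnostic sketch (not Radiator code). Run on the Windows server.
# Usage: perl groupcheck.pl <user> <group> [<group> ...]
use strict;
use warnings;
use Win32::NetAdmin;

# Report global and local membership of $user in $group.
# $dc is the server to ask about global groups ('' means the local machine).
sub classify_membership {
    my ($dc, $group, $user) = @_;
    # Same call as userIsInGroup in Radius/AuthLSA.pm: global groups only.
    my $global = Win32::NetAdmin::GroupIsMember($dc, $group, $user) ? 1 : 0;
    # Local groups on this server are checked by a different call.
    my $local = Win32::NetAdmin::LocalGroupIsMember('', $group, $user) ? 1 : 0;
    return ($global, $local);
}

sub main {
    my ($user, @groups) = @_;
    die "usage: $0 user group [group ...]\n" unless defined $user && @groups;

    # Assumption: query the domain controller of this machine's own domain.
    my $dc = '';
    Win32::NetAdmin::GetDomainController('', '', $dc)
        or warn "no domain controller found, checking the local machine only\n";

    for my $group (@groups) {
        my ($global, $local) = classify_membership($dc, $group, $user);
        my $verdict = $global ? 'global group: GroupIsMember matches'
                    : $local  ? 'local group only: GroupIsMember does not match'
                    :           'no membership found';
        printf "%-20s global=%d local=%d  %s\n", $group, $global, $local, $verdict;
    }
    return;
}

main(@ARGV);
```

A name that reports "local group only" is one the GroupIsMember check quoted above will not accept, whatever the user's local membership.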
