(RADIATOR) Trying to get Windows Group membership working in AuthLSA
Michel Lapointe
MLapointe at jeancoutu.com
Tue Jul 6 19:55:39 CDT 2004
Hi,
I did a number of tests and I finally got it to work, but not exactly how
I would like it. Here are two observations:
1. The Group feature needs the DomainController to be present.
2. When the Group feature is in use, I can no longer specify the domain
before the username (i.e. "domain\user") to authenticate.
These observations may be wrong, but this is how it behaves on my systems.
The first one is important for us because we are in a High availability
environment and we must not specify a single static domain controller
unless we can specify more than one (can we?). The second one is also
important because we are using more than one domain and we must allow
inter-domain authentication.
Thanks
Michel Lapointe
The Jean Coutu Group (PJC) inc.
From: Hugh Irvine <hugh at open.com.au>
Date: 2004-07-06 19:34
To: "Michel Lapointe" <MLapointe at jeancoutu.com>
cc: "radiator at open.com.au" <radiator at open.com.au>
Subject: Re: (RADIATOR) Trying to get Windows Group membership working in AuthLSA
Hi Michel -
Here is the relevant code from "Radius/AuthLSA.pm":
#####################################################################
# Check if the user is in the global group
sub userIsInGroup
{
my ($self, $user, $group) = @_;
require Win32::NetAdmin;
import Win32::NetAdmin;
return Win32::NetAdmin::GroupIsMember($self->{DomainController},
$group, $user);
}
You can only specify a global group for checking.
regards
Hugh
On 7 Jul 2004, at 00:10, Michel Lapointe wrote:
> Hi,
>
> I'm evaluating Radiator 3.9 with all patches on Windows 2000 Server sp4
> (member server). I'm trying to use the new Windows Group Membership
> feature but it does not seem to work.
>
> If I don't specify any Group, I can successfully authenticate both Local
> users (test) and Domain users (domain\test). So the LSA authentication is
> working fine. If I specify a Group, then I receive "Access rejected for
> test: AuthBy LSA User is not a member of any Group". I tried to use local
> group (locally on the server) or Global (Domain) Group without success.
>
> Here is my config:
>
> Foreground
> LogStdout
> LogDir c:/Program Files/Radiator
> DbDir c:/Program Files/Radiator
>
> Trace 5
>
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <Realm DEFAULT>
> <AuthBy LSA>
> Group TestGroup
> Group Users
> </AuthBy>
> </Realm>
>
> And the debug:
>
> Tue Jul 6 08:56:17 2004: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1466 ....
>
> Packet length = 90
> 01 3d 00 5a 31 32 33 34 35 36 37 38 39 30 31 32
> 33 34 35 36 01 06 74 65 73 74 06 06 00 00 00 02
> 04 06 cb 3f 9a 01 05 06 00 00 04 d2 1e 0b 31 32
> 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33
> 32 31 3d 06 00 00 00 00 02 12 c8 b9 6c 99 9a 6a
> 33 ce bc 38 09 a0 d8 7d 78 99
> Code: Access-Request
> Identifier: 61
> Authentic: 1234567890123456
> Attributes:
> User-Name = "test"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = "<200><185>l<153><154>j3<206><188>8<9><160><216>}x<153>"
>
>
> Tue Jul 6 08:56:17 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Jul 6 08:56:17 2004: DEBUG: Deleting session for test, 203.63.154.1, 1234
> Tue Jul 6 08:56:17 2004: DEBUG: Handling with Radius::AuthLSA:
> Tue Jul 6 08:56:17 2004: DEBUG: Radius::AuthLSA looks for match with test
> Tue Jul 6 08:56:17 2004: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group
> Tue Jul 6 08:56:17 2004: INFO: Access rejected for test: AuthBy LSA User is not a member of any Group
> Tue Jul 6 08:56:17 2004: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1466 ....
>
> Packet length = 36
> 03 3d 00 24 dd 31 ca 56 f2 e2 1b 8e 89 66 3a 06
> 1b 34 45 47 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code: Access-Reject
> Identifier: 61
> Authentic: 1234567890123456
> Attributes:
> Reply-Message = "Request Denied"
>
>
> Thanks
>
> Michel Lapointe
> The Jean Coutu Group (PJC) inc.
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
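As an added illustration (not Radiator's own code, and not from Hugh or Michel): the quoted userIsInGroup passes the configured DomainController and the User-Name straight to Win32::NetAdmin::GroupIsMember, which only answers for global groups. The script below uses the same module to show one way of covering the two points raised earlier in this thread: it looks the domain controller up with Win32::NetAdmin::GetDomainController instead of relying on a single configured one, splits a "DOMAIN\user" name before calling the API, and checks groups given as "local:Name" against the local SAM with LocalGroupIsMember. The "local:" prefix, the splitting convention and the fallback to this machine for a bare user name are conventions of the example, not AuthLSA behaviour, and whether GroupIsMember itself accepts a "DOMAIN\user" form is not established by the thread.

```perl
#!/usr/bin/perl
# Added example, not Radiator code: decide whether a RADIUS User-Name is a
# member of any of a list of Windows groups using Win32::NetAdmin, the module
# the quoted AuthLSA.pm code calls.  Assumptions (mine, not from the thread):
#  - "DOMAIN\user" is split and only the bare user name is passed to the API;
#  - the DC is found with GetDomainController rather than hard-coded, so no
#    single static DomainController has to be configured;
#  - groups written "local:Name" are checked as local groups on this server
#    with LocalGroupIsMember; everything else is treated as a global (domain)
#    group and checked with GroupIsMember, which only knows global groups;
#  - a bare user name with no domain prefix is checked against this machine.
use strict;
use warnings;
use Win32::NetAdmin qw(GetDomainController GroupIsMember LocalGroupIsMember);

# Split "DOMAIN\user" into (domain, user); a bare name yields (undef, name).
sub split_user_name {
    my ($name) = @_;
    return $name =~ /^([^\\]+)\\(.+)$/ ? ($1, $2) : (undef, $name);
}

# Ask this machine for a domain controller of $domain.
# GetDomainController(server, domain, returnedName) fills in the DC name;
# an empty server string means "this machine".
sub find_domain_controller {
    my ($domain) = @_;
    my $dc;
    return GetDomainController('', $domain, $dc) ? $dc : undef;
}

# Return the first group in @groups that $full_name belongs to, or undef.
sub user_in_any_group {
    my ($full_name, @groups) = @_;
    my ($domain, $user) = split_user_name($full_name);
    # Global-group questions go to a DC of the named domain; with no domain
    # prefix they are (by this example's convention) asked of this machine.
    my $dc = defined $domain ? find_domain_controller($domain) : '';
    for my $group (@groups) {
        if ($group =~ /^local:(.+)$/) {
            # Local group on this server: check against the local SAM.
            return $group if LocalGroupIsMember('', $1, $user);
        }
        else {
            # Global group: skip if no DC could be found for the domain.
            next unless defined $dc;
            return $group if GroupIsMember($dc, $group, $user);
        }
    }
    return undef;
}

die "usage: $0 [DOMAIN\\]user group [group ...]\n" if @ARGV < 2;
my ($name, @groups) = @ARGV;
my $hit = user_in_any_group($name, @groups);
print defined $hit
    ? "$name is a member of $hit\n"
    : "$name is not a member of any listed group\n";
```

Run it on the Radiator host as the account Radiator itself runs under, e.g. `perl checkgroup.pl CORP\test TestGroup local:Users`, because the NetAdmin calls use the caller's credentials to talk to the DC and to the local SAM; a "not a member" answer with Trace 5 showing the same reject is then a membership or DC-lookup problem, not a RADIUS one.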
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.