(RADIATOR) Radiator Mac OS X LDAP

Phil Ershler ershler at cvrti.utah.edu
Mon Nov 8 11:28:31 CST 2004


On Nov 8, 2004, at 7:17 AM, Urs Landis wrote:

> Hi all
>
> does anyone have successful installed Radiator with LDAP on 
> OS-X-Server for PW verification?
>
> i need some help to do that!
>
>
>
> best regards
>
>
Here's the AuthBy clause that I use. The first statement "Identifier 
LDAPBind" turns out to be the real magic to get this to work. I use 
this to authenticate users on my wireless network using EAP_TTLS with 
pap for inner authentication.

HTH,

Phil

        <AuthBy LDAP2>
               Identifier LDAPBind

                 # Open Directory has proprietary encrypted passwords
                 # so we must get the server to check them.

                 ServerChecksPassword

                 # Tell Radiator how to talk to the LDAP Server

                 Host            aaa.bbb.ccc.ddd
                 BaseDN          dc=blah, dc=blah, dc=blah
                 Version         3
                 UsernameAttr    uid

                 FailureBackoffTime 30

                 # EAPType sets the EAP type(s) that Radiator will 
honour.
                 # Options are: MD5-Challenge, One-Time-Password
                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
                 # Multiple types can be comma separated. With the 
default (most
                 # preferred) type given first
                 EAPType TTLS

                 # EAPTLS_CAFile is the name of a file of CA certificates
                 # in PEM format. The file can contain several CA 
certificates
                 # Radiator will first look in EAPTLS_CAFile then in
                 # EAPTLS_CAPath, so there usually is no need to set both
                 EAPTLS_CAFile 
/usr/local/Radiator-3.9/certificates/demoCA/cacert.pem

                 # EAPTLS_CAPath is the name of a directory containing CA
                 # certificates in PEM format. The files each contain one
                 # CA certificate. The files are looked up by the CA
                 # subject name hash value
#               EAPTLS_CAPath
                 # EAPTLS_CertificateFile is the name of a file 
containing
                 # the servers certificate. EAPTLS_CertificateType
                 # specifies the type of the file. Can be PEM or ASN1
                 # defaults to ASN1
                 EAPTLS_CertificateFile 
/usr/local/Radiator-3.9/certificates/cert-srv.pem
                 EAPTLS_CertificateType PEM

                 # EAPTLS_PrivateKeyFile is the name of the file 
containing
                 # the servers private key. It is sometimes in the same 
file
                 # as the server certificate (EAPTLS_CertificateFile)
                 # If the private key is encrypted (usually the case)
                 # then EAPTLS_PrivateKeyPassword is the key to descrypt 
it
                 EAPTLS_PrivateKeyFile 
/usr/local/Radiator-3.9/certificates/cert-srv.pem
                 EAPTLS_PrivateKeyPassword whatever

                 # EAPTLS_RandomFile is an optional file containing
                 # randdomness
#               EAPTLS_RandomFile %D/certificates/random

                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
                 # size that will be replied by Radiator. It must be 
small
                 # enough to fit in a single Radius request (ie less 
than 4096)
                 # and still leave enough space for other attributes
                 # Aironet APs seem to need a smaller MaxFragmentSize
                 # (eg 1024) than the default of 2048. Others need even 
smaller sizes.
                 EAPTLS_MaxFragmentSize 1000

                 # EAPTLS_DHFile if set specifies the DH group file. It
                 # may be required if you need to use ephemeral DH keys.
#               EAPTLS_DHFile %D/certificates/cert/dh


                 # If EAPTLS_CRLCheck is set  and the client presents a 
certificate
                 # then Radiator will look for a certificate revocation 
list (CRL)
                 # for the certificate issuer
                 # when authenticating each client. If a CRL file is not 
found, or
                 # if the CRL says the certificate has neen revoked, the 
authentication will
                 # fail with an error:
                 #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                 # One or more CRLs can be named with the EAPTLS_CRLFile 
parameter.
                 # Alternatively, CRLs may follow a file naming 
convention:
                 #  the hash of the issuer subject name
                 # and a suffix that depends on the serial number.
                 # eg ab1331b2.r0, ab1331b2.r1 etc.
                 # You can find out the hash of the issuer name in a CRL 
with
                 #  openssl crl -in crl.pem -hash -noout
                 # CRLs with tis name convention
                 # will be searched in EAPTLS_CAPath, else in the openssl
                 # certificates directory typically 
/usr/local/openssl/certs/
                 # CRLs are expected to be in PEM format.
                 # A CRL files can be generated with openssl like this:
                 #  openssl ca -gencrl -revoke cert-clt.pem
                 #  openssl ca -gencrl -out crl.pem
                 # Use of these flags requires Net_SSLeay-1.21 or later
                 #EAPTLS_CRLCheck
                 #EAPTLS_CRLFile %D/certificates/crl.pem
                 #EAPTLS_CRLFile %D/certificates/revocations.pem

                 # Some clients, depending on their configuration, may 
require you to specify
                 # MPPE send and receive keys. This _will_ be required 
if you select
                 # 'Keys will be generated automatically for data 
privacy' in the Funk Odyssey
                 # client Network Properties dialog.
                 # Automatically sets MS-MPPE-Send-Key and 
MS-MPPE-Recv-Key
                 # in the final Access-Accept
                 AutoMPPEKeys

                 # You can enable some warning messages from the 
Net::SSLeay
                 # module by setting SSLeayTrace to an integer from 1 to 
4
                 # 1=ciphers, 2=trace, 3=dump data
                 #SSLeayTrace 4

                 # You can configure the User-Name that will be used for 
the inner
                 # authentication. Defaults to 'anonymous'. This can be 
useful
                 # when proxying the inner authentication. If tehre is a 
realm, it can
                 # be used to choose a local Realm to handle the inner 
authentication.
                 # %0 is replaced with the EAP identitiy
                 # EAPAnonymous anonymous at some.other.realm

                 # You can enable or disable support for TTLS Session 
Resumption and
                 # PEAP Fast Reconnect with the EAPTLS_SessionResumption 
flag.
                 # Default is enabled
                 #EAPTLS_SessionResumption 0

                 # You can limit how long after the initial session that 
a session can be resumed
                 # with EAPTLS_SessionResumptionLimit (time in seconds). 
Defaults to 43200
                 # (12 hours)
                 #EAPTLS_SessionResumptionLimit 10

                 # You can use CheckAttr,ReplyAttr and AuthAttrDef
                 # to specify check and reply attributes int eh LDAP
                 # database. See the reference manual for more
                 # information

                 # These are the classic things to add to each users
                 # reply to allow a PPP dialup session. It may be
                 # different for your NAS. This will add some
                 # reply items to everyone's reply
                 AddToReply Framed-Protocol = PPP,\
                         Framed-IP-Netmask = 255.255.255.255,\
                         Framed-Routing = None,\
                         Framed-MTU = 1500,\
                         Framed-Compression = Van-Jacobson-TCP-IP

                 # You can enable debugging of the Net::LDAP
                 # module with this:
                 Debug 255
         </AuthBy>

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list