(RADIATOR) Authentication with Active Directory Server using EAP-TTLS

Hugh Irvine hugh at open.com.au
Sat Sep 4 18:27:58 CDT 2004


Hello Elena -

You will need "anonymous" in the LDAP server, not  
"anonymous at radius.local".

This is because you are doing a RewriteUsername to remove  
"@radius.local".

You can see in the debug that "anonymous" is not being found in the  
LDAP database.

regards

Hugh


On 3 Sep 2004, at 21:28, Elena Alcantud Perez wrote:

> Hi,
>
> We are configuring Radiator (on Windows XP) for wireless  
> authentication (802.1x/EAP-TTLS) in a large enterprise. We use Active  
> Directory for every user in our domain and we have not got the right  
> configuration of the server to connect to the Windows 2000 server.
>
> Till now, it has worked perfectly with local users, so the problem  
> doesn't seem to be the TTLS part.
> Here is the debug and the radius configuration considering  
> "radius.local" as our real realm.
>
> I don't know if as "ldapserver" we have to put the IP address of the  
> server or its name.
> We have entered "anonymous at radius.local" for establishing the TLS  
> tunnel.
>
> Radius configuration:
>
>
> Foreground
> LogStdout
> LogDir		c:/Program Files/Radiator
> DbDir		c:/Program Files/Radiator
> Trace           4
>
> AuthPort 1812
> AcctPort 1813
> SocketQueueLength 1000000
> #RewriteUsername	s/^(.*)\\(.*)/$2\@$1/
>
>
> <Client DEFAULT>
>         Secret romea
>         DupInterval 0
> 	   DefaultRealm carm.es
>
> </Client>
>
>
>
> <Realm DEFAULT>
> 	  # RewriteUsername allows you to alter the User-Name in
> 	# request before  further processing. This one
> 	# Strips the realm. You will want to do this if your database
> 	# contains usernames without realms
> 	RewriteUsername	s/^([^@]+).*/$1/
> 	# This one translates all uppercase chars to lowercase
> 	#RewriteUsername	tr/[A-Z]/[a-z]/
> 	MaxSessions	2
> 	AcctLogFileName	%L/detail
> 	WtmpFileName %L/wtmp
>
> 	<AuthLog FILE>
> 		Identifier myauthlogger
> 		Filename %L/authlog
> 		LogSuccess 1
> 		LogFailure 1
> 	</AuthLog>
>
> 	RejectHasReason
>
> <AuthBy ADSI>
> 	Identifier ADSI
>
> 	#SearchAttribute   userPrincipalName
>
> 	BindString LDAP://Server-IP-address/cn=%0,cn=Users,dc=radius,dc=local
>
> 	AuthUser  %0 at radius.local
>
> 	AuthFlags 0
>
> 	DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
>      AddToReply Reply-Message=hello
> 	 RcryptKey XXXXX
>
>     EAPType                         TTLS, TLS
>     EAPTLS_MaxFragmentSize          1000
>     EAPTLS_CAFile                   C:\Documents and  
> Settings\eap96l\Escritorio\certs\demoCA\cacert.pem
>     EAPTLS_CertificateType          PEM
>     EAPTLS_CertificateFile          C:\Documents and  
> Settings\eap96l\Escritorio\certs\radius.pem
>     EAPTLS_PrivateKeyFile           C:\Documents and  
> Settings\eap96l\Escritorio\certs\radius.pem
>     EAPTLS_PrivateKeyPassword       whatever
>     EAPTLS_RandomFile 	 C:\Documents and  
> Settings\eap96l\Escritorio\certs\random
>     EAPTLS_DHFile 		 C:\Documents and  
> Settings\eap96l\Escritorio\certs\dh
>     EAPTLS_SessionResumption 	 0
>     EAPAnonymous                	 anonymous at radius.local
>     AutoMPPEKeys
>
> 	</AuthBy>
>
>
>
> </Realm>
>
> <Handler TunnelledByTTLS=1>
>     AuthBy BY_FILE
> </Handler>
>
>
> Log:
>
>
> Fri Sep  3 13:03:08 2004: DEBUG: Packet dump:
> *** Received from xxxxxxx port 1645 ....
> Code:       Access-Request
> Identifier: 25
> Authentic:  <148><161>1b<152><253><3>o_<183><244>Up<130>sv
> Attributes:
> 	User-Name = "anonymous"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0002.8a78.b876"
> 	Calling-Station-Id = "0004.75bb.554c"
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	Message-Authenticator =  
> <150><161>0<0><254><3><181>k<156>J<184><226>Z<144><207>x
> 	EAP-Message = <2><1><0><14><1>anonymous
> 	NAS-Port-Type = Virtual
> 	NAS-Port = 71
> 	Service-Type = Login-User
> 	NAS-IP-Address = xxxxxxxx
> 	NAS-Identifier = "ap1-cisco"
>
> Fri Sep  3 13:03:08 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Fri Sep  3 13:03:08 2004: DEBUG: Rewrote user name to anonymous
> Fri Sep  3 13:03:08 2004: DEBUG:  Deleting session for anonymous,  
> xxxxxxx, 71
> Fri Sep  3 13:03:08 2004: DEBUG: Handling with ASDI
> Fri Sep  3 13:03:08 2004: DEBUG: BindString converted to  
> LDAP://147.84.115.18/cn=anonymous,cn=Users,dc=radius,dc=local
> Fri Sep  3 13:03:08 2004: DEBUG: AuthUser converted to  
> anonymous at radius.local
> Fri Sep  3 13:03:08 2004: DEBUG: Connecting to namespace: LDAP:
> Fri Sep  3 13:03:08 2004: DEBUG: Running OpenDSObject on  
> LDAP://147.84.115.18/cn=anonymous,cn=Users,dc=radius,dc=local
> Fri Sep  3 13:03:08 2004: DEBUG: Could not get user object:  
> Win32::OLE(0.1701) error 0x8002000f: "Parámetro no opcional"
>    in METHOD/PROPERTYGET "OpenDSObject"
> Fri Sep  3 13:03:08 2004: INFO: Access rejected for anonymous: Could  
> not find user
> Fri Sep  3 13:03:08 2004: DEBUG: Packet dump:
> *** Sending to 147.84.115.17 port 1645 ....
> Code:       Access-Reject
> Identifier: 25
> Authentic:  <148><161>1b<152><253><3>o_<183><244>Up<130>sv
> Attributes:
> Reply-Message = "Could not find user"
>
>
>
> Thank you
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
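To make Hugh's point concrete, here is an added example (not Radiator's code and not from either poster) that models the two RewriteUsername rules from the quoted configuration and the %0 substitution into BindString and AuthUser, then checks the resulting cn against a constructed set of directory entries. The list archive renders "@" as " at ", so the real realm separator is used below.

```python
import re

# Constructed model of Radiator's RewriteUsername and %0 expansion, written
# for this thread; it is not Radiator code and does not talk to a directory.

# Rewrite rules from the quoted radius.cfg, in Perl s/// form. The first is
# the commented-out DOMAIN\user -> user@DOMAIN rule; the second is the active
# rule in <Realm DEFAULT> that strips everything from the first "@" onward.
DOMAIN_RULE = (re.compile(r"^(.*)\\(.*)"), r"\2@\1")
STRIP_REALM_RULE = (re.compile(r"^([^@]+).*"), r"\1")

# Templates taken from the quoted <AuthBy ADSI> clause; %0 is the user name
# after rewriting, which Radiator substitutes before the LDAP lookup.
BIND_STRING = "LDAP://Server-IP-address/cn=%0,cn=Users,dc=radius,dc=local"
AUTH_USER = "%0@radius.local"


def rewrite_username(user, rules=(STRIP_REALM_RULE,)):
    """Apply each RewriteUsername rule once, in order (Perl s/// with no /g)."""
    for pattern, replacement in rules:
        user = pattern.sub(replacement, user, count=1)
    return user


def expand(template, user):
    """Substitute %0 with the rewritten User-Name, as Radiator does."""
    return template.replace("%0", user)


def user_object_found(directory_cns, outer_identity):
    """Return (bind DN, found) for an outer EAP identity against a constructed
    set of AD 'cn' values, mirroring the OpenDSObject lookup in the log."""
    name = rewrite_username(outer_identity)
    bind_dn = expand(BIND_STRING, name)
    # The DN's leading RDN is "cn=<name>", so the lookup succeeds only if the
    # directory has an object whose cn is exactly the stripped name.
    rdn = bind_dn.split("/", 3)[3].split(",", 1)[0]
    return bind_dn, rdn[len("cn="):] in directory_cns


if __name__ == "__main__":
    # Constructed directories: the poster's object vs. what Hugh recommends.
    for cns in ({"anonymous@radius.local"}, {"anonymous"}):
        dn, ok = user_object_found(cns, "anonymous@radius.local")
        print(sorted(cns), "->", dn, "found" if ok else "Could not find user")
```
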

