(RADIATOR) Authentication with Active Directory Server using EAP-TTLS
Hugh Irvine
hugh at open.com.au
Sat Sep 4 18:27:58 CDT 2004
Hello Elena -
You will need "anonymous" in the LDAP server, not
"anonymous@radius.local".
This is because you are doing a RewriteUsername to remove
"@radius.local".
You can see in the debug that "anonymous" is not being found in the
LDAP database.
regards
Hugh
On 3 Sep 2004, at 21:28, Elena Alcantud Perez wrote:
> Hi,
>
> We are configuring Radiator (on Windows XP) for wireless
> authentication (802.1x/EAP-TTLS) in a large enterprise. We use Active
> Directory for every user in our domain and we have not got the right
> configuration of the server to connect to the Windows 2000 server.
>
> Until now it has worked perfectly with local users, so the problem
> doesn't seem to be the TTLS part.
> Here is the debug and the radius configuration considering
> "radius.local" as our real realm.
>
> I don't know whether, as "ldapserver", we have to put the IP address
> of the server or its name.
> We have entered "anonymous@radius.local" for establishing the TLS
> tunnel.
>
> Radius configuration:
>
>
> Foreground
> LogStdout
> LogDir c:/Program Files/Radiator
> DbDir c:/Program Files/Radiator
> Trace 4
>
> AuthPort 1812
> AcctPort 1813
> SocketQueueLength 1000000
> #RewriteUsername s/^(.*)\\(.*)/$2\@$1/
>
>
> <Client DEFAULT>
> Secret romea
> DupInterval 0
> DefaultRealm carm.es
>
> </Client>
>
>
>
> <Realm DEFAULT>
> # RewriteUsername allows you to alter the User-Name in
> # request before further processing. This one
> # Strips the realm. You will want to do this if your database
> # contains usernames without realms
> RewriteUsername s/^([^@]+).*/$1/
> # This one translates all uppercase chars to lowercase
> #RewriteUsername tr/[A-Z]/[a-z]/
> MaxSessions 2
> AcctLogFileName %L/detail
> WtmpFileName %L/wtmp
>
> <AuthLog FILE>
> Identifier myauthlogger
> Filename %L/authlog
> LogSuccess 1
> LogFailure 1
> </AuthLog>
>
> RejectHasReason
>
> <AuthBy ADSI>
> Identifier ADSI
>
> #SearchAttribute userPrincipalName
>
> BindString LDAP://Server-IP-address/cn=%0,cn=Users,dc=radius,dc=local
>
> AuthUser %0@radius.local
>
> AuthFlags 0
>
> DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
> AddToReply Reply-Message=hello
> RcryptKey XXXXX
>
> EAPType TTLS, TLS
> EAPTLS_MaxFragmentSize 1000
> EAPTLS_CAFile C:\Documents and Settings\eap96l\Escritorio\certs\demoCA\cacert.pem
> EAPTLS_CertificateType PEM
> EAPTLS_CertificateFile C:\Documents and Settings\eap96l\Escritorio\certs\radius.pem
> EAPTLS_PrivateKeyFile C:\Documents and Settings\eap96l\Escritorio\certs\radius.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_RandomFile C:\Documents and Settings\eap96l\Escritorio\certs\random
> EAPTLS_DHFile C:\Documents and Settings\eap96l\Escritorio\certs\dh
> EAPTLS_SessionResumption 0
> EAPAnonymous anonymous@radius.local
> AutoMPPEKeys
>
> </AuthBy>
>
>
>
> </Realm>
>
> <Handler TunnelledByTTLS=1>
> AuthBy BY_FILE
> </Handler>
>
>
> Log:
>
>
> Fri Sep 3 13:03:08 2004: DEBUG: Packet dump:
> *** Received from xxxxxxx port 1645 ....
> Code: Access-Request
> Identifier: 25
> Authentic: <148><161>1b<152><253><3>o_<183><244>Up<130>sv
> Attributes:
> User-Name = "anonymous"
> Framed-MTU = 1400
> Called-Station-Id = "0002.8a78.b876"
> Calling-Station-Id = "0004.75bb.554c"
> NAS-Port-Type = Wireless-IEEE-802-11
> Message-Authenticator =
> <150><161>0<0><254><3><181>k<156>J<184><226>Z<144><207>x
> EAP-Message = <2><1><0><14><1>anonymous
> NAS-Port-Type = Virtual
> NAS-Port = 71
> Service-Type = Login-User
> NAS-IP-Address = xxxxxxxx
> NAS-Identifier = "ap1-cisco"
>
> Fri Sep 3 13:03:08 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Sep 3 13:03:08 2004: DEBUG: Rewrote user name to anonymous
> Fri Sep 3 13:03:08 2004: DEBUG: Deleting session for anonymous,
> xxxxxxx, 71
> Fri Sep 3 13:03:08 2004: DEBUG: Handling with ASDI
> Fri Sep 3 13:03:08 2004: DEBUG: BindString converted to LDAP://147.84.115.18/cn=anonymous,cn=Users,dc=radius,dc=local
> Fri Sep 3 13:03:08 2004: DEBUG: AuthUser converted to anonymous@radius.local
> Fri Sep 3 13:03:08 2004: DEBUG: Connecting to namespace: LDAP:
> Fri Sep 3 13:03:08 2004: DEBUG: Running OpenDSObject on
> LDAP://147.84.115.18/cn=anonymous,cn=Users,dc=radius,dc=local
> Fri Sep 3 13:03:08 2004: DEBUG: Could not get user object:
> Win32::OLE(0.1701) error 0x8002000f: "Parámetro no opcional" (Spanish: "Parameter not optional")
> in METHOD/PROPERTYGET "OpenDSObject"
> Fri Sep 3 13:03:08 2004: INFO: Access rejected for anonymous: Could
> not find user
> Fri Sep 3 13:03:08 2004: DEBUG: Packet dump:
> *** Sending to 147.84.115.17 port 1645 ....
> Code: Access-Reject
> Identifier: 25
> Authentic: <148><161>1b<152><253><3>o_<183><244>Up<130>sv
> Attributes:
> Reply-Message = "Could not find user"
>
>
>
> Thank you
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
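To make the mechanism behind Hugh's answer concrete, here is an added example (written for this page; it is not Radiator's code and not something either poster supplied). It emulates what the posted config does to the User-Name before AuthBy ADSI looks it up: the RewriteUsername expressions in the DEFAULT Realm run first, then %0 in BindString and AuthUser is replaced by the rewritten name, as the trace shows. Note that in this config the outer EAP identity ("anonymous") is the one that reaches AuthBy ADSI; the inner identity is only seen by the Handler TunnelledByTTLS=1. The directory contents are a constructed stand-in, only the s/// form of RewriteUsername is emulated (the tr/// lowercase line is not), and %0 expansion is reduced to the single substitution the log shows; all of those are assumptions of the example, not statements about Radiator.

```python
import re
from typing import Dict, Iterable, Set, Tuple

# The two RewriteUsername lines from the posted config. The second one is
# commented out there; it is included to show the DOMAIN\user case as well.
STRIP_REALM = r"s/^([^@]+).*/$1/"
DOMAIN_TO_REALM = r"s/^(.*)\\(.*)/$2\@$1/"

# Templates from the posted <AuthBy ADSI>. %0 is what the debug log shows
# being replaced with the (already rewritten) User-Name.
BIND_STRING = "LDAP://Server-IP-address/cn=%0,cn=Users,dc=radius,dc=local"
AUTH_USER = "%0@radius.local"

# Constructed stand-in for the cn values present in the directory. This is an
# assumption made for the example, not a dump of any real Active Directory.
CONSTRUCTED_DIRECTORY_CNS: Set[str] = {"anonymous@radius.local", "alice"}


def split_perl_subst(expr: str) -> Tuple[str, str, str]:
    """Split a Perl-style s/pattern/replacement/flags on unescaped delimiters."""
    if len(expr) < 4 or expr[0] != "s":
        raise ValueError(f"not an s/// expression: {expr!r}")
    delim = expr[1]
    parts, buf, i = [], [], 2
    while i < len(expr) and len(parts) < 2:
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):  # keep escape pairs intact
            buf.append(ch + expr[i + 1])
            i += 2
            continue
        if ch == delim:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) != 2:
        raise ValueError(f"unterminated s/// expression: {expr!r}")
    return parts[0], parts[1], expr[i:]


def perl_subst_to_python(expr: str) -> Tuple[str, str, int, int]:
    """Translate s/// into (pattern, replacement, re flags, count) for re.sub."""
    pattern, repl, flags = split_perl_subst(expr)
    # Perl's "\@" is just a literal "@"; Perl's $1 is Python's \g<1>.
    repl = repl.replace(r"\@", "@")
    repl = re.sub(r"\$(\d+)", r"\\g<\1>", repl)
    re_flags = re.IGNORECASE if "i" in flags else 0
    count = 0 if "g" in flags else 1  # Perl replaces once unless /g is given
    return pattern, repl, re_flags, count


def rewrite_username(user_name: str, rewrites: Iterable[str]) -> str:
    """Apply RewriteUsername expressions in order, like the Realm does."""
    for expr in rewrites:
        pattern, repl, re_flags, count = perl_subst_to_python(expr)
        user_name = re.sub(pattern, repl, user_name, count=count, flags=re_flags)
    return user_name


def expand_user(template: str, user_name: str) -> str:
    """Expand %0 (the rewritten User-Name) in BindString / AuthUser."""
    return template.replace("%0", user_name)


def trace_lookup(user_name: str, rewrites: Iterable[str],
                 directory_cns: Set[str]) -> Dict[str, object]:
    """Show what name AuthBy ADSI would end up searching for, and whether
    that name exists as a cn in the (constructed) directory."""
    rewritten = rewrite_username(user_name, rewrites)
    return {
        "rewritten": rewritten,
        "bind_string": expand_user(BIND_STRING, rewritten),
        "auth_user": expand_user(AUTH_USER, rewritten),
        "found": rewritten in directory_cns,
    }


if __name__ == "__main__":
    rewrites = [DOMAIN_TO_REALM, STRIP_REALM]
    for name in ("anonymous@radius.local", "RADIUS\\alice", "alice@carm.es"):
        print(name, "->", trace_lookup(name, rewrites, CONSTRUCTED_DIRECTORY_CNS))
```

Running it shows the mismatch from the thread: the outer identity "anonymous@radius.local" is rewritten to "anonymous", so the BindString becomes cn=anonymous,... and the lookup fails when the directory only holds a cn of "anonymous@radius.local". Adding an object whose cn is "anonymous" (or removing the realm-stripping rewrite) is what makes the two sides agree.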