(RADIATOR) Error authenticating with Active Directory

Mike McCauley mikem at open.com.au
Wed Sep 8 22:20:18 CDT 2004


Hello Elena,

We do not think that you will be able to use AuthBy ADSI with TTLS wireless 
authentication like this. We are sure you cannot use it with PEAP or LEAP.

You should instead use the AuthBy LSA authenticator, which is compatible with 
all versions of LEAP, PEAP and TTLS.

Cheers.

On Wednesday 08 September 2004 21:24, Elena Alcantud Perez wrote:
> Hi,
>
> I am configuring Radiator with EAP-TTLS/Active Directory
> authentication. My problem is that I can't do right authentication with the
> tunneled user "anonymous", so the process stops and the real user of the
> domain can't be authenticated.
>
> We are running Radiator on XP and we have a Windows 2000 server with Active
> Directory, both of them within the same domain. In the container "Users",
> where we can find all users, I have entered an "anonymous" user.
>
> Changing the configuration of radius and sniffing the packets sent between
> Radiator and W200 server we obtain different captures, neither of them with
> authentication success.
>
> My server is named "w2k-ad.radius.local" and the BindString is associated
> with an existing user in the container. In the debug of the server I see
> that there is an error in "OpenDSObject".
> ---------------------------------------------------------------------------
> --------------------------------
> Wed Sep  8 12:19:55 2004: DEBUG: Packet dump:
> *** Received from xxxxxx port 1645 ....
> Code:       Access-Request
> Identifier: 52
> Authentic:  <148><161>1b<152><253><3>o_<183><244>Up<130>sv
> Attributes:
> 	User-Name = "anonymous at radius.local"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0002.8a78.b876"
> 	Calling-Station-Id = "0004.75bb.554c"
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	Message-Authenticator =
> <150><161>0<0><254><3><181>k<156>J<184><226>Z<144><207>x
> 	EAP-Message = <2><1><0><14><1>anonymous at radius.local
> 	NAS-Port-Type = Virtual
> 	NAS-Port = 212
> 	Service-Type = Login-User
> 	NAS-IP-Address = xxxxxxx
> 	NAS-Identifier = "ap1-cisco"
>
> Fri Sep  3 13:03:08 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Sep  3 13:03:08 2004: DEBUG: Rewrote user name to anonymous
> Fri Sep  3 13:03:08 2004: DEBUG:  Deleting session for
> anonymous at radius.local, xxxxxxxx, 212
> Fri Sep  3 13:03:08 2004: DEBUG: Handling with ASDI
> Fri Sep  3 13:03:08 2004: DEBUG: BindString converted to
> LDAP://w2k-ad.radius.local/cn=anonymous,cn=Users,dc=radius,dc=local
> Fri Sep  3 13:03:08 2004: DEBUG: AuthUser converted to anonymous
> Fri Sep  3 13:03:08 2004: DEBUG: Connecting to namespace: LDAP:
> Fri Sep  3 13:03:08 2004: DEBUG: Running OpenDSObject on
> LDAP://w2k-ad.radius.local/cn=anonymous,cn=Users,dc=radius,dc=local
> Fri Sep  3 13:03:08 2004: DEBUG: Could not get user object:
> Win32::OLE(0.1701) error 0x8002000f: "Parámetro no opcional"
>     in METHOD/PROPERTYGET "OpenDSObject"
> Fri Sep  3 13:03:08 2004: INFO: Access rejected for anonymous: Could not
> find user
> Fri Sep  3 13:03:08 2004: DEBUG: Packet dump:
> *** Sending to 147.84.115.17 port 1645 ....
> Code:       Access-Reject
> Identifier: 25
> Authentic:  <148><161>1b<152><253><3>o_<183><244>Up<130>sv
> Attributes:
> 	Reply-Message = "Could not find user"
>
> ---------------------------------------------------------------------------
>------------------------------------------------
>
> my configuration file is:
>
> ---------------------------------------------------------------------------
>------------------------
>
> Foreground
> LogStdout
> LogDir		c:/Program Files/Radiator
> DbDir		c:/Program Files/Radiator
> Trace           4
>
> AuthPort 1812
> AcctPort 1813
> SocketQueueLength 1000000
> #RewriteUsername	s/^(.*)\\(.*)/$2\@$1/
>
>
> <Client DEFAULT>
>          Secret romea
>          DupInterval 0
> 	   DefaultRealm radius.local
>
> </Client>
>
>
>
> <Realm DEFAULT>
>
> 	# Strips the realm. You will want to do this if your database
> 	# contains usernames without realms
> 	RewriteUsername	s/^([^@]+).*/$1/
>
> 	MaxSessions	2
> 	AcctLogFileName	%L/detail
> 	WtmpFileName %L/wtmp
>
> 	<AuthLog FILE>
> 		Identifier myauthlogger
> 		Filename %L/authlog
> 		LogSuccess 1
> 		LogFailure 1
> 	</AuthLog>
>
> 	RejectHasReason
>
> <AuthBy ADSI>
> 	Identifier ADSI
>
> 	SearchAttribute   userPrincipalName
>
> 	BindString LDAP://w2k-ad.radius.local/cn=%0,cn=Users,dc=radius,dc=local
>
> 	AuthUser  %0
> 	#AuthUser cn=%0,cn=Users,dc=radius,dc=local
>
> 	AuthFlags 0
>
> 	DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
>       AddToReply Reply-Message=hello
> 	RcryptKey romea
>
>      EAPType                         TTLS, TLS
>       .....
>    ***All  EAPTLS parameters are ok -->TTLS with Authby File works
>
>       EAPAnonymous                	 anonymous
>      AutoMPPEKeys
>
> 	</AuthBy>
>
>
>
> </Realm>
>
> <Handler TunnelledByTTLS=1>
>      AuthBy ADSI
> </Handler>
>
> ---------------------------------------------------------------------------
> ---------------------
>
> With the mail, there are two Ethereal captures with
> different results:
>
> ldap-authuser%0 --> When in radius.cnf AuthUser
> cn=%0,cn=Users,dc=radius,dc=local is commented, it says  no object found
>
> ldap-authuserdn (filter = ldap)--> When in radius.cnf AuthUser %0 is
> commented, seems a policy problem
>
>
>
> It seems to me that everything is ok but .....not.
>
>
> Thank you for your help
>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
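The debug output quoted in the thread is the usual way a Radiator failure like this gets diagnosed: an Access-Request packet dump, the "Handling with ..." line naming the AuthBy clause, a backend error (here Win32::OLE's OpenDSObject failure), the INFO "Access rejected" line with its reason, and the Access-Reject dump. The parser below is an added example, not code from the thread or from Radiator: it turns that Trace 4 output into one record per request so that rejections and their backend error codes can be triaged from a log file rather than by reading it by hand. The sample log is constructed from the quoted output with placeholder addresses, the RADIUS Identifier made to match between request and reply, and the Spanish OLE message rendered in ASCII.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Radiator Trace 4 output (addresses are placeholders).
SAMPLE_LOG = """\
Fri Sep  3 13:03:08 2004: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 1645 ....
Code:       Access-Request
Identifier: 52
Authentic:  <148><161>1b<152><253><3>o_<183><244>Up<130>sv
Attributes:
\tUser-Name = "anonymous@radius.local"
\tCalling-Station-Id = "0004.75bb.554c"
\tNAS-Port-Type = Wireless-IEEE-802-11
\tNAS-Identifier = "ap1-cisco"

Fri Sep  3 13:03:08 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Sep  3 13:03:08 2004: DEBUG: Handling with ASDI
Fri Sep  3 13:03:08 2004: DEBUG: Could not get user object:
Win32::OLE(0.1701) error 0x8002000f: "Parametro no opcional"
    in METHOD/PROPERTYGET "OpenDSObject"
Fri Sep  3 13:03:08 2004: INFO: Access rejected for anonymous: Could not find user
Fri Sep  3 13:03:08 2004: DEBUG: Packet dump:
*** Sending to 192.0.2.10 port 1645 ....
Code:       Access-Reject
Identifier: 52
Attributes:
\tReply-Message = "Could not find user"
"""

TS_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}: (DEBUG|INFO|WARNING|ERR): (.*)$")
PEER_RE = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?(.*?)"?$')
REJECT_RE = re.compile(r"^Access rejected for (\S+): (.*)$")
OLE_RE = re.compile(r"error (0x[0-9A-Fa-f]+)")  # Win32::OLE HRESULT in the message


@dataclass
class Packet:
    direction: str            # "in" (Received from) or "out" (Sending to)
    peer: str                 # "host:port" of the NAS
    code: str = ""
    identifier: int = -1
    attrs: dict = field(default_factory=dict)


def parse_trace(text):
    """Return an ordered list of events: packets, AuthBy names, rejections, backend errors."""
    events, pkt, in_attrs = [], None, False
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:                              # any timestamped line ends a packet dump
            pkt, in_attrs = None, False
            msg = m.group(2)
            r = REJECT_RE.match(msg)
            if r:
                events.append(("reject", r.group(1), r.group(2)))
            elif msg.startswith("Handling with "):
                events.append(("authby", msg[len("Handling with "):]))
            continue
        p = PEER_RE.match(line)
        if p:                              # "*** Received from ..." opens a packet
            pkt = Packet("in" if p.group(1) == "Received from" else "out",
                         f"{p.group(2)}:{p.group(3)}")
            events.append(("packet", pkt))
            continue
        if pkt is not None:
            if line.startswith("Code:"):
                pkt.code = line.split(":", 1)[1].strip()
            elif line.startswith("Identifier:"):
                pkt.identifier = int(line.split(":", 1)[1])
            elif line.startswith("Attributes:"):
                in_attrs = True
            elif in_attrs:
                a = ATTR_RE.match(line)
                if a:
                    pkt.attrs[a.group(1)] = a.group(2)
                else:                      # blank line closes the attribute list
                    pkt, in_attrs = None, False
            continue
        o = OLE_RE.search(line)            # untimestamped continuation lines
        if o:
            events.append(("backend_error", o.group(1)))
    return events


def summarize(text):
    """One record per Access-Request, paired with the reply of the same Identifier."""
    results, cur = [], None
    for ev in parse_trace(text):
        if ev[0] == "packet":
            pkt = ev[1]
            if pkt.direction == "in" and pkt.code == "Access-Request":
                cur = {"identifier": pkt.identifier, "nas": pkt.attrs.get("NAS-Identifier", ""),
                       "user": pkt.attrs.get("User-Name", ""),
                       "calling_station": pkt.attrs.get("Calling-Station-Id", ""),
                       "authby": None, "outcome": None, "reason": None, "backend_error": None}
                results.append(cur)
            elif cur is not None and pkt.direction == "out" and pkt.identifier == cur["identifier"]:
                cur["outcome"] = pkt.code
                cur["reason"] = cur["reason"] or pkt.attrs.get("Reply-Message")
                cur = None
        elif cur is not None:
            if ev[0] == "authby":
                cur["authby"] = ev[1]
            elif ev[0] == "reject":
                cur["reason"] = ev[2]
            elif ev[0] == "backend_error":
                cur["backend_error"] = ev[1]
    return results


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec)
```

Run against a real Trace 4 log, a rejection whose record carries a `backend_error` (as here, where the directory lookup itself failed before any password was checked) is a configuration or backend problem rather than a bad credential, and is the line to chase first.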

