(RADIATOR) About: Using AD authentication in Radiator
Jhonny Freire de Oliveira
joliveira at correio.reitoria.ul.pt
Fri Apr 8 10:55:21 CDT 2005
I'm using Radiator (under Linux) to authenticate on a Win2003 AD using
PEAP-MSCHAPV2 (typical on MS WinXP, and most of the clients use it, 99%).
It has been a while since this was last discussed; is there any workaround or
patch for this? (I really want to use Radiator under Linux.)
Best regards,
Jhonny Freire de Oliveira
* To: "Jimenez, Roman" <roman.jimenez at xxxxxxxxxxxxxxxxxxxxxxxxxx>
* Subject: Re: (RADIATOR) Using AD authentication in Radiator
* From: Hugh Irvine <hugh at xxxxxxxxxxx>
* Date: Wed, 23 Feb 2005 09:00:22 +1100
* Cc: Mike McCauley <mikem at xxxxxxxxxxx>, radiator at xxxxxxxxxxx
* In-reply-to: <7CA73B1A82A7084DB06899DF9AD426940762EB at wed-ex1.wed.dresser.com> (http://www.open.com.au/archives/radiator/2005-02/msg00146.html)
* List-id: <radiator.list-id.open.com.au>
* References: <7CA73B1A82A7084DB06899DF9AD426940762EB at wed-ex1.wed.dresser.com>
* Sender: owner-radiator at xxxxxxxxxxx
Hello Roman -
In that case I would suggest you run Radiator on Windows and use the AuthBy
LSA clause.
Otherwise you will need to use ethereal (or similar) to watch the radius
transactions to and from IAS then configure Radiator to do the same thing.
I'm guessing that AuthBy LSA on Windows is the simpler option.
regards
Hugh
On 23 Feb 2005, at 02:09, Jimenez, Roman wrote:
The client is a Symbol wireless switch WS-5000 and unfortunately there is
not a lot of configuration I can change on it, just the ports it goes to for
RADIUS authentication. It has worked fine with a Microsoft IAS server but I
would like to make it work with Radiator, since until now Radiator has been
our production RADIUS server.
I would appreciate any input from anybody who has worked with this kind of
wireless switches.
Thanks,
Roman Jimenez
-----Original Message-----
From: Mike McCauley [mailto:mikem at xxxxxxxxxxx]
Sent: Monday, February 21, 2005 7:19 PM
To: Jimenez, Roman
Cc: Hugh Irvine; radiator at xxxxxxxxxxx
Subject: Re: Fwd: (RADIATOR) Using AD authentication in Radiator
Hello Roman,
On Tuesday 22 February 2005 10:07, Hugh Irvine wrote:
Begin forwarded message:
From: "Jimenez, Roman" <roman.jimenez at xxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: 22 February 2005 01:13:13 GMT+11:00
To: Hugh Irvine <hugh at xxxxxxxxxxx>
Cc: radiator at xxxxxxxxxxx
Subject: RE: (RADIATOR) Using AD authentication in Radiator
Hugh,
Thanks for the reply. I am including the log file and my
configuration file as an attachment to this message. I hope that
will give you an idea of what I am doing wrong.
The problem here is that you are trying to get the user's password from AD
using LDAP. It is not possible to do this (as far as we know: AD does not
allow access to the user's password by LDAP), so your LDAP query is not
getting the user's password, and therefore the MSCHAPV2 authentication is
failing.
If you intend to authenticate PEAP-MSCHAPV2 using AD, you will have to use
AuthBy LSA, not AuthBy LDAP2. This in turn will limit you to running
Radiator on Windows.
The 'Access rejected for anonymous:' message is referring to the User-Name
in the inner request. In fact, it is actually accessing the LDAP record for
Roman.Jimenez, derived from the EAP identity of the inner request.
BTW, it is unusual for the inner request to have a user name of anonymous,
while the outer has the user's real name. What client are you using? Are you
sure you have it configured correctly?
Cheers.
Thanks again,
Roman Jimenez
-----Original Message-----
From: Hugh Irvine [mailto:hugh at xxxxxxxxxxx]
Sent: Friday, February 18, 2005 11:36 PM
To: Jimenez, Roman
Cc: radiator at xxxxxxxxxxx
Subject: Re: (RADIATOR) Using AD authentication in Radiator
Hello Roman -
EAP authentication comprises two stages - the first (outer request)
for "anonymous" and a second (inner request) for the actual username.
Have a look at the examples in "goodies/eap_*.cfg" in the Radiator
3.11 distribution.
There may also be a problem with MS-CHAPv2, but I can't tell without
seeing your configuration file and a more complete trace 4 debug.
regards
Hugh
On 17 Feb 2005, at 21:52, Jimenez, Roman wrote:
Hi all,
I am trying to configure our Radiator server to authenticate
against our Active Directory as LDAP v2, and I am getting an
"access rejected for anonymous..." in the log file. I am including
an extract of the logs; it seems that the LDAP query for the user
comes back fine though. I would appreciate any help in resolving this
issue:
Thu Feb 17 12:33:48 2005: INFO: Connecting to 10.121.15.81, port 389
Thu Feb 17 12:33:48 2005: INFO: Attempting to bind to LDAP server 10.121.15.81:389)
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got result for CN=Roman Jimenez,OU=X,,DC=y,DC=z,DC=com
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got objectClass: top person organizationalPerson user
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got cn: Roman Jimenez
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got description: IT
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got distinguishedName: CN=
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got instanceType: 4
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got whenCreated: 20041216181343.0Z
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got whenChanged: 20041216194601.0Z
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got displayName: Roman Jimenez
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got uSNCreated: 95721
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got memberOf: CN=
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got userPrincipalName: Roman.Jimenez
Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 looks for match with Roman.Jimenez
Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
Thu Feb 17 12:33:48 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Thu Feb 17 12:33:48 2005: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Roman Jimenez
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Mike McCauley mikem at xxxxxxxxxxx
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at xxxxxxxxxxx
To unsubscribe, email 'majordomo at xxxxxxxxxxx' with
'unsubscribe radiator' in the body of the message.