(RADIATOR) About: Using AD authentication in Radiator
Hugh Irvine
hugh at open.com.au
Fri Apr 8 18:20:41 CDT 2005
Hello Jhonny -
In this situation it really is much simpler to run Radiator on Windows
with LSA.
regards
Hugh
On 9 Apr 2005, at 01:55, Jhonny Freire de Oliveira wrote:
> I’m using Radiator (under Linux) to authenticate on a Win2003 AD using
> PEAP-MSCHAPV2 (typical on MS WinXP, and most of the clients use it,
> 99%).
>
> It as been a while since this was last discussed, is there any
> workaround or patch for this? (I really want to use Radiator under
> Linux)
>
>
>
> Best regards,
>
> Jhonny Freire de Oliveira
>
>
>
>
> • To: "Jimenez, Roman" <roman.jimenez at xxxxxxxxxxxxxxxxxxxxxxxxxx>
> • Subject: Re: (RADIATOR) Using AD authentication in Radiator
> • From: Hugh Irvine <hugh at xxxxxxxxxxx>
> • Date: Wed, 23 Feb 2005 09:00:22 +1100
> • Cc: Mike McCauley <mikem at xxxxxxxxxxx>, radiator at xxxxxxxxxxx
> • In-reply-to:
> <7CA73B1A82A7084DB06899DF9AD426940762EB at wed-ex1.wed.dresser.com>
> • List-id: <radiator.list-id.open.com.au>
> • References:
> <7CA73B1A82A7084DB06899DF9AD426940762EB at wed-ex1.wed.dresser.com>
> • Sender: owner-radiator at xxxxxxxxxxx
>
> size=2 width="100%" align=center>
>
>
> Hello Roman -
>
> In that case I would suggest you run Radiator on Windows and use the
> AuthBy LSA clause.
>
> Otherwise you will need to use ethereal (or similar) to watch the
> radius transactions to and from IAS then configure Radiator to do the
> same thing.
>
> I'm guessing that AuthBy LSA on Windows is the simpler option.
>
> regards
>
> Hugh
>
>
> On 23 Feb 2005, at 02:09, Jimenez, Roman wrote:
>
> The client is a symbol wireless switch ws-5000 and unfortunately there
> is
> not a lot of configuration I can change on it, just the ports it goes
> to for
> radius authentication. I has worked fine with a Microsoft IAS server
> but I
> would like to make it work with radiator, since until now Radiator has
> been
> our production radius server until now.
>
> I would appreciate any input from anybody who has worked with this
> kind of
> wireless switches.
>
> Thanks,
>
> Roman Jimenez
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at xxxxxxxxxxx]
> Sent: Monday, February 21, 2005 7:19 PM
> To: Jimenez, Roman
> Cc: Hugh Irvine; radiator at xxxxxxxxxxx
> Subject: Re: Fwd: (RADIATOR) Using AD authentication in Radiator
>
>
> Hello Roman,
>
>
> On Tuesday 22 February 2005 10:07, Hugh Irvine wrote:
>
>
> Begin forwarded message:
> From: "Jimenez, Roman" <roman.jimenez at xxxxxxxxxxxxxxxxxxxxxxxxxx>
> Date: 22 February 2005 01:13:13 GMT+11:00
> To: Hugh Irvine <hugh at xxxxxxxxxxx>
> Cc: radiator at xxxxxxxxxxx
> Subject: RE: (RADIATOR) Using AD authentication in Radiator
>
>
> Hugh,
> Thanks for the reply. I am including the log file and my
> configuration fiel as an attachment to this message. I hope that
> will give you an idea of what I am doing wrong.
>
>
> The problem here is that you are trying to get the users a password
> from AD
> using LDAP. It is not possible to do this (as far as we know: AD does
> not
> allow access to the users password by LDAP), so your LDAP query is not
> getting the users password, and therefore the MSCHAPV2 authentication
> is
> failing.
>
> If you intend to authenticate PEAP-MSCHAPV2 using AD, you will have to
> use
> AuthBy LSA, not AuthBy LDAP2. This in turn will limit you to running
> Radiator on Windows.
>
> The 'Access rejected for anonymous:' message is referring to the
> User-Name
> in the inner request. In fact, it is actually accessing the LDAP
> record for
> Roman.Jimenez, derived from the EAP identity of the inner request.
>
> BTW, it is unusual for the inner request to have user name of
> anonymous,
> while the outer has the users real name. What client are you using?
> Are you
> sure you have it configured correctly?
>
> Cheers.
>
>
>
>
> Thanks again,
>
>
> Roman Jimenez
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at xxxxxxxxxxx]
> Sent: Friday, February 18, 2005 11:36 PM
> To: Jimenez, Roman
> Cc: radiator at xxxxxxxxxxx
> Subject: Re: (RADIATOR) Using AD authentication in Radiator
>
>
>
> Hello Roman -
> EAP authentication comprises two stages - the first (outer request)
> for "anonymous" and a second (inner request) for the actual username.
>
>
> Have a look at the examples in "goodies/eap_*.cfg" in the Radiator
> 3.11 distribution.
>
>
> There may also be a problem with MS-CHAPv2, but I can't tell without
> seeing your configuration file and a more complete trace 4 debug.
>
>
> regards
>
> Hugh
>
> On 17 Feb 2005, at 21:52, Jimenez, Roman wrote:
>
> Hi all,
> I am trying to configure our Radiator server to authenticate
> against our Active Directory as an LDAP V.2. and I am getting an
> "access rejected for anonymous..." in the log fine. I am including
> an extract of the logs, it seems that the ldap query for the user
> comes back fine though. I would appreciate any help in resolving this
>
> issue:
>
>
> Thu Feb 17 12:33:48 2005: INFO: Connecting to 10.121.15.81, port
> 389
>
>
> Thu Feb 17 12:33:48 2005: INFO: Attempting to bind to LDAP server
> 10.121.15.81:389)
>
>
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got result for CN=Roman
> Jimenez,OU=X,,DC=y,DC=z,DC=com
>
>
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got objectClass: top person
> organizationalPerson user
>
>
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got cn: Roman Jimenez
>
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got description: IT
>
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got distinguishedName: CN=
>
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got instanceType: 4
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got whenCreated:
> 20041216181343.0Z
>
>
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got whenChanged:
> 20041216194601.0Z
>
>
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got displayName: Roman
> Jimenez
>
>
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got uSNCreated: 95721
>
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got memberOf: CN=
> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got userPrincipalName:
> Roman.Jimenez
>
>
> Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 looks for match
> with Roman.Jimenez
>
>
> Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Thu Feb 17 12:33:48 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2
> Authentication failure
>
>
> Thu Feb 17 12:33:48 2005: INFO: Access rejected for anonymous: EAP
> MSCHAP-V2 Authentication failure
>
>
> Roman Jimenez
>
>
>
> NB:
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
>
> NB:
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
> --
> Mike McCauley mikem at xxxxxxxxxxx
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at xxxxxxxxxxx
> To unsubscribe, email 'majordomo at xxxxxxxxxxx' with
> 'unsubscribe radiator' in the body of the message.
> size=2 width="100%" align=center>
>
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list