Fwd: (RADIATOR) Using AD authentication in Radiator
Mike McCauley
mikem at open.com.au
Mon Feb 21 19:19:16 CST 2005
Hello Roman,
On Tuesday 22 February 2005 10:07, Hugh Irvine wrote:
>
> Begin forwarded message:
> > From: "Jimenez, Roman" <roman.jimenez at waukeshaengine.dresser.com>
> > Date: 22 February 2005 01:13:13 GMT+11:00
> > To: Hugh Irvine <hugh at open.com.au>
> > Cc: radiator at open.com.au
> > Subject: RE: (RADIATOR) Using AD authentication in Radiator
> >
> > Hugh,
> > Thanks for the reply. I am including the log file and my configuration
> > file as an attachment to this message. I hope that will give you an idea
> > of what I am doing wrong.
The problem here is that you are trying to get the user's password from AD
using LDAP. It is not possible to do this (as far as we know: AD does not
allow access to the user's password by LDAP), so your LDAP query is not
getting the user's password, and therefore the MSCHAPV2 authentication is
failing.
If you intend to authenticate PEAP-MSCHAPV2 using AD, you will have to use
AuthBy LSA, not AuthBy LDAP2. This in turn will limit you to running Radiator
on Windows.
The 'Access rejected for anonymous:' message is referring to the User-Name in
the inner request. In fact, it is actually accessing the LDAP record for
Roman.Jimenez, derived from the EAP identity of the inner request.
BTW, it is unusual for the inner request to have a user name of anonymous, while
the outer has the user's real name. What client are you using? Are you sure
you have it configured correctly?
Cheers.
> >
> > Thanks again,
> >
> >
> > Roman Jimenez
> >
> >
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: Friday, February 18, 2005 11:36 PM
> > To: Jimenez, Roman
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) Using AD authentication in Radiator
> >
> >
> > Hello Roman -
> >
> > EAP authentication comprises two stages - the first (outer request) for
> > "anonymous" and a second (inner request) for the actual username.
> >
> > Have a look at the examples in "goodies/eap_*.cfg" in the Radiator 3.11
> > distribution.
> >
> > There may also be a problem with MS-CHAPv2, but I can't tell without
> > seeing
> > your configuration file and a more complete trace 4 debug.
> >
> > regards
> >
> > Hugh
> >
> > On 17 Feb 2005, at 21:52, Jimenez, Roman wrote:
> >> Hi all,
> >> I am trying to configure our Radiator server to authenticate against
> >> our Active Directory as an LDAP V.2. and I am getting an "access
> >> rejected for anonymous..." in the log file. I am including an extract
> >> of the logs, it seems that the ldap query for the user comes back fine
> >> though. I would appreciate any help in resolving this issue:
> >>
> >>
> >> Thu Feb 17 12:33:48 2005: INFO: Connecting to 10.121.15.81, port 389
> >>
> >> Thu Feb 17 12:33:48 2005: INFO: Attempting to bind to LDAP server
> >> 10.121.15.81:389)
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got result for CN=Roman
> >> Jimenez,OU=X,,DC=y,DC=z,DC=com
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got objectClass: top person
> >> organizationalPerson user
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got cn: Roman Jimenez
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got description: IT
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got distinguishedName: CN=
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got instanceType: 4
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got whenCreated:
> >> 20041216181343.0Z
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got whenChanged:
> >> 20041216194601.0Z
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got displayName: Roman Jimenez
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got uSNCreated: 95721
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got memberOf: CN=
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got userPrincipalName:
> >> Roman.Jimenez
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 looks for match
> >> with Roman.Jimenez
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2
> >> Authentication failure
> >>
> >> Thu Feb 17 12:33:48 2005: INFO: Access rejected for anonymous: EAP
> >> MSCHAP-V2 Authentication failure
> >>
> >>
> >> Roman Jimenez
> >>
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive
> > (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together
> > with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
> >
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
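An added example, not part of this thread and not Radiator code: a small Python
script that reads trace 4 output in the format quoted above, records which
attributes the LDAP lookup returned, and reports whether any of them could have
supplied the password material that MS-CHAPv2 verification needs. The attribute
list, the function names and the verdict strings are assumptions of the example;
the sample trace is constructed from the lines quoted above.

```python
"""Diagnose the AD-over-LDAP + MS-CHAPv2 mismatch from Radiator trace output.

Added example: not part of the original mailing-list thread and not Radiator
code. It scans trace-4 style lines (timestamp: LEVEL: message), collects the
attributes the LDAP lookup returned, and reports whether any of them could
have given the server the cleartext or NT-hash password that MS-CHAPv2
verification requires. Attribute names and verdict strings are assumptions.
"""
import re

# Attributes an LDAP-backed MS-CHAPv2 check would need (assumed list).
# AD's unicodePwd is write-only over LDAP, so a plain read never returns it.
PASSWORD_ATTRS = {"userpassword", "ntpassword", "unicodepwd", "sambantpassword"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): (?P<level>\w+): (?P<msg>.*)$"
)
# "LDAP got <attr>: <value>"; "LDAP got result for CN=..." has no colon and is skipped.
GOT_RE = re.compile(r"^LDAP got (?P<attr>[A-Za-z][\w-]*): ?(?P<value>.*)$")
REJECT_RE = re.compile(r"^Access rejected for (?P<user>\S+):")

# Constructed sample trace, based on the lines quoted in the thread.
# The whenCreated value is deliberately wrapped onto its own line, as in the quote.
SAMPLE_TRACE = """\
Thu Feb 17 12:33:48 2005: INFO: Connecting to 10.121.15.81, port 389
Thu Feb 17 12:33:48 2005: INFO: Attempting to bind to LDAP server 10.121.15.81:389
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got result for CN=Roman Jimenez,OU=X,DC=y,DC=z,DC=com
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got objectClass: top person organizationalPerson user
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got cn: Roman Jimenez
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got whenCreated:
20041216181343.0Z
Thu Feb 17 12:33:48 2005: DEBUG: LDAP got userPrincipalName: Roman.Jimenez
Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 looks for match with Roman.Jimenez
Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
Thu Feb 17 12:33:48 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Thu Feb 17 12:33:48 2005: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
"""


def parse_trace(text):
    """Split trace output into events; lines without a timestamp prefix are
    treated as wrapped continuations of the previous message."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif events:
            events[-1]["msg"] += " " + line
    return events


def diagnose(events):
    """Summarise what the LDAP lookup returned and classify an MS-CHAPv2 failure."""
    attrs = {}
    mschap_failed = False
    rejected_user = None
    for e in events:
        g = GOT_RE.match(e["msg"])
        if g:
            attrs[g["attr"].lower()] = g["value"]
        if "MSCHAP-V2 Authentication failure" in e["msg"]:
            mschap_failed = True
        r = REJECT_RE.match(e["msg"])
        if r:
            rejected_user = r.group("user")  # outer (EAP identity) user name
    pw_attrs = sorted(PASSWORD_ATTRS & set(attrs))
    if not mschap_failed:
        verdict = "ok"
    elif attrs and not pw_attrs:
        # Record found, but nothing the server could compute an NT response from.
        verdict = "ldap_record_has_no_password_material"
    else:
        verdict = "mschapv2_failed_other_cause"
    return {
        "ldap_attrs": sorted(attrs),
        "password_attrs": pw_attrs,
        "mschapv2_failed": mschap_failed,
        "rejected_user": rejected_user,
        "verdict": verdict,
    }


def diagnose_trace(text):
    """Convenience wrapper: parse then diagnose a block of trace text."""
    return diagnose(parse_trace(text))


if __name__ == "__main__":
    result = diagnose_trace(SAMPLE_TRACE)
    print(result["verdict"], "| attrs:", ", ".join(result["ldap_attrs"]))
```

The verdict "ldap_record_has_no_password_material" is the situation described in the
reply above: the directory lookup succeeds and AuthBy LDAP2 reports ACCEPT on the
record match, but the inner MS-CHAPv2 exchange cannot be verified without a
password or NT hash, which AD will not hand out over LDAP.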
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.