Fwd: (RADIATOR) Using AD authentication in Radiator

Jimenez, Roman roman.jimenez at waukeshaengine.dresser.com
Tue Feb 22 09:09:42 CST 2005


The client is a Symbol wireless switch WS-5000 and unfortunately there is
not a lot of configuration I can change on it, just the ports it goes to for
RADIUS authentication. It has worked fine with a Microsoft IAS server but I
would like to make it work with Radiator, since Radiator has been our
production RADIUS server until now.

I would appreciate any input from anybody who has worked with this kind of
wireless switches.

Thanks,

Roman Jimenez
 

-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au] 
Sent: Monday, February 21, 2005 7:19 PM
To: Jimenez, Roman
Cc: Hugh Irvine; radiator at open.com.au
Subject: Re: Fwd: (RADIATOR) Using AD authentication in Radiator

Hello Roman,


On Tuesday 22 February 2005 10:07, Hugh Irvine wrote:

>
> Begin forwarded message:
> > From: "Jimenez, Roman" <roman.jimenez at waukeshaengine.dresser.com>
> > Date: 22 February 2005 01:13:13 GMT+11:00
> > To: Hugh Irvine <hugh at open.com.au>
> > Cc: radiator at open.com.au
> > Subject: RE: (RADIATOR) Using AD authentication in Radiator
> >
> > Hugh,
> > Thanks for the reply. I am including the log file and my 
> > configuration file as an attachment to this message. I hope that 
> > will give you an idea of what I am doing wrong.

The problem here is that you are trying to get the user's password from AD
using LDAP. It is not possible to do this (as far as we know: AD does not
allow access to the user's password by LDAP), so your LDAP query is not
getting the user's password, and therefore the MSCHAPV2 authentication is
failing.

If you intend to authenticate PEAP-MSCHAPV2 using AD, you will have to use
AuthBy LSA, not AuthBy LDAP2. This in turn will limit you to running
Radiator on Windows.

The 'Access rejected for anonymous:' message is referring to the User-Name
in the inner request. In fact, it is actually accessing the LDAP record for
Roman.Jimenez, derived from the EAP identity of the inner request.

BTW, it is unusual for the inner request to have a user name of anonymous,
while the outer has the user's real name. What client are you using? Are you
sure you have it configured correctly?

Cheers.


> >
> > Thanks again,
> >
> >
> > Roman Jimenez
> >
> >
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: Friday, February 18, 2005 11:36 PM
> > To: Jimenez, Roman
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) Using AD authentication in Radiator
> >
> >
> > Hello Roman -
> >
> > EAP authentication comprises two stages - the first (outer request) 
> > for "anonymous" and a second (inner request) for the actual username.
> >
> > Have a look at the examples in "goodies/eap_*.cfg" in the Radiator 
> > 3.11 distribution.
> >
> > There may also be a problem with MS-CHAPv2, but I can't tell without 
> > seeing your configuration file and a more complete trace 4 debug.
> >
> > regards
> >
> > Hugh
> >
> > On 17 Feb 2005, at 21:52, Jimenez, Roman wrote:
> >> Hi all,
> >> I am trying to configure our Radiator server to authenticate 
> >> against our Active Directory as an LDAP v2 server, and I am getting an 
> >> "access rejected for anonymous..." in the log file. I am including 
> >> an extract of the logs; it seems that the LDAP query for the user 
> >> comes back fine though. I would appreciate any help in resolving this
> >> issue:
> >>  
> >>
> >> Thu Feb 17 12:33:48 2005: INFO: Connecting to 10.121.15.81, port 
> >> 389
> >>
> >> Thu Feb 17 12:33:48 2005: INFO: Attempting to bind to LDAP server
> >> 10.121.15.81:389)
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got result for CN=Roman 
> >> Jimenez,OU=X,,DC=y,DC=z,DC=com
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got objectClass: top person 
> >> organizationalPerson user
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got cn: Roman Jimenez
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got description: IT
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got distinguishedName: CN=
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got instanceType: 4
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got whenCreated:
> >> 20041216181343.0Z
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got whenChanged:
> >> 20041216194601.0Z
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got displayName: Roman 
> >> Jimenez
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got uSNCreated: 95721
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got memberOf: CN=
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got userPrincipalName:
> >> Roman.Jimenez
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 looks for match 
> >> with Roman.Jimenez
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> >>
> >> Thu Feb 17 12:33:48 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2 
> >> Authentication failure
> >>
> >> Thu Feb 17 12:33:48 2005: INFO: Access rejected for anonymous: EAP
> >> MSCHAP-V2 Authentication failure
> >>  
> >>  
> >> Roman Jimenez
> >>  
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive 
> > (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets), 
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server 
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible, 
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
> >

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
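As an added illustration, not taken from the thread or from Radiator's shipped goodies files, here is a minimal Radiator configuration of the shape Mike and Hugh describe: the outer PEAP handler terminates the TLS tunnel, and the tunnelled inner MSCHAP-V2 request is checked against Active Directory with AuthBy LSA on a domain-joined Windows host, because AD never returns the password or NT hash over LDAP. The domain name, certificate paths and shared secret are placeholders, and the parameter names are assumed to follow the goodies/eap_peap.cfg and lsa.cfg layout of the 3.x releases; confirm them against doc/ref.html for your version.

```text
# Added example (not from the thread): PEAP with inner MSCHAP-V2 against AD.
# AuthBy LSA asks the local Windows LSA to verify the password, so Radiator
# must run on a Windows machine that is a member of the domain.
Foreground
LogStdout
LogDir  %D
DbDir   %D
# Trace 4 while debugging the switch; lower it once it works.
Trace   4

<Client DEFAULT>
	# Placeholder: must match the secret configured on the WS-5000.
	Secret REPLACE_WITH_SHARED_SECRET
</Client>

# Inner (tunnelled) request carries the real user name, e.g. Roman.Jimenez,
# and is the one that actually authenticates.
<Handler TunnelledByPEAP=1>
	<AuthBy LSA>
		# Assumed NetBIOS domain name; optional Group restricts who may log in.
		Domain EXAMPLEDOMAIN
		Group  "Domain Users"
		EAPType MSCHAP-V2
		# Return MPPE keys so the wireless switch can key the session.
		AutoMPPEKeys
	</AuthBy>
</Handler>

# Outer request: only sets up the TLS tunnel. Its identity is normally
# "anonymous" and no password is checked here.
<Handler>
	<AuthBy FILE>
		Filename %D/users
		EAPType PEAP
		# Placeholder server certificate and CA; use your own PKI in production.
		EAPTLS_CAFile             %D/certificates/demoCA/cacert.pem
		EAPTLS_CertificateFile    %D/certificates/cert-srv.pem
		EAPTLS_CertificateType    PEM
		EAPTLS_PrivateKeyFile     %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword REPLACE_WITH_KEY_PASSWORD
		EAPTLS_MaxFragmentSize    1000
		AutoMPPEKeys
	</AuthBy>
</Handler>
```

With this layout the trace 4 log should show the inner handler, not an LDAP lookup, deciding the MSCHAP-V2 result; an "Access rejected for anonymous" line coming from the outer handler still indicates the inner request never authenticated.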