(RADIATOR) Using AD authentication in Radiator
Hugh Irvine
hugh at open.com.au
Tue Feb 22 16:00:22 CST 2005
Hello Roman -
In that case I would suggest you run Radiator on Windows and use the
AuthBy LSA clause.
Otherwise you will need to use ethereal (or similar) to watch the
radius transactions to and from IAS then configure Radiator to do the
same thing.
I'm guessing that AuthBy LSA on Windows is the simpler option.
regards
Hugh
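To make the AuthBy LSA approach concrete, here is an added configuration sketch (not from this thread or from the Radiator distribution) of the two-handler layout the discussion describes: an outer PEAP handler for the "anonymous" identity and an inner handler that passes the tunnelled MSCHAP-V2 request to Active Directory through LSA. It only works when Radiator runs on a domain-joined Windows host; the domain, controller and certificate paths are placeholders, and the AuthBy LSA parameter names are assumed from memory and should be confirmed against doc/ref.html and goodies/eap_*.cfg.

```conf
# Inner handler: receives the request tunnelled inside PEAP, carrying the
# real EAP identity (e.g. Roman.Jimenez). MSCHAP-V2 is verified by the
# Windows LSA, so no password needs to be readable from AD over LDAP.
<Handler TunnelledByPEAP=1>
    <AuthBy LSA>
        # Assumed parameter names - check doc/ref.html for your version
        Domain EXAMPLEDOMAIN
        DomainController dc1.example.local
        EAPType MSCHAP-V2
        AutoMPPEKeys
    </AuthBy>
</Handler>

# Outer handler: the first request arrives with the identity "anonymous"
# and only negotiates the PEAP TLS tunnel. Nothing here looks up a password.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/ca.pem          # placeholder
        EAPTLS_CertificateFile %D/certificates/srv.pem # placeholder
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/srv.key  # placeholder
        EAPTLS_PrivateKeyPassword changeme             # placeholder
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

With this layout the "Access rejected for anonymous" line should no longer appear once the inner request succeeds, because the inner identity is what AuthBy LSA checks; a trace 4 log will show the LSA result instead of an LDAP attribute dump.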
On 23 Feb 2005, at 02:09, Jimenez, Roman wrote:
> The client is a symbol wireless switch ws-5000 and unfortunately there
> is not a lot of configuration I can change on it, just the ports it goes
> to for radius authentication. It has worked fine with a Microsoft IAS
> server but I would like to make it work with Radiator, since until now
> Radiator has been our production radius server.
>
> I would appreciate any input from anybody who has worked with this
> kind of wireless switches.
>
> Thanks,
>
> Roman Jimenez
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Monday, February 21, 2005 7:19 PM
> To: Jimenez, Roman
> Cc: Hugh Irvine; radiator at open.com.au
> Subject: Re: Fwd: (RADIATOR) Using AD authentication in Radiator
>
> Hello Roman,
>
>
> On Tuesday 22 February 2005 10:07, Hugh Irvine wrote:
>
>>
>> Begin forwarded message:
>>> From: "Jimenez, Roman" <roman.jimenez at waukeshaengine.dresser.com>
>>> Date: 22 February 2005 01:13:13 GMT+11:00
>>> To: Hugh Irvine <hugh at open.com.au>
>>> Cc: radiator at open.com.au
>>> Subject: RE: (RADIATOR) Using AD authentication in Radiator
>>>
>>> Hugh,
>>> Thanks for the reply. I am including the log file and my
>>> configuration file as an attachment to this message. I hope that
>>> will give you an idea of what I am doing wrong.
>
> The problem here is that you are trying to get the user's password
> from AD using LDAP. It is not possible to do this (as far as we know: AD
> does not allow access to the user's password by LDAP), so your LDAP query
> is not getting the user's password, and therefore the MSCHAPV2
> authentication is failing.
>
> If you intend to authenticate PEAP-MSCHAPV2 using AD, you will have to
> use AuthBy LSA, not AuthBy LDAP2. This in turn will limit you to running
> Radiator on Windows.
>
> The 'Access rejected for anonymous:' message is referring to the
> User-Name in the inner request. In fact, it is actually accessing the
> LDAP record for Roman.Jimenez, derived from the EAP identity of the
> inner request.
>
> BTW, it is unusual for the inner request to have a user name of
> anonymous, while the outer has the user's real name. What client are you
> using? Are you sure you have it configured correctly?
>
> Cheers.
>
>
>>>
>>> Thanks again,
>>>
>>>
>>> Roman Jimenez
>>>
>>>
>>> -----Original Message-----
>>> From: Hugh Irvine [mailto:hugh at open.com.au]
>>> Sent: Friday, February 18, 2005 11:36 PM
>>> To: Jimenez, Roman
>>> Cc: radiator at open.com.au
>>> Subject: Re: (RADIATOR) Using AD authentication in Radiator
>>>
>>>
>>> Hello Roman -
>>>
>>> EAP authentication comprises two stages - the first (outer request)
>>> for "anonymous" and a second (inner request) for the actual username.
>>>
>>> Have a look at the examples in "goodies/eap_*.cfg" in the Radiator
>>> 3.11 distribution.
>>>
>>> There may also be a problem with MS-CHAPv2, but I can't tell without
>>> seeing your configuration file and a more complete trace 4 debug.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>> On 17 Feb 2005, at 21:52, Jimenez, Roman wrote:
>>>> Hi all,
>>>> I am trying to configure our Radiator server to authenticate
>>>> against our Active Directory as an LDAP V.2. and I am getting an
>>>> "access rejected for anonymous..." in the log file. I am including
>>>> an extract of the logs; it seems that the ldap query for the user
>>>> comes back fine though. I would appreciate any help in resolving
>>>> this issue:
>>>>
>>>>
>>>> Thu Feb 17 12:33:48 2005: INFO: Connecting to 10.121.15.81, port 389
>>>> Thu Feb 17 12:33:48 2005: INFO: Attempting to bind to LDAP server 10.121.15.81:389)
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got result for CN=Roman Jimenez,OU=X,,DC=y,DC=z,DC=com
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got objectClass: top person organizationalPerson user
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got cn: Roman Jimenez
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got description: IT
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got distinguishedName: CN=
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got instanceType: 4
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got whenCreated: 20041216181343.0Z
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got whenChanged: 20041216194601.0Z
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got displayName: Roman Jimenez
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got uSNCreated: 95721
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got memberOf: CN=
>>>> Thu Feb 17 12:33:48 2005: DEBUG: LDAP got userPrincipalName: Roman.Jimenez
>>>> Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 looks for match with Roman.Jimenez
>>>> Thu Feb 17 12:33:48 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
>>>> Thu Feb 17 12:33:48 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
>>>> Thu Feb 17 12:33:48 2005: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
>>>>
>>>>
>>>> Roman Jimenez
>>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>> --
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.