(RADIATOR) TTLS + LDAP2+ Active Directory
Hugh Irvine
hugh at open.com.au
Fri Jan 7 22:41:17 CST 2005
Hello Angelo -
There is an example configuration file in "goodies/ad-ladp.cfg" - you
should try using port 3268.
You should also try using an LDAP client to connect to your AD server
to verify that the AuthDN and AuthPassword allow you connect properly.
BTW - an alternative is to run a copy of Radiator on the Windows host
and proxy the radius requests from the FreeBSD box to the Windows box.
regards
Hugh
On 8 Jan 2005, at 05:27, Ângelo Rodrigues wrote:
>
> Hi,
>
> I have a FreeBSD 4.10 running a Radiator 3.9 to authenticate
> our Cisco Catalyst 3550 users (802.1x + eap-ttls). Our authentication
> method is "AuthBy FILE" and (until now) everything seems to work fine.
>
> Now, I'm trying to config our Radiator to validate all password
> against a Windows 2003 Active Directory. Since "AuthBy ADSI"
> doesn't work in unix systems, I'm using "AuthBy LDAP2"
> to replace ADSI features but, it doesn't seems to work.
>
> I've tried a lot of configurations but all without sucess :(((
>
> Any ideias ?
>
> Thanks :)
>
> Angelo R.
>
> My radius configuration:
> #########################################
> (...)
> <Client 192.168.0.50>
> Secret XXXXXX
> Identifier LocalUser
> </Client>
> (...)
> # Tunel TTLS
> <Handler TunnelledByTTLS=1, Realm = dominio.teste.org >
> RewriteUsername s/^([^@]+).*/$1/
> <AuthBy LDAP2>
> Host 192.168.0.1
> AuthDN
> cn=Administrator,ou=Users,dc=dominio,dc=teste,dc=org
> AuthPassword XXXXXX
> BaseDN ou=Users,dc=dominio,dc=teste,dc=org
> ServerChecksPassword
> UsernameAttr sAMAccountName
> AuthAttrDef logonHours,MS-Login-Hours,check
> </AuthBy>
> </Handler>
> <Handler Realm = /^dominio\.teste\.org$/ >
> <AuthBy FILE>
> EAPType PEAP, TTLS
> EAPTLS_CAFile /etc/radius/cert/demoCA/cacert.pem
> EAPTLS_CertificateFile /etc/radius/cert/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/radius/cert/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
> AuthLog localusers
> AcctLogFileName %L/local-detail.log
> AccountingHandled
> </Handler>
> #########################################
>
> Logs ouput:
> #########################################
> (...)
> Fri Jan 7 17:00:11 2005: DEBUG: Handling request with Handler 'Realm
> = /^dominio\.teste\.org$/'
> Fri Jan 7 17:00:11 2005: DEBUG: Deleting session for
> anonymous at dominio.teste.org, 192.168.0.50,
> Fri Jan 7 17:00:11 2005: DEBUG: Handling with Radius::AuthFILE:
> Fri Jan 7 17:00:11 2005: DEBUG: Handling with EAP: code 2, 6, 87
> Fri Jan 7 17:00:11 2005: DEBUG: Response type 21
> Fri Jan 7 17:00:11 2005: DEBUG: EAP TTLS inner authentication request
> for user3 at dominio.teste.org
> Fri Jan 7 17:00:11 2005: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <233>9<240><193>'<169>><219><238>.<221><239><168>^}<19>
> Attributes:
> User-Name = "user3 at dominio.teste.org"
> User-Password = "xxxxxx"
>
> Fri Jan 7 17:00:11 2005: DEBUG: Handling request with Handler
> 'TunnelledByTTLS=1, Realm = dominio.teste.org'
> Fri Jan 7 17:00:11 2005: DEBUG: Rewrote user name to user3
> Fri Jan 7 17:00:11 2005: DEBUG: Deleting session for
> user3 at dominio.teste.org, 192.168.0.50,
> Fri Jan 7 17:00:11 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Jan 7 17:00:11 2005: INFO: Connecting to 192.168.0.1, port 389
> Fri Jan 7 17:00:11 2005: INFO: Attempting to bind to LDAP server
> 192.168.0.1:389)
> Fri Jan 7 17:00:11 2005: ERR: Could not bind connection with
> cn=Administrator,ou=Users,dc=dominio,dc=teste,dc=org, XXXXXX,
> error: LDAP_INVALID_CREDENTIALS (server 192.168.0.1:389).
> Fri Jan 7 17:00:11 2005: ERR: Backing off from 192.168.0.1:389 for
> 600 seconds.
> Fri Jan 7 17:00:11 2005: DEBUG: EAP result: 2, EAP TTLS inner
> authentication redespatched to a Handler
> Fri Jan 7 17:00:16 2005: DEBUG: Packet dump:
> *** Received from 192.168.0.50 port 1812 ....
> Code: Access-Request
> Identifier: 85
> Authentic:
> l<237><25><135><142><233><184><165><18>i+<131>,<229><11><177>
> Attributes:
> NAS-IP-Address = 192.168.0.50
> NAS-Port-Type = Async
> User-Name = "anonymous at dominio.teste.org"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Calling-Station-Id = "00-06-5b-03-e0-b5"
> EAP-Message =
> <2><6><0>W<21><128><0><0><0>M<23><3><1><0>H<198><183><233><190>++K<149>
> v<m|LX <14><247><163>V<20>e<
> 249>b<155><162><30>,<169><21><12>6<141>&<236><30><136><154>j<255><197><
> 152><157><144>C<19><129><10><232><132><127>%<169>4
> R[<215>z<186>8[<4><215><195><28>3<156><24><161><212><255><135><157>
> Message-Authenticator =
> P<9><131><25>[~\<130><19><248><220><156><207>Ok
> (...)
> #########################################
>
> Angelo Rodrigues - amr at fccn.pt
> FCCN - Fundacao para a Computacao Cientifica Nacional
> Av. do Brasil, 101 1700-066 Lisboa - Portugal
> Tel: +351 218440100 Fax: +351 218472167
> ------------------------------------------------------------
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list