Fwd: (RADIATOR) Auth against ActiveDirectory w/TLS (radiator on Linux)

Mike McCauley mikem at open.com.au
Wed Jul 27 20:28:07 CDT 2005


Hello Andrew,


> Begin forwarded message:
> > From: Andrew Fort <afort at choqolat.org>
> > Date: 27 July 2005 14:35:44 GMT+10:00
> > To: radiator at open.com.au
> > Subject: (RADIATOR) Auth against ActiveDirectory w/TLS (radiator on
> > Linux)
> >
> >
> > Hi folks,
> >
> > I'm trying to get radiator authenticating against AD via <AuthBy
> > LDAP2>.  This works fine, although I found that with AD on Windows
> > 2003 Server I could only get the AuthDN to work properly by using
> > simply:
> >
> > AuthDN blah at corp.domain.com
> > AuthPassword blah'spassword
> >
> > Using an LDAP search path in there I couldn't get the thing to bind to
> > the LDAP server.
> >
> > Anyhow, that works.  But my problem is I can't figure out how to
> > use TLS/SSL.
> >
> > It seems you need to have three things:  a CA Client Certificate, a
> > CA Client Key, and a CA Certificate.
Correct.

> >
> > Anyone who has been through this process, can you tell me where to
> > export these from on the Windows side off the top of your head? (or
> > some rough guides).  I have exported a key from the /certsrv/
> > webserver on the CA, I believe this is the CA Certificate?  How do
> > I create the other two (presumably they are for my user
> > "blah at corp.domain.com")?
> >
> > Sorry to ask a vague question that is not actually a Radiator
> > problem, but a few days of searching around hasn't helped.  The
> > windows admins here haven't yet been able to assist, either...

You can export the CA root certificate with the following steps:

Create a certificate management console:
1. Start->Run mmc
2. File->Add/Remove Snap-in
3. Click on Add
4. Select 'Certificates'
5. Click on Add
6. Select 'Computer account', Next
7. Select 'Local computer'
8. Finish
9. Close.
10. OK.

In the MMC, which now has the Certificate Management snap-in installed:
1. Select 'Certificates (Local Computer)'
2. Select 'Personal'
3. Select 'Certificates'
4. Right click on the CA root certificate name, All Tasks->Export....
5. Export wizard will appear, Next.
6. Select 'No, do not export the private key', Next.
7. Select 'DER encoded binary'
8. Input a file name (Windows will add a .cer extension to whatever you type)
9. Next
10. Finish

The result will be a DER-encoded root certificate with a '.cer' filename
extension.

You should be able to follow a similar procedure to export the client 
certificate+private key after the client certificate has been issued.


> >
> > Cheers,
> > Andrew Fort
> >
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
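The steps above leave you with Windows-side artefacts: a DER-encoded '.cer' for the CA root, and (once the client certificate is issued) an export that includes the private key. The script below is an added example, not part of Mike's reply and not Radiator's own code. It assumes OpenSSL is available on the Linux host running Radiator, and it assumes the client export with private key is a PKCS#12 '.pfx' file, which is what the Windows export wizard produces when the key is included. It builds a small throwaway test PKI in place of the real Windows CA (constructed data, with the user name from the original question), then shows the three conversions and checks a practitioner would do before pointing Radiator at the files: DER to PEM for the root, splitting the '.pfx' into a PEM certificate and key, confirming the key belongs to the certificate, and confirming the client certificate chains to the exported root.

```shell
#!/bin/sh
# Added example: prepare Windows CA exports for use on a Linux host.
# Everything below is generated locally; nothing here is real CA data.
set -eu

# DER (.cer from the MMC export wizard) -> PEM, the form OpenSSL-based tools read.
der_to_pem() {                       # $1 = input .cer, $2 = output .pem
  openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Split a PKCS#12 export (certificate + private key) into two PEM files.
# Assumption: $3 is the password typed into the export wizard.
# The key is written unencrypted, so create it with mode 0600.
pfx_split() {                        # $1 = .pfx, $2 = output prefix, $3 = password
  openssl pkcs12 -in "$1" -passin "pass:$3" -clcerts -nokeys -out "$2.crt"
  ( umask 077
    openssl pkcs12 -in "$1" -passin "pass:$3" -nocerts -nodes -out "$2.key" )
}

# SHA-256 fingerprint of a PEM certificate (used to compare two encodings).
fingerprint() {                      # $1 = cert.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Does the private key belong to the certificate?  Compare the public keys.
cert_matches_key() {                 # $1 = cert.pem, $2 = key.pem
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Does the client certificate chain to the exported CA root?
chains_to_ca() {                     # $1 = ca.pem, $2 = cert.pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- constructed test PKI standing in for the Windows CA ---------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=blah@corp.domain.com" \
        -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -out client.crt >/dev/null 2>&1
# The two files the Windows wizard would hand over: DER root, PKCS#12 client.
openssl x509 -in ca.pem -outform DER -out ca.cer
openssl pkcs12 -export -in client.crt -inkey client.key \
        -passout pass:exportpw -out client.pfx

# --- what you would run on the Radiator host with the real exports ----------
der_to_pem ca.cer ca-from-der.pem
pfx_split client.pfx client-from-pfx exportpw
[ "$(fingerprint ca.pem)" = "$(fingerprint ca-from-der.pem)" ] \
  && echo "DER -> PEM round trip preserves the certificate"
cert_matches_key client-from-pfx.crt client-from-pfx.key \
  && echo "client private key matches client certificate"
chains_to_ca ca-from-der.pem client-from-pfx.crt \
  && echo "client certificate chains to the exported CA root"
```

With real exports you would run only the second half: convert the '.cer', split the '.pfx', and keep the resulting key file readable by the Radiator user alone. A mismatch from cert_matches_key usually means the wrong certificate was exported from the Personal store; a failure from chains_to_ca usually means the '.cer' is not the issuing root (or an intermediate is missing).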

