(RADIATOR) EAP and LDAP

Chris Hills chills at ne-worcs.ac.uk
Wed Jun 8 11:19:12 CDT 2005


I've decided to change my tack and use the NT passwords stored in LDAP.
I have changed my configuration as follows:-

<Realm ne-worcs.ac.uk>

        RewriteUsername s/^(.*)\@.*/$1/

        <AuthBy LDAP2>

                Host xxx

                BaseDN o=NEW College,c=UK
                AuthDN xxx,o=NEW College,c=UK
                AuthPassword xxx

                UsernameAttr uid
                PasswordAttr ntPassword

                PostSearchHook sub { my $ntpassword = $_[3]->get_check->get_attr('User-Password'); $_[3]->get_check->change_attr('User-Password', "{nthash}$ntpassword"); }


                EAPType MSCHAP-V2
                EAPTLS_CertificateType PEM
                EAPTLS_CAFile /usr/share/ssl/certs/cacert.pem
                EAPTLS_CertificateFile /usr/share/ssl/certs/radius.pem
                EAPTLS_PrivateKeyFile /usr/share/ssl/certs/radius.pem

                AutoMPPEKeys

                Debug 255

        </AuthBy>

        AcctLogFileName %L/detail.ne-worcs.ac.uk
</Realm>

Now that I have discovered radpwtst (oops), I get the following output, 
with -mschapv2:-

Wed Jun  8 17:10:25 2005: DEBUG: Handling request with Handler 'Realm=ne-worcs.ac.uk'
Wed Jun  8 17:10:25 2005: DEBUG: Rewrote user name to testuser
Wed Jun  8 17:10:25 2005: DEBUG:  Deleting session for testuser at ne-worcs.ac.uk, 203.63.154.1, 1234
Wed Jun  8 17:10:25 2005: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jun  8 17:10:25 2005: INFO: Connecting to xxx port 389
Wed Jun  8 17:10:25 2005: INFO: Attempting to bind to LDAP server xxx:389
Wed Jun  8 17:10:25 2005: DEBUG: LDAP got result for uid=testuser,xxx,o=NEW College,c=UK
Wed Jun  8 17:10:25 2005: DEBUG: LDAP got ntPassword: E5810F3C99AE2ABB2232ED8458A61309
Wed Jun  8 17:10:25 2005: DEBUG: Radius::AuthLDAP2 looks for match with studentuser
Wed Jun  8 17:10:25 2005: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Wed Jun  8 17:10:26 2005: INFO: Access rejected for testuser: Bad Password

I set the password to 'asdf' for the purpose of testing, and I am sure
it is correct in both LDAP and radpwtst. So it seems it is not working
either.

-- 
Chris Hills
IT Services
North East Worcestershire College
