(RADIATOR) EAP and LDAP

Jim Michael JMichael at chesterfield.mo.us
Wed Jun 8 14:07:07 CDT 2005


Chris, I haven't been paying attention to this thread... what LDAP directory were you trying against? We use eDirectory here and Radiator does EAP-TTLS/PAP (via Funk Odyssey client) perfectly.

Jim

>>> On 6/8/2005 at 11:19:12 am, Chris Hills <chills at ne-worcs.ac.uk> wrote:
> I've decided to change my tack and use the nt passwords stored in ldap. 
> I have changed my configuration as follows:-
> 
> <Realm ne-worcs.ac.uk>
> 
>         RewriteUsername s/^(.*)\@.*/$1/
> 
>         <AuthBy LDAP2>
> 
>                 Host xxx
> 
>                 BaseDN o=NEW College,c=UK
>                 AuthDN xxx,o=NEW College,c=UK
>                 AuthPassword xxx
> 
>                 UsernameAttr uid
>                 PasswordAttr ntPassword
> 
>                 PostSearchHook sub {my $ntpassword = 
> $_[3]->get_check->get_attr('User-Password'); 
> $_[3]->get_check->change_attr('User-Password', "{nthash}$ntpassword");}
> 
> 
>                 EAPType MSCHAP-V2
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_CAFile /usr/share/ssl/certs/cacert.pem
>                 EAPTLS_CertificateFile /usr/share/ssl/certs/radius.pem
>                 EAPTLS_PrivateKeyFile /usr/share/ssl/certs/radius.pem
> 
>                 AutoMPPEKeys
> 
>                 Debug 255
> 
>         </AuthBy>
> 
>         AcctLogFileName %L/detail.ne-worcs.ac.uk
> </Realm>
> 
> Now that I have discovered radpwtst (oops), I get the following output, 
> with -mschapv2:-
> 
> Wed Jun  8 17:10:25 2005: DEBUG: Handling request with Handler 
> 'Realm=ne-worcs.ac.uk'
> Wed Jun  8 17:10:25 2005: DEBUG: Rewrote user name to testuser
> Wed Jun  8 17:10:25 2005: DEBUG:  Deleting session for 
> testuser at ne-worcs.ac.uk, 203.63.154.1, 1234
> Wed Jun  8 17:10:25 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Jun  8 17:10:25 2005: INFO: Connecting to xxx port 389
> Wed Jun  8 17:10:25 2005: INFO: Attempting to bind to LDAP server xxx:389
> Wed Jun  8 17:10:25 2005: DEBUG: LDAP got result for 
> uid=testuser,xxx,o=NEW College,c=UK
> Wed Jun  8 17:10:25 2005: DEBUG: LDAP got ntPassword: 
> E5810F3C99AE2ABB2232ED8458A61309
> Wed Jun  8 17:10:25 2005: DEBUG: Radius::AuthLDAP2 looks for match with 
> studentuser
> Wed Jun  8 17:10:25 2005: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Wed Jun  8 17:10:26 2005: INFO: Access rejected for testuser: Bad Password
> 
> I set the password to 'asdf' for the purpose of testing, and I am sure 
> it is correct in both ldap and radpwtst. So it seems it is not working 
> either.



--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au