(RADIATOR) EAP and LDAP
Hugh Irvine
hugh at open.com.au
Wed Jun 8 16:26:31 CDT 2005
Hello Chris -
As mentioned previously, you cannot do a RewriteUsername with MSCHAP-V2, as the full username including realm is used in the authentication.
regards
Hugh
On 9 Jun 2005, at 02:19, Chris Hills wrote:
> I've decided to change my tack and use the nt passwords stored in
> ldap. I have changed my configuration as follows:-
>
> <Realm ne-worcs.ac.uk>
>
> RewriteUsername s/^(.*)\@.*/$1/
>
> <AuthBy LDAP2>
>
> Host xxx
>
> BaseDN o=NEW College,c=UK
> AuthDN xxx,o=NEW College,c=UK
> AuthPassword xxx
>
> UsernameAttr uid
> PasswordAttr ntPassword
>
> PostSearchHook sub {my $ntpassword = $_[3]->get_check->get_attr('User-Password'); $_[3]->get_check->change_attr('User-Password', "{nthash}$ntpassword");}
>
>
> EAPType MSCHAP-V2
> EAPTLS_CertificateType PEM
> EAPTLS_CAFile /usr/share/ssl/certs/cacert.pem
> EAPTLS_CertificateFile /usr/share/ssl/certs/radius.pem
> EAPTLS_PrivateKeyFile /usr/share/ssl/certs/radius.pem
>
> AutoMPPEKeys
>
> Debug 255
>
> </AuthBy>
>
> AcctLogFileName %L/detail.ne-worcs.ac.uk
> </Realm>
>
> Now that I have discovered radpwtst (oops), I get the following
> output, with -mschapv2:-
>
> Wed Jun 8 17:10:25 2005: DEBUG: Handling request with Handler 'Realm=ne-worcs.ac.uk'
> Wed Jun 8 17:10:25 2005: DEBUG: Rewrote user name to testuser
> Wed Jun 8 17:10:25 2005: DEBUG: Deleting session for testuser at ne-worcs.ac.uk, 203.63.154.1, 1234
> Wed Jun 8 17:10:25 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Jun 8 17:10:25 2005: INFO: Connecting to xxx port 389
> Wed Jun 8 17:10:25 2005: INFO: Attempting to bind to LDAP server xxx:389
> Wed Jun 8 17:10:25 2005: DEBUG: LDAP got result for uid=testuser,xxx,o=NEW College,c=UK
> Wed Jun 8 17:10:25 2005: DEBUG: LDAP got ntPassword: E5810F3C99AE2ABB2232ED8458A61309
> Wed Jun 8 17:10:25 2005: DEBUG: Radius::AuthLDAP2 looks for match with studentuser
> Wed Jun 8 17:10:25 2005: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Wed Jun 8 17:10:26 2005: INFO: Access rejected for testuser: Bad Password
>
> I set the password to 'asdf' for the purpose of testing, and I am
> sure it is correct in both ldap and radpwtst. So it seems it is not
> working either.
>
> --
> Chris Hills
> IT Services
> North East Worcestershire College
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
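The reason Hugh gives, worked through in code: MS-CHAPv2 (RFC 2759) mixes the User-Name into the challenge hash, so a server that recomputes the NT-Response with a rewritten name can never match what the client sent. This is an added Go example, not Radiator code; the two challenges are constructed values and the NT hash is the ntPassword value shown in the debug log above.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// ChallengeHash() from RFC 2759 8.2: the user name is hashed in, so the server must use the name the client used.
func challengeHash(peer, auth []byte, username string) []byte {
	sum := sha1.Sum(bytes.Join([][]byte{peer, auth, []byte(username)}, nil))
	return sum[:8]
}

// DesEncrypt() from RFC 2759 8.6: 7-byte key spread over 8 bytes (low bits are DES parity, ignored by the cipher).
func desEncrypt56(clear, k []byte) []byte {
	key := []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
	block, _ := des.NewCipher(key) // key is always 8 bytes, so no error is possible
	out := make([]byte, 8)
	block.Encrypt(out, clear)
	return out
}

// GenerateNTResponse() from RFC 2759 8.1, from the stored 16-byte NT hash (what ntPassword holds), not the password.
func ntResponse(auth, peer []byte, username string, ntHash []byte) []byte {
	challenge := challengeHash(peer, auth, username)
	z := make([]byte, 21) // NT hash zero-padded to 21 bytes = three 7-byte DES keys
	copy(z, ntHash)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt56(challenge, z[i:i+7])...)
	}
	return resp
}
// Constructed challenges (not from the thread); the NT hash is the ntPassword value from the debug log.
var authChallenge, peerChallenge = bytes.Repeat([]byte{0xA5}, 16), bytes.Repeat([]byte{0x5A}, 16)
var ntHash, _ = hex.DecodeString("E5810F3C99AE2ABB2232ED8458A61309")
// verify is the server side: recompute the response with the User-Name it holds and compare.
func verify(serverName string, clientResp []byte) bool {
	return bytes.Equal(ntResponse(authChallenge, peerChallenge, serverName, ntHash), clientResp)
}
func main() {
	client := ntResponse(authChallenge, peerChallenge, "testuser@ne-worcs.ac.uk", ntHash)
	fmt.Println("full name verifies:", verify("testuser@ne-worcs.ac.uk", client)) // true
	fmt.Println("rewritten verifies:", verify("testuser", client))                // false
}
```

The client computed its response over the full `User-Name`; after `RewriteUsername` strips the realm, the server hashes a different name and rejects a correct password, which is what the "Bad Password" in the trace above shows.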