(RADIATOR) EAP-TTLS and LDAP Success
Hugh Irvine
hugh at open.com.au
Fri Jun 10 19:19:08 CDT 2005
Hello Chris -
Many thanks for letting us know.
regards
Hugh
On 10 Jun 2005, at 19:18, Chris Hills wrote:
> Hi
>
> I have finally gotten Radiator to authenticate against LDAP using
> EAP-TTLS. Please see the configuration below and a log excerpt.
>
> <Realm ne-worcs.ac.uk>
> <AuthBy LDAP2>
>
> Identifier CheckLDAP
>
> Host xxx
>
> BaseDN o=NEW College,c=UK
> AuthDN uid=xxx
> AuthPassword xxx
>
> UsernameAttr mail
> PasswordAttr ntPassword
>
> PostSearchHook sub {my $ntpassword = $_[3]->get_check->get_attr('User-Password'); $_[3]->get_check->change_attr('User-Password', "{nthash}$ntpassword");}
>
> EAPType PEAP,TTLS,MSCHAP-V2
> EAPTLS_CertificateType PEM
> EAPTLS_CAFile /usr/share/ssl/certs/cacert.pem
> EAPTLS_CertificateFile /usr/share/ssl/certs/radius.pem
> EAPTLS_PrivateKeyFile /usr/share/ssl/certs/radius.pem
>
> AutoMPPEKeys
>
> Debug 255
>
> </AuthBy>
> </Realm>
>
> <Handler TunnelledByTTLS=1>
> AuthBy CheckLDAP
> </Handler>
>
> <Handler TunnelledByPEAP=1>
> AuthBy CheckLDAP
> </Handler>
>
> Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE,
> EAP PEAP Challenge
> Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for anonymous:
> EAP PEAP Challenge
> Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP TTLS inner
> authentication redespatched to a Handler
> Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE,
> EAP TTLS inner authentication redespatched to a Handler
> Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for xxx at ne-
> worcs.ac.uk: EAP TTLS inner authentication redespatched to a Handler
> Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler
> 'Realm=ne-worcs.ac.uk'
> Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for xxx at ne-
> worcs.ac.uk, 172.18.100.14, 238
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2:
> CheckLDAP
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 6, 79
> Fri Jun 10 10:05:59 2005: DEBUG: Response type 21
> Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS data, 3, 6, 5
> Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS inner authentication
> request for anonymous
> Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler
> 'TunnelledByTTLS=1'
> Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for anonymous,
> 172.18.100.14,
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2:
> CheckLDAP
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 1, 6
> Fri Jun 10 10:05:59 2005: DEBUG: Response type 3
> Fri Jun 10 10:05:59 2005: INFO: EAP Nak desires type 26
> Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP MSCHAP-V2
> Challenge
> Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE,
> EAP MSCHAP-V2 Challenge
> Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for anonymous:
> EAP MSCHAP-V2 Challenge
> Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP TTLS inner
> authentication redespatched to a Handler
> Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE,
> EAP TTLS inner authentication redespatched to a Handler
> Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for xxx at ne-
> worcs.ac.uk: EAP TTLS inner authentication redespatched to a Handler
> Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler
> 'Realm=ne-worcs.ac.uk'
> Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for xxx at ne-
> worcs.ac.uk, 172.18.100.14, 238
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2:
> CheckLDAP
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 7, 151
> Fri Jun 10 10:05:59 2005: DEBUG: Response type 21
> Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS data, 3, 7, 6
> Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS inner authentication
> request for anonymous
> Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler
> 'TunnelledByTTLS=1'
> Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for anonymous,
> 172.18.100.14,
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2:
> CheckLDAP
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 2, 80
> Fri Jun 10 10:05:59 2005: DEBUG: Response type 26
> Fri Jun 10 10:05:59 2005: INFO: Connecting to xxx, port 389
> Fri Jun 10 10:05:59 2005: INFO: Attempting to bind to LDAP server
> xxx:389
> Fri Jun 10 10:05:59 2005: DEBUG: LDAP got result for xxx
> Fri Jun 10 10:05:59 2005: DEBUG: LDAP got ntPassword:
> BDCAD6C32FFE87F928E728F7E2
> Fri Jun 10 10:05:59 2005: DEBUG: Radius::AuthLDAP2 looks for match
> with xxx at ne-worcs.ac.uk
> Fri Jun 10 10:05:59 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP MSCHAP V2
> Challenge: Success
> Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE,
> EAP MSCHAP V2 Challenge: Success
> Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for anonymous:
> EAP MSCHAP V2 Challenge: Success
> Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP TTLS inner
> authentication redespatched to a Handler
> Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE,
> EAP TTLS inner authentication redespatched to a Handler
> Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for xxx at ne-
> worcs.ac.uk: EAP TTLS inner authentication redespatched to a Handler
> Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler
> 'Realm=ne-worcs.ac.uk'
> Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for xxx at ne-
> worcs.ac.uk, 172.18.100.14, 238
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2:
> CheckLDAP
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 8, 79
> Fri Jun 10 10:05:59 2005: DEBUG: Response type 21
> Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS data, 3, 8, 7
> Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS inner authentication
> request for anonymous
> Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler
> 'TunnelledByTTLS=1'
> Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for anonymous,
> 172.18.100.14,
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2:
> CheckLDAP
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 3, 6
> Fri Jun 10 10:05:59 2005: DEBUG: Response type 26
> Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 0,
> Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Fri Jun 10 10:05:59 2005: DEBUG: Access accepted for anonymous
> Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 0, EAP TTLS inner
> authentication redespatched to a Handler
> Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: ACCEPT, EAP
> TTLS inner authentication redespatched to a Handler
> Fri Jun 10 10:05:59 2005: DEBUG: Access accepted for xxx at ne-
> worcs.ac.uk
> Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler
> 'Realm=ne-worcs.ac.uk'
> Fri Jun 10 10:05:59 2005: DEBUG: Adding session for xxx at ne-
> worcs.ac.uk, 172.18.100.14, 238
> Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2:
> CheckLDAP
> Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Fri Jun 10 10:05:59 2005: DEBUG: Accounting accepted
>
> I have tested this successfully with SecureW2 and Windows XP SP2
> (using PEAP-EAP-MSCHAPv2)
>
> Regards
>
> --
> Chris Hills
> IT Services
> North East Worcestershire College
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
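The PostSearchHook in Chris's configuration rewrites the User-Password check item from the raw ntPassword attribute into "{nthash}<hex>", which tells Radiator to verify the MS-CHAP-V2 response inside the TTLS or PEAP tunnel against a stored NT hash instead of a cleartext password. The Python below is an added example, not code from the post or from Radiator: it reproduces the hook's transformation with a format check the hook does not make (a real NT hash is 16 bytes, so 32 hex characters; a truncated value can never verify an MS-CHAP-V2 response), and derives the NT hash from a cleartext password (MD4 over the UTF-16LE encoding, written out in pure Python because OpenSSL 3 hides MD4 behind its legacy provider) so you can confirm that a test account's ntPassword in the directory really matches the password the supplicant will type before debugging the EAP side. Function names and the sample entry are assumptions made for this example.

```python
"""Added example (not from the original post or from Radiator): the hook's
{nthash} rewrite, plus NT-hash derivation to sanity-check an LDAP entry."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib.new('md4') often fails on
    OpenSSL 3 unless the legacy provider is loaded, so do it by hand."""
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    r2_idx = [(i % 4) * 4 + i // 4 for i in range(16)]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + G(b, c, d) + X[r2_idx[i]] + 0x5A827999) & _MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + H(b, c, d) + X[r3_idx[i]] + 0x6ED9EBA1) & _MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = ((A + a) & _MASK, (B + b) & _MASK,
                      (C + c) & _MASK, (D + d) & _MASK)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash as stored in an ntPassword-style attribute: MD4 of UTF-16LE,
    returned as upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def nthash_check_item(ldap_value: str) -> str:
    """What the PostSearchHook does to the User-Password check item, plus a
    check the hook itself lacks: the value must be exactly 32 hex digits."""
    value = ldap_value.strip()
    if len(value) != 32 or any(c not in "0123456789abcdefABCDEF" for c in value):
        raise ValueError(f"ntPassword is not a 32-hex-digit NT hash: {value!r}")
    return "{nthash}" + value.upper()


def ldap_entry_matches(password: str, ldap_value: str) -> bool:
    """Sanity check for a test account: does the directory's ntPassword
    correspond to the password the supplicant will use?"""
    return nthash_check_item(ldap_value) == "{nthash}" + nt_hash(password)


if __name__ == "__main__":
    # Constructed sample entry (hypothetical account), not from the post.
    entry = {"mail": "test@example.ac.uk",
             "ntPassword": "8846f7eaee8fb117ad06bdd830b7586c"}
    print(nthash_check_item(entry["ntPassword"]))
    print(ldap_entry_matches("password", entry["ntPassword"]))
```

Keep in mind that for MS-CHAP-V2 the NT hash is password-equivalent: anyone who can read ntPassword from the directory can answer the challenge without knowing the password. The AuthDN that AuthBy LDAP2 binds with should therefore be allowed to read that attribute only on the accounts it serves, and the search should run over LDAPS or StartTLS rather than the plain port 389 that the trace shows, since the hash is otherwise carried in the clear between Radiator and the directory.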