(RADIATOR) LSA and reply attributes
Jose Maria Fernandez
chema at uniovi.es
Thu Jun 16 06:01:48 CDT 2005
Hugh Irvine wrote:
>
> Hello Jose -
>
> You can add "NoEAP" to the AuthBy LDAP2 clause.
>
> It would probably also make sense to use two separate Handlers as
> shown in some of the examples in "goodies/eap_*.cfg".
>
> regards
>
> Hugh
>
>
> On 15 Jun 2005, at 22:58, Jose Maria Fernandez wrote:
>
>> Hugh Irvine wrote:
>>
>>
>>>
>>> Hello Jose -
>>>
>>> As the AuthBy LSA clause only does authentication, you will
>>> probably need to use an AuthBy LDAP clause as well to get the
>>> Profile attribute.
>>>
>>> Something like this:
>>>
>>> AuthByPolicy ContinueAlways
>>>
>>> <AuthBy LDAP2>
>>> # get the Profile attribute
>>> .....
>>> </AuthBy>
>>>
>>> <AuthBy LSA>
>>> # do the authentication
>>> .....
>>> </AuthBy>
>>>
>>>
>>> hope that helps
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 14 Jun 2005, at 20:00, Jose Maria Fernandez wrote:
>>>
>>>
>>>> Hi all,
>>>>
>>>> Does anybody know how I can send reply attributes using AuthBy LSA?
>>>> We have an extended schema in AD, and one of the extended
>>>> attributes is a Profile attribute. We would like to use this attribute
>>>> to return a reply attribute Class, in order to assign IPs, VLANs,
>>>> etc. in our NASs. We know it is possible using LDAP authentication or
>>>> SQL authentication, but we want to use TTLS (PAP/TTLS, no problem
>>>> with LDAP) and PEAP too. The best way to use PEAP is AuthBy LSA,
>>>> but how about reply attributes...?
>>>>
>>>> Thanks in advance,
>>>>
>>>> Jose Maria Fernandez
>>>> Universidad de Oviedo
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>>
>> Hello Hugh,
>>
>> I was trying to do it the way you say, but the problem I found is
>> that the Access-Request is using EAP.
>> If I use the AuthBy method in the way you said, the LDAP doesn't
>> accept the packet. If I do the LSA first, it finds the EAP and,
>> instead of calling the Handler again to process the inner method, it
>> continues with LDAP2, and the reject occurs again. In LDAP2, I use
>> the parameter.
>> Do you know how I can do it?
>>
>> Thanks in advance,
>>
>> Jose Maria Fernandez
>> Universidad de Oviedo
>>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
Hi Hugh...
I'm going crazy... I tried so many configurations and no results. Maybe
there is no way to get the solution we need, maybe (most probably)
I'm making too many mistakes. I revised the "goodies/eap_*.cfg" several
times and tried some solutions. No result.
We need to authenticate PEAP (with MSCHAPV2, to support native Windows
clients) and PAP/TTLS. Our users are in Active Directory, with an
expanded schema (several attributes, but the most important for this is
UOPerfil, a profile referring to the type of user).
We want to account to MySQL (no problem, it works). Depending on the
attribute value, we want to send reply attributes, like Class and IP
address.
We tested AuthBy SQL (to account) and AuthBy LSA (to authenticate)
alone, and both worked together very well. We were able to authenticate
PEAP, TTLS, and MSCHAPV2 with no problem (one AuthBy and many types of
authentication methods, excellent..).
Our problems begin when we try to catch other attributes (the UOPerfil
I mentioned before) to return reply attributes.
We tried several configs, but no way to do this.
Could you please take a look at the following config, and show me the
light?... What are our mistakes?... Are we too silly to configure
Radiator?...
Feel free to say what you want, no problem ... Thanks a lot, and sorry
for wasting your time.
The config is the following (only PEAP is active, no TTLS):
# $Id: lsa_eap_multi.cfg,v 1.1 2005/02/03 22:36:10 mikem Exp $
Foreground
LogStdout
LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator
# Use a lower trace level in production systems:
Trace 4
<Client DEFAULT>
Secret XXXXXXXXX
DupInterval 0
</Client>
<SessionDatabase SQL>
Identifier SQLSession
DBSource dbi:mysql:radius
DBUsername radiusacct
DBAuth XXXXXXXX
</SessionDatabase>
<AuthBy SQL>
Identifier SQLAccounting
DBSource dbi:mysql:radius
DBUsername radiusacct
DBAuth XXXXXXXX
# Empty clause so that this AuthBy does not authenticate (accounting only)
AuthSelect
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctFailedLogFileName c:/Program Files/Radiator/missedaccounting
SQLRecoveryFile c:/Program Files/Radiator/missedaccounting
</AuthBy>
<AddressAllocator SQL>
Identifier myallocator
DBSource dbi:mysql:radius
DBUsername radiusacct
DBAuth XXXXXXXX
#DefaultLeasePeriod 86400
#LeaseReclaimInterval 86400
<AddressPool PAS>
Subnetmask 255.255.255.0
Range 172.16.1.1 172.16.1.50
</AddressPool>
<AddressPool PDI>
Subnetmask 255.255.255.0
Range 172.16.1.60 172.16.1.120
</AddressPool>
</AddressAllocator>
<AuthBy DYNADDRESS>
Identifier Direcciones
AddressAllocator myallocator
PoolHint %{Reply:Class}
MapAttribute yiaddr, Framed-IP-Address
MapAttribute subnetmask, Framed-IP-Netmask
</AuthBy>
<AuthBy LSA>
Identifier LSAAuthentication
Domain
DefaultDomain
# EAPType PEAP, TTLS, MSCHAP-V2
EAPType PEAP
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAPath
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
# EAPTLS_RandomFile %D/certificates/random
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
SSLeayTrace 4
</AuthBy>
<AuthBy LSA>
Identifier LSAInner
Domain
DefaultDomain
EAPType MSCHAP-V2
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAPath
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
# EAPTLS_RandomFile %D/certificates/random
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
SSLeayTrace 4
</AuthBy>
<AuthBy LDAP2>
Identifier LDAPAttributes
Host localhost
AuthDN cn=Administrador,cn=Users,dc=ident,dc=uniovi,dc=es
AuthPassword XXXXXXX
# Scope subtree
BaseDN dc=ident,dc=uniovi,dc=es
UsernameAttr cn
# PasswordAttr userPassword
NoCheckPassword
AuthAttrDef UOPerfil,Class,reply
AddToReply Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP
Debug 255
Version 3
NoEAP
</AuthBy>
<StatsLog FILE>
# Interval 2
# Filename -
Format %0:%1:%2:%23:%6:%3:%5
Header
</StatsLog>
<Handler TunnelledByPEAP=1>
AuthByPolicy ContinueWhileAccept
AuthBy LSAInner
# AuthBy LDAPAttributes
# AuthBy Direcciones
# SessionDatabase SQLSession
</Handler>
# <Handler TunnelledByTTLS=1>
# AuthByPolicy ContinueWhileAccept
# AuthBy LDAPAttributes
# AuthBy LSAInner
# AuthBy Direcciones
# SessionDatabase SQLSession
# </Handler>
<Handler>
AuthByPolicy ContinueAlways
AuthBy SQLAccounting
AuthBy LDAPAttributes
AuthBy LSAAuthentication
AuthBy Direcciones
SessionDatabase SQLSession
</Handler>
Thanks again,
Jose Maria Fernandez
Universidad de Oviedo