(RADIATOR) LSA and reply attributes
Hugh Irvine
hugh at open.com.au
Thu Jun 16 19:58:09 CDT 2005
Hello Christian -
A more elegant means of doing what you describe involves using
cascaded AuthBy clauses - first a top-level AuthBy FILE clause with
multiple DEFAULT entries, each one defining a different Group check.
There are examples in the Radiator mailing list archive
(www.open.com.au/archives/radiator).
regards
Hugh
On 17 Jun 2005, at 06:34, Christian Kratzer wrote:
> Hi Hugh,
>
> On Tue, 14 Jun 2005, Hugh Irvine wrote:
>
>>
>> Hello Jose -
>>
>> As the AuthBy LSA clause only does authentication, you will
>> probably need to use an AuthBy LDAP clause as well to get the
>> Profile attribute.
>>
>> Something like this:
>>
>> AuthByPolicy ContinueAlways
>>
>> <AuthBy LDAP2>
>>     # get the Profile attribute
>>     .....
>> </AuthBy>
>>
>> <AuthBy LSA>
>>     # do the authentication
>>     .....
>> </AuthBy>
>>
>
>
> any idea what to do when using <AuthBy LSA> to authenticate from an
> NT Domain and still do attribute assignment based on groups?
>
> Using <AuthBy LDAP> won't work with NT 4.0 Domains.
>
> Using <AuthBy NT> won't work with CHAP.
>
> Based on your above example I thought of using something on the
> order of:
>
> AuthByPolicy ContinueAlways
> <AuthBy LSA>
>     .....
>     Group Administrators
>     AddToReply Class=VLAN1
> </AuthBy>
> <AuthBy LSA>
>     .....
>     Group Domain Users
>     AddToReply Class=VLAN2
> </AuthBy>
> <AuthBy LSA>
>     .....
>     Group Guests
>     AddToReply Class=VLAN-Guest
> </AuthBy>
>
> Feels ugly to me but I am not sure if there is any other way with
> NT 4.0 domains and CHAP?
>
> We would of course have to get the patch for reversibly stored
> passwords in NT 4.0 to get CHAP to work at all.
>
> This is for a potential new Radiator customer who wants to do EAP auth
> from NT domains. I had been thinking about it for a couple of days
> when I saw the postings on the list ;-)
>
> Greetings
> Christian
>
> --
> Christian Kratzer ck at cksoft.de
> CK Software GmbH http://www.cksoft.de/
> Phone: +49 7452 889 135 Fax: +49 7452 889 136
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.