(RADIATOR) authby LSA - active directory groups

DELORT Stephane Stephane.DELORT at murex.com
Tue Jun 21 03:36:24 CDT 2005


Hello Mike,

Answering your question, the test script printed out the user login (i.e. "myuser").


I took a look at AuthLSA.pm and wrote some debug output.
I provided "myuser" as the login on the client side.

In CheckUserAttributes I have:
print "$user";      => "Radius::User=HASH(0x1c337f0)"
print "$userName";  => "anonymous"

In userIsInGroup:
print "$controller";   => "mypdc"
print "$group";        => "wireless"
print "$user";         => "anonymous"  (it should be "myuser" to be OK)

I guess that $user in CheckUserAttributes is the user name given to Windows and ciphered to be MSCHAP-V2 compliant (so deciphered it should be "myuser").

Right now I don't know how to have the username in the clear for userIsInGroup (it would replace $user) but will work at it.

Regards,
Stéphane




-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au]
Sent: Tuesday 21 June 2005 02:19
To: DELORT Stephane
Cc: radiator at open.com.au; ZOUAIN Fatek
Subject: Re: (RADIATOR) authby LSA - active directory groups


Hello Stephane,

when you run your test script, exactly what user name does it print out as 
belonging to the wireless group?

Radiator checks for group membership using just the user name without any 
associated domain.

Cheers.

On Monday 20 June 2005 23:56, DELORT Stephane wrote:
> I made some tests in order to work around/solve the problem.
>
> Using the included script I can see that my user belongs to the wireless
> group. Radiator is not able to figure this out and still refuses to
> authenticate my user despite the wireless group being global. In my first mail
> I missed "DomainController mypdc" - updated below.
>
> Regards,
> Stéphane
>
>
> <script.pl>
> # the original script can be found at
> # http://www.xav.com/perl/site/lib/Win32/NetAdmin.html
>
>     use strict;
>     use warnings;
>     # FILTER_NORMAL_ACCOUNT has to be named in the import list once one is
>     # given; otherwise it is an unknown bareword under strict.
>     use Win32::NetAdmin qw(GetUsers GroupIsMember FILTER_NORMAL_ACCOUNT);
>
>     # enumerate the ordinary user accounts known to the domain controller
>     my %hash;
>     GetUsers("mypdc", FILTER_NORMAL_ACCOUNT, \%hash)
>         or die "GetUsers() failed: $^E";
>
>     # report every account that is a member of the global group "wireless"
>     foreach (keys %hash) {
>         if (GroupIsMember("mypdc", "wireless", $_)) {
>             print "user $_ ($hash{$_}) belongs to wireless\n";
>         }
>     }
>
> </script.pl>
>
>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On behalf
> of DELORT Stephane
> Sent: Monday 20 June 2005 11:49
> To: radiator at open.com.au
> Cc: ZOUAIN Fatek
> Subject: (RADIATOR) authby LSA - active directory groups
>
>
> Dear list members,
>
> I am currently using radiator with PEAP and MSCHAP-V2, authenticating
> against AD. I would like to use the group feature of LSA but I do not know
> how to make it work.
>
> Following the reference manual, I have in my config file:
>
> ...
> <Handler TunneledByPeap=1>
> 	<AuthBy LSA>
> 		Domain mydomain.com
> 		EAPType MSCHAP-V2
> 		Group wireless
> 		#also tried "Group Domain wireless"
> 		DomainController mypdc
> 	</AuthBy LSA>
> </Handler>
>
>
> In the log file, Radiator recorded:
> ...
> Radius::AuthLSA REJECT, AuthBy LSA User is not a member of any group
> ...
>
> The problem is that my user IS a member of the wireless group!
>
> Has anyone tried this feature?
>
> Kind regards,
> Stéphane
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

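The debug output above shows the group check receiving the outer PEAP identity ("anonymous") while the inner MSCHAP-V2 identity ("myuser") is the account that actually has to be tested, and Mike's reply notes that Radiator compares the bare user name with no domain attached. The Perl below is an added example, not Radiator's AuthLSA code and not the Win32::NetAdmin API: it picks the inner identity over a placeholder outer one and reduces the DOMAIN\user and user@realm spellings to the bare account name before a group lookup. The placeholder list, the in-memory membership table that stands in for GroupIsMember("mypdc", ...), and all sample identities are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: choose and normalise the identity used for an AD group
# membership check in a PEAP/MSCHAP-V2 exchange. Not Radiator code.
use strict;
use warnings;

# The outer (phase 1) EAP identity is often a placeholder such as
# "anonymous"; only the inner (tunneled) identity names the real account.
# Constructed placeholder list; keys are lower case.
my %PLACEHOLDER = ( anonymous => 1 );

# Reduce DOMAIN\user or user@realm to the bare SAM account name, which is
# what a group lookup such as GroupIsMember() expects.
sub bare_username {
    my ($name) = @_;
    return undef unless defined $name && length $name;
    $name =~ s/^[^\\]*\\//;     # DOMAIN\user        -> user
    $name =~ s/\@[^@]*$//;      # user@realm         -> user
    return (length $name) ? $name : undef;
}

# Prefer the inner identity; fall back to the outer one; never accept a
# placeholder. Returns undef when no usable name is available.
sub identity_for_group_check {
    my ($outer, $inner) = @_;
    for my $candidate ($inner, $outer) {
        my $bare = bare_username($candidate);
        next unless defined $bare;
        next if $PLACEHOLDER{ lc $bare };
        return $bare;
    }
    return undef;
}

# Constructed membership table standing in for GroupIsMember("mypdc", ...).
# Member names are stored in lower case and compared case-insensitively,
# as SAM account names are.
my %GROUP_MEMBERS = ( wireless => { myuser => 1 } );

sub user_is_in_group {
    my ($group, $user) = @_;
    return 0 unless defined $user && exists $GROUP_MEMBERS{$group};
    return $GROUP_MEMBERS{$group}{ lc $user } ? 1 : 0;
}

# Constructed cases mirroring the thread: the outer identity on its own
# fails, the inner identity passes in any of its common spellings.
my @cases = (
    # outer        inner                   expected
    [ 'anonymous', undef,                  0 ],
    [ 'anonymous', 'myuser',               1 ],
    [ 'anonymous', 'MYDOMAIN\\myuser',     1 ],
    [ 'anonymous', 'myuser@mydomain.com',  1 ],
    [ 'anonymous', 'MyUser@mydomain.com',  1 ],
    [ 'myuser',    undef,                  1 ],
    [ 'anonymous', 'otheruser',            0 ],
);

for my $c (@cases) {
    my ($outer, $inner, $want) = @$c;
    my $user = identity_for_group_check($outer, $inner);
    my $got  = user_is_in_group('wireless', $user);
    printf "%-10s / %-22s -> %-10s %s\n",
        $outer,
        (defined $inner ? $inner : '(none)'),
        (defined $user  ? $user  : '(none)'),
        ($got == $want  ? 'ok'   : 'MISMATCH');
}
```

Run it with `perl` on any platform; every line should end in `ok`. The first case is the situation in the thread: when only "anonymous" reaches the check, no real account is ever tested and the group lookup has to fail.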