(RADIATOR) authby LSA - active directory groups
Mike McCauley
mikem at open.com.au
Tue Jun 21 04:05:11 CDT 2005
Hello Stephane,
thanks for your note and the results of your investigations.
I see the problem now: it's using the User-Name in the inner request instead of
the EAP identity.
One way to fix this would be to specify
EAPAnonymous %0
in the PEAP handler.
Cheers.
On Tuesday 21 June 2005 18:36, DELORT Stephane wrote:
> Hello Mike,
>
> Answering to your question, the test script printed out the user login.
> (ie: "myuser")
>
>
> I took a look at AuthLSA.pm and wrote some debug output.
> I provided "myuser" as a login on the client side.
>
> In CheckUserAttributes I have:
> print "$user"; => "Radius::User=HASH(0x1c337f0)"
> print "$userName"; => "anonymous"
>
> In userIsInGroup:
> print "$controller"; => "mypdc"
> print "$group"; => "wireless"
> print "$user"; => "anonymous" (it should be "myuser" to be OK)
>
> I guess that $user in CheckUserAttributes is the user name given to windows
> and cyphered to be MSCHAP-V2 compliant. (so decyphered it should be
> "myuser").
>
> Right now, I don't know how to have the username in the clear for
> userIsInGroup (it would replace $user) but will work on it.
>
> regards,
> Stéphane
>
>
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Tuesday 21 June 2005 02:19
> To: DELORT Stephane
> Cc: radiator at open.com.au; ZOUAIN Fatek
> Subject: Re: (RADIATOR) authby LSA - active directory groups
>
>
> Hello Stephane,
>
> when you run your test script, exactly what user name does it print out as
> belonging to the wireless group?
>
> Radiator checks for group membership using just the user name without any
> associated domain.
>
> Cheers.
>
> On Monday 20 June 2005 23:56, DELORT Stephane wrote:
> > I made some tests in order to round/solve the problem.
> >
> > Using the included script I can see that my user belongs to the wireless
> > group. Radiator is not able to figure this out and still refuses to
> > authenticate my user despite the wireless group being global. On my first
> > mail I missed "DomainController mypdc" - updated below.
> >
> > Regards,
> > Stéphane
> >
> >
> > <script.pl>
> > # the original script can be found at
> > # http://www.xav.com/perl/site/lib/Win32/NetAdmin.html
> > # (FILTER_NORMAL_ACCOUNT added to the import list so the constant
> > # resolves under strict)
> >
> > use strict;
> > use warnings;
> > use Win32::NetAdmin qw(GetUsers GroupIsMember FILTER_NORMAL_ACCOUNT);
> >
> > # enumerate the normal user accounts known to the domain controller
> > my %hash;
> > GetUsers("mypdc", FILTER_NORMAL_ACCOUNT, \%hash)
> >   or die "GetUsers() failed: $^E";
> >
> > # report every account the controller says is a member of "wireless"
> > foreach (keys %hash) {
> >   if (GroupIsMember("mypdc", "wireless", $_)) {
> >     print "user $_ ($hash{$_}) belongs to wireless\n";
> >   }
> > }
> >
> > </script.pl>
> >
> >
> >
> > -----Original Message-----
> > From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On behalf
> > of DELORT Stephane
> > Sent: Monday 20 June 2005 11:49
> > To: radiator at open.com.au
> > Cc: ZOUAIN Fatek
> > Subject: (RADIATOR) authby LSA - active directory groups
> >
> >
> > Dear list members,
> >
> > I am currently using radiator with PEAP and MSCHAP-V2, authenticating
> > against AD. I would like to use the group feature of LSA but I do not
> > know how to make it work.
> >
> > Following the reference manual, I have in my config file:
> >
> > ...
> > <Handler TunneledByPeap=1>
> > <AuthBy LSA>
> > Domain mydomain.com
> > EAPType MSCHAP-V2
> > Group wireless
> > #also tried "Group Domain wireless"
> > DomainController mypdc
> > </AuthBy LSA>
> > </Handler>
> >
> >
> > In the log file, radiator recorded:
> > ...
> > Raduis::AuthLSA REJECT, AuthBy LSA User is not a member of any group
> > ...
> >
> > The problem is that my user IS a member of the wireless group!
> >
> > Did anyone try this feature?
> >
> > Kind regards,
> > Stéphane
> >
> >
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
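The failure discussed in this thread is an authorization check run against the wrong identity: the PEAP outer User-Name ("anonymous") instead of the inner EAP identity, which is also the reason no group ever matched. The following Perl is an added illustration, not Radiator's or AuthLSA.pm's code: it picks the inner identity for the group lookup, reduces it to the bare account name (no DOMAIN\ prefix or @realm, as the thread says the LSA check compares names), refuses to authorize an anonymous placeholder, and checks against a constructed in-memory group map standing in for the domain controller.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the directory: group -> members, keyed by the
# bare account name (no DOMAIN\ prefix, no @realm).
my %group_members = ( wireless => { myuser => 1 } );

# Reduce any identity form we were handed to the bare account name.
sub bare_username {
    my ($name) = @_;
    return '' unless defined $name;
    $name =~ s/^.*\\//;      # strip DOMAIN\ prefix
    $name =~ s/\@.*$//;      # strip @realm suffix
    return $name;
}

# The identity the group check must use is the EAP identity from the inner
# request; the outer User-Name of a PEAP session is usually only a placeholder.
sub identity_for_group_check {
    my ($outer_user_name, $inner_eap_identity) = @_;
    my $id = (defined $inner_eap_identity && length $inner_eap_identity)
           ? $inner_eap_identity : $outer_user_name;
    return bare_username($id);
}

# Never grant group-based access to an empty or anonymous identity.
sub user_is_in_group {
    my ($group, $user) = @_;
    return 0 if $user eq '' || lc($user) eq 'anonymous';
    return exists $group_members{$group}{$user} ? 1 : 0;
}

# Reproduce the thread's symptom (first case) and the corrected lookup,
# all with constructed sample identities.
for my $case (['anonymous', undef],
              ['anonymous', 'mydomain.com\\myuser'],
              ['anonymous', 'myuser@mydomain.com']) {
    my $user = identity_for_group_check(@$case);
    printf "outer=%s inner=%s -> checked '%s': %s\n",
        $case->[0], $case->[1] // '(none)', $user,
        user_is_in_group('wireless', $user) ? 'ACCEPT' : 'REJECT';
}
```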