(RADIATOR) MAC-Address Check and LDAP on OS X

Hugh Irvine hugh at open.com.au
Tue Mar 1 11:58:08 CST 2005


Hello Urs -

Your AuthBy FILE should only check the MAC addresses.

# list MAC addresses

0030.6503.0a96 Auth-Type = ACCEPT

......


The AuthBy LDAP2 should be called after the AuthBy FILE.

<Handler NAS-Port-Type=Wireless-IEEE-802-11>
         AuthByPolicy ContinueWhileAccept
         AuthBy CheckMACAddress
         AuthBy CheckLDAP
</Handler>

BTW - you can only store cleartext passwords when using LEAP.

And I'm not sure whether ServerChecksPassword will work in this scenario.

regards

Hugh


On 1 Mar 2005, at 15:33, Urs Landis wrote:

> Hugh, Mikem
>
> Thanks for the help, now the CheckMacAddress works!
>
> But now I have a new problem! See Trace 4 at the end!
>
> 1. MAC-Address works fine
> 2. CheckLDAP works fine and ACCEPT
> 3. A message with AuthFile Reject
>
> Why AuthFile and why this Reject????
>
>
> regards
>
>
> Urs
>
> TRACE 4:
> Tue Mar  1 15:26:48 2005: DEBUG: LDAP got apple-user-homequota:  
> 1073741824
> Tue Mar  1 15:26:48 2005: DEBUG: LDAP got apple-mcxflags: <?xml  
> version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"  
> "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>         <key>simultaneous_login_enabled</key>
>         <false/>
> </dict>
> </plist>
>
> Tue Mar  1 15:26:48 2005: DEBUG: LDAP got apple-user-homeurl:  
> <home_dir><url>afp://file.hopro.edu/Angestellte</ 
> url><path>urs_landis</path></home_dir>
> Tue Mar  1 15:26:48 2005: DEBUG: LDAP got homeDirectory:  
> /Network/Servers/File.hopro.edu/Angestellte/urs_landis
> Tue Mar  1 15:26:48 2005: DEBUG: LDAP got buildingName: WLAN
> Tue Mar  1 15:26:48 2005: DEBUG: Radius::AuthLDAP2 looks for match  
> with urs_landis
> Tue Mar  1 15:26:48 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Tue Mar  1 15:26:48 2005: DEBUG: EAP result: 1, Bad LEAP Password
> Tue Mar  1 15:26:48 2005: DEBUG: Radius::AuthFILE REJECT: Bad LEAP  
> Password
> Tue Mar  1 15:26:48 2005: DEBUG: AuthBy FILE result: REJECT, Bad LEAP  
> Password
> Tue Mar  1 15:26:48 2005: INFO: Access rejected for urs_landis: Bad  
> LEAP Password
> Tue Mar  1 15:26:48 2005: DEBUG: Packet dump:
> *** Sending to 192.168.95.59 port 21649 ....
> Code:       Access-Reject
> Identifier: 220
> Authentic:  Ea<140><183><198><223>a<30><217>j<164>"<173><253>)<18>
>
> Config File:
> # leap.cfg
> #
>
> Foreground
> LogStdout
> LogDir          /var/log/radius
> DbDir           /etc/radiator
>
> # Use a lower trace level in production systems:
> Trace           4
>
> <Client DEFAULT>
>         Secret  XXXXXX
>         DupInterval 0
> </Client>
>
> <AuthBy FILE>
>         Identifier CheckMACAddress
>         Filename %D/addresses.mac
>         AuthenticateAttribute Calling-Station-Id
>         NoEAP
> #       EAPType LEAP
> #       EAPType TTLS
> #       EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> #       EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> #       EAPTLS_CertificateType PEM
> #       EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> #       EAPTLS_PrivateKeyPassword whatever
> #       EAPTLS_MaxFragmentSize 1000
> #       AutoMPPEKeys
> </AuthBy>
>
> <AuthBy LDAP2>
>         Identifier CheckLDAP
>         Host            192.168.1.21
>         BaseDN          dc=hopro, dc=edu
>         Version         3
>         UsernameAttr    uid
>         ServerChecksPassword
>         EAPType LEAP
> #       SearchFilter (&(uid=%1)(buildingName=WLAN))
> #       AddToReply buildingName
> </AuthBy>
>
> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>         AuthByPolicy ContinueWhileAccept
>         AuthBy CheckMACAddress
> #       EAPType LEAP
> </Handler>
>
> # Handler for radpwtst
> <Handler NAS-Port-Type=Async>
>         AuthBy CheckMACAddress
> </Handler>
>
> Kind regards
>
>
> Urs Landis
> ICT
> Kantonsschule
> Hohe Promenade
> P.O. Box
> Promenadengasse 11
> CH-8090 Zürich
> Tel: 044 - 268 36 29
> Mobile: 079 - 400 40 01
> On 01.03.2005 at 13:12, Hugh Irvine wrote:
>
>>> AuthByPolicy ContinueWhileAccept

NB: I am travelling this week, so there may be delays in our  
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
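The two-stage Handler Hugh describes (a MAC allow-list checked first, the password check second, chained with AuthByPolicy ContinueWhileAccept), modelled in Python as an added example. This is not Radiator's own code and not part of the thread. It assumes the addresses.mac format shown above, a constructed in-memory USERS dictionary standing in for the LDAP directory, and only ACCEPT/REJECT results; Radiator's CHALLENGE and IGNORE results and the LEAP exchange itself are left out.

```python
"""Model of the Handler from the reply above: AuthBy FILE checks only the
Calling-Station-Id against a MAC list, then a password check runs, chained
with ContinueWhileAccept. Added illustration, not Radiator's (Perl) code.
Assumed: addresses.mac format as in the thread; USERS stands in for LDAP;
results are only ACCEPT/REJECT (no CHALLENGE/IGNORE, no EAP)."""
import hmac
import re

# Constructed addresses.mac in the format shown in the thread (Cisco dotted
# form); the second entry is added to show that separators are normalized.
MAC_FILE = """\
# list MAC addresses
0030.6503.0a96 Auth-Type = ACCEPT
00:1a:2b:3c:4d:5e Auth-Type = ACCEPT
"""

# Constructed stand-in for the LDAP directory. Cleartext passwords because
# that is what a LEAP server needs, as the thread notes.
USERS = {"urs_landis": "correct horse"}

_MAC_FORMS = re.compile(
    r"\s*("
    r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}"  # 00:30:65:03:0a:96 or with dashes
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"  # 0030.6503.0a96 (Cisco dotted)
    r"|[0-9a-f]{12}"                     # 003065030a96 (bare)
    r")\s*",
    re.IGNORECASE,
)


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if the attribute
    is not a MAC in one of the forms NAS vendors commonly send."""
    m = _MAC_FORMS.fullmatch(value)
    if not m:
        return None
    return re.sub(r"[:.-]", "", m.group(1)).lower()


def parse_mac_file(text):
    """Parse addresses.mac: one MAC per line followed by its check items.
    Malformed entries are skipped rather than treated as a wildcard."""
    allowed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, items = line.partition(" ")
        mac = normalize_mac(key)
        if mac is not None:
            allowed[mac] = items.strip()
    return allowed


def check_mac_address(request, allowed):
    """AuthBy FILE with AuthenticateAttribute Calling-Station-Id: ACCEPT only
    if the MAC is listed with Auth-Type = ACCEPT. No password is examined;
    the MAC list is an allow-list, not authentication (MACs can be spoofed)."""
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None or allowed.get(mac) != "Auth-Type = ACCEPT":
        return "REJECT"
    return "ACCEPT"


def check_password(request, users):
    """Stand-in for AuthBy LDAP2 comparing a cleartext password."""
    expected = users.get(request.get("User-Name", ""))
    given = request.get("User-Password", "")
    if expected is not None and hmac.compare_digest(
        expected.encode(), given.encode()
    ):
        return "ACCEPT"
    return "REJECT"


def continue_while_accept(request, authbys):
    """AuthByPolicy ContinueWhileAccept: call each AuthBy in order while the
    previous one returned ACCEPT. Returns (result, name of the AuthBy that
    stopped the chain, or None when every AuthBy accepted)."""
    if not authbys:
        return "REJECT", None  # fail closed: nothing vouched for the request
    for name, fn in authbys:
        result = fn(request)
        if result != "ACCEPT":
            return result, name
    return "ACCEPT", None


def authenticate(request, mac_text=MAC_FILE, users=USERS):
    """The Handler from the reply: CheckMACAddress first, CheckLDAP after."""
    allowed = parse_mac_file(mac_text)
    chain = [
        ("CheckMACAddress", lambda r: check_mac_address(r, allowed)),
        ("CheckLDAP", lambda r: check_password(r, users)),
    ]
    return continue_while_accept(request, chain)


if __name__ == "__main__":
    req = {"User-Name": "urs_landis", "User-Password": "correct horse",
           "Calling-Station-Id": "00-30-65-03-0A-96"}
    print(authenticate(req))                                   # ('ACCEPT', None)
    print(authenticate(dict(req, **{"User-Password": "x"})))   # ('REJECT', 'CheckLDAP')
```

Two things the model makes visible that the config alone does not: the MAC stage never reads a password, so it cannot produce a "Bad LEAP Password" reject, and a request from an unlisted MAC is rejected before the directory is ever consulted. Normalizing Calling-Station-Id matters in practice because different NAS vendors send the same address as dotted, colon- or dash-separated, upper- or lowercase; an entry that fails to match because of formatting looks exactly like an unlisted MAC in the log.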

