(RADIATOR) MAC-Address Check and LDAP on OS X
Urs Landis
urs.landis at mac.com
Tue Mar 1 12:44:51 CST 2005
Hugh
Thanks for your help! But I have the same result! Bad LEAP Password! Is
this because this is not a clear text password? Is it possible to get
this running with ServerCheckPassword?
That would be great because I can't do a clear text password check to a
Mac OS X Server.
Tue Mar 1 19:25:25 2005: DEBUG: LDAP got apple-user-homeurl:
<home_dir><url>afp://file.hopro.edu/Angestellte</url><path>urs_landis</path></home_dir>
Tue Mar 1 19:25:25 2005: DEBUG: LDAP got homeDirectory:
/Network/Servers/File.hopro.edu/Angestellte/urs_landis
Tue Mar 1 19:25:25 2005: DEBUG: LDAP got buildingName: WLAN
Tue Mar 1 19:25:25 2005: DEBUG: Radius::AuthLDAP2 looks for match with
urs_landis
Tue Mar 1 19:25:25 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
Tue Mar 1 19:25:25 2005: DEBUG: EAP result: 1, Bad LEAP Password
Tue Mar 1 19:25:25 2005: DEBUG: AuthBy LDAP2 result: REJECT, Bad LEAP
Password
Tue Mar 1 19:25:25 2005: INFO: Access rejected for urs_landis: Bad
LEAP Password
Tue Mar 1 19:25:25 2005: DEBUG: Packet dump:
*** Sending to 192.168.95.59 port 21649 ....
best regards
Urs Landis
ICT
Kantonsschule
Hohe Promenade
Postfach
Promenadengasse 11
CH-8090 Zürich
Tel: 044 - 268 36 29
Nat: 079 - 400 40 01
On 01.03.2005 at 18:58 Hugh Irvine wrote:
>
> Hello Urs -
>
> Your AuthBy FILE should only check the MAC addresses.
>
> # list MAC addresses
>
> 0030.6503.0a96 Auth-Type = ACCEPT
>
> ......
>
>
> The AuthBy LDAP2 should be called after the AuthBy FILE.
>
> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
> AuthByPolicy ContinueWhileAccept
> AuthBy CheckMACAddress
> AuthBy CheckLDAP
> </Handler>
>
> BTW - you can only store cleartext passwords when using LEAP.
>
> And I'm not sure whether ServerChecksPasswords will work in this
> scenario.
>
> regards
>
> Hugh
>
>
> On 1 Mar 2005, at 15:33, Urs Landis wrote:
>
>> Hugh, Mikem
>>
>> Thanks for the help, now the CheckMacAddress works!
>>
>> But now i have a new problem! See trace 4 at the end!
>>
>> 1. MAC-Address works fine
>> 2. CheckLDAP works fine and ACCEPT
>> 3. A message with AuthFile Reject
>>
>> Why AuthFile and why this Reject????
>>
>>
>> regards
>>
>>
>> Urs
>>
>> TRACE 4:
>> Tue Mar 1 15:26:48 2005: DEBUG: LDAP got apple-user-homequota:
>> 1073741824
>> Tue Mar 1 15:26:48 2005: DEBUG: LDAP got apple-mcxflags: <?xml
>> version="1.0" encoding="UTF-8"?>
>> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
>> "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
>> <plist version="1.0">
>> <dict>
>> <key>simultaneous_login_enabled</key>
>> <false/>
>> </dict>
>> </plist>
>>
>> Tue Mar 1 15:26:48 2005: DEBUG: LDAP got apple-user-homeurl:
>> <home_dir><url>afp://file.hopro.edu/Angestellte</url><path>urs_landis</path></home_dir>
>> Tue Mar 1 15:26:48 2005: DEBUG: LDAP got homeDirectory:
>> /Network/Servers/File.hopro.edu/Angestellte/urs_landis
>> Tue Mar 1 15:26:48 2005: DEBUG: LDAP got buildingName: WLAN
>> Tue Mar 1 15:26:48 2005: DEBUG: Radius::AuthLDAP2 looks for match
>> with urs_landis
>> Tue Mar 1 15:26:48 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
>> Tue Mar 1 15:26:48 2005: DEBUG: EAP result: 1, Bad LEAP Password
>> Tue Mar 1 15:26:48 2005: DEBUG: Radius::AuthFILE REJECT: Bad LEAP
>> Password
>> Tue Mar 1 15:26:48 2005: DEBUG: AuthBy FILE result: REJECT, Bad LEAP
>> Password
>> Tue Mar 1 15:26:48 2005: INFO: Access rejected for urs_landis: Bad
>> LEAP Password
>> Tue Mar 1 15:26:48 2005: DEBUG: Packet dump:
>> *** Sending to 192.168.95.59 port 21649 ....
>> Code: Access-Reject
>> Identifier: 220
>> Authentic: Ea<140><183><198><223>a<30><217>j<164>"<173><253>)<18>
>>
>> Config File:
>> # leap.cfg
>> #
>>
>> Foreground
>> LogStdout
>> LogDir /var/log/radius
>> DbDir /etc/radiator
>>
>> # User a lower trace level in production systems:
>> Trace 4
>>
>> <Client DEFAULT>
>> Secret XXXXXX
>> DupInterval 0
>> </Client>
>>
>> <AuthBy FILE>
>> Identifier CheckMACAddress
>> Filename %D/addresses.mac
>> AuthenticateAttribute Calling-Station-Id
>> NoEAP
>> # EAPType LEAP
>> # EAPType TTLS
>> # EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>> # EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>> # EAPTLS_CertificateType PEM
>> # EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>> # EAPTLS_PrivateKeyPassword whatever
>> # EAPTLS_MaxFragmentSize 1000
>> # AutoMPPEKeys
>> </AuthBy>
>>
>> <AuthBy LDAP2>
>> Identifier CheckLDAP
>> Host 192.168.1.21
>> BaseDN dc=hopro, dc=edu
>> Version 3
>> UsernameAttr uid
>> ServerChecksPassword
>> EAPType LEAP
>> # SearchFilter (&(uid=%1)(buildingName=WLAN))
>> # AddToReply buildingName
>> </AuthBy>
>>
>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>> AuthByPolicy ContinueWhileAccept
>> AuthBy CheckMACAddress
>> # EAPType LEAP
>> </Handler>
>>
>> # Handler for radpwtst
>> <Handler NAS-Port-Type=Async>
>> AuthBy CheckMACAddress
>> </Handler>
>>
>> Kind regards
>>
>>
>> Urs Landis
>> ICT
>> Kantonsschule
>> Hohe Promenade
>> Postfach
>> Promenadengasse 11
>> CH-8090 Zürich
>> Tel: 044 - 268 36 29
>> Nat: 079 - 400 40 01
>> On 01.03.2005 at 13:12 Hugh Irvine wrote:
>>
>>>> AuthByPolicy ContinueWhileAccept
>
> NB: I am travelling this week, so there may be delays in our
> correspondence.
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
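The Handler chain Hugh describes above (AuthByPolicy ContinueWhileAccept, MAC allow-list first, then the LDAP password check) can be simulated to see why the LDAP step is only ever reached for an accepted MAC, and why a failed password check ends the chain. This is an added example and not Radiator code: the MAC normalization, the allow-list, the user table and the plain password comparison standing in for AuthBy LDAP2 are all constructed assumptions.

```python
import hmac
import re

# Constructed allow-list in the 'addresses.mac' format quoted in the thread.
MAC_FILE = """# list MAC addresses
0030.6503.0a96 Auth-Type = ACCEPT
00-1a-2b-3c-4d-5e Auth-Type = ACCEPT
"""

# Constructed stand-in for the LDAP directory; LEAP needs the stored password
# to compute the challenge response, so a cleartext store is assumed here.
USERS = {"urs_landis": "secret"}

def normalize_mac(raw):
    """Reduce Cisco dotted, dash or colon Calling-Station-Id spellings to
    12 lowercase hex digits; return None for anything that is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return digits if len(digits) == 12 else None

def load_mac_list(text):
    """Parse the allow-list file, skipping blank and comment lines."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac = normalize_mac(line.split()[0])
        if mac:
            allowed.add(mac)
    return allowed

def check_mac(request, allowed):
    """Stand-in for AuthBy FILE with AuthenticateAttribute Calling-Station-Id."""
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    return "ACCEPT" if mac in allowed else "REJECT"

def check_password(request, users):
    """Stand-in for AuthBy LDAP2: constant-time compare against the stored password."""
    stored = users.get(request.get("User-Name", ""))
    given = request.get("User-Password", "")
    return "ACCEPT" if stored is not None and hmac.compare_digest(stored, given) else "REJECT"

def continue_while_accept(request, authbys):
    """Run AuthBys in order and stop at the first non-ACCEPT result; the
    Handler result is that of the last AuthBy consulted (REJECT if none)."""
    consulted, result = [], "REJECT"
    for name, fn in authbys:
        result = fn(request)
        consulted.append((name, result))
        if result != "ACCEPT":
            break
    return result, consulted

ALLOWED = load_mac_list(MAC_FILE)
CHAIN = [("CheckMACAddress", lambda r: check_mac(r, ALLOWED)),
         ("CheckLDAP", lambda r: check_password(r, USERS))]

def authenticate(request):
    return continue_while_accept(request, CHAIN)
```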