(RADIATOR) MAC-Address Check and LDAP on OS X
Mike McCauley
mikem at open.com.au
Tue Mar 1 18:04:15 CST 2005
Hi,
On Wednesday 02 March 2005 04:57, Christian Kratzer wrote:
> Hi,
>
> On Tue, 1 Mar 2005, Hugh Irvine wrote:
> > Hello Urs -
> >
> > Your AuthBy FILE should only check the MAC addresses.
> >
> > # list MAC addresses
> >
> > 0030.6503.0a96 Auth-Type = ACCEPT
> >
> > ......
> >
> >
> > The AuthBy LDAP2 should be called after the AuthBy FILE.
> >
> > <Handler NAS-Port-Type=Wireless-IEEE-802-11>
> > AuthByPolicy ContinueWhileAccept
> > AuthBy CheckMACAddress
> > AuthBy CheckLDAP
> > </Handler>
> >
> > BTW - you can only store cleartext passwords when using LEAP.
> >
> > And I'm not sure whether ServerChecksPasswords will work in this
> > scenario.
>
> it will not.
>
> ServerChecksPassword just passes the username/password combination to
> the ldap bind. This rules out any challenge / response based
> authentication schemes like especially chap and mschap2.
Correct.
>
> So CHAP is currently only possible if the password is accessible in
> cleartext via an LDAP attribute which is why we have not yet been
> able to get 802.1X PEAP to work with AuthLDAP2 against Active Directory.
Correct again.
Right now the only way to make CHAP, MSCHAP, MSCHAPV2 and PEAP-MSCHAPV2
work with AD is to use the AuthBy LSA module, which in turn limits Radiator
to running on Windows.
We note that Novell have released code showing how to fetch plain passwords
from eDirectory by LDAP.
I wonder if anyone can make a test eDirectory LDAP server available to us
remotely for testing a solution?
Cheers.
>
> What I have been thinking about in this context is if there could be an
> advanced version of ServerChecksPassword called
> ServerChecksPasswordUsingSASL that would use sasl to attempt an ldap bind.
>
> SASL should allow radiator to proxy the challenge response back to the nas.
>
> I am not sure if this could be done. If yes this could be a big pain saver
> for all active directory installations.
>
> Greetings
> Christian
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
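The point made above about ServerChecksPassword (an LDAP bind can only answer "is this string the user's password?", so it can verify PAP but not a CHAP-style challenge/response) is easy to see in code. The following is an added example, not code from Radiator or from anyone in this thread: it implements CHAP-MD5 exactly as RFC 1994 defines it (Response = MD5(Identifier || Secret || Challenge)) and compares two verifiers, one that holds the cleartext password and one that only has a bind-style oracle. The in-memory `BindOracle` directory, the user name and the secret are constructed stand-ins for a real LDAP server.

```python
"""CHAP (RFC 1994) verified with a cleartext password versus with a bind oracle.

Added example, not Radiator code. Demonstrates why a "pass the password to
an LDAP bind" check works for PAP but cannot verify CHAP/MS-CHAP responses.
"""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || Secret || Challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify_with_cleartext(ident: int, challenge: bytes, response: bytes,
                               stored_secret: bytes) -> bool:
    """Server that can read the cleartext password (e.g. an LDAP attribute):
    recompute the expected response and compare in constant time."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


class BindOracle:
    """Stand-in for ServerChecksPassword: all it can do is a simple bind with
    (user, candidate password) and report success or failure. The directory
    dict is constructed for this example; a real deployment has an LDAP server."""

    def __init__(self, directory: dict[str, bytes]) -> None:
        self._dir = directory

    def bind(self, user: str, candidate: bytes) -> bool:
        stored = self._dir.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored, candidate)


def pap_verify_with_bind(oracle: BindOracle, user: str, password: bytes) -> bool:
    """PAP carries the password itself, so the bind is a complete check."""
    return oracle.bind(user, password)


def chap_verify_with_bind(oracle: BindOracle, user: str,
                          challenge: bytes, response: bytes) -> bool:
    """CHAP carries only MD5(id||secret||challenge). The bind oracle cannot
    reverse that, and the server has no secret of its own to recompute it,
    so the best it can do is bind with the response bytes, which never matches
    the password. (challenge is unused because nothing here can use it.)"""
    del challenge
    return oracle.bind(user, response)


def demo() -> dict[str, bool]:
    """Run both verifiers against one constructed user and return the outcomes."""
    user, secret = "urs", b"correct horse battery"      # constructed sample
    directory = BindOracle({user: secret})
    ident = 7
    challenge = os.urandom(16)                           # NAS-generated challenge
    response = chap_response(ident, secret, challenge)   # what the client sends

    return {
        # Server holding the cleartext password: valid response accepted,
        # response computed from the wrong secret rejected.
        "cleartext_chap": chap_verify_with_cleartext(ident, challenge, response, secret),
        "cleartext_chap_wrong": chap_verify_with_cleartext(
            ident, challenge, chap_response(ident, b"wrong", challenge), secret),
        # Bind oracle: PAP works, CHAP fails even for a genuine response.
        "bind_pap": pap_verify_with_bind(directory, user, secret),
        "bind_chap": chap_verify_with_bind(directory, user, challenge, response),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accept' if ok else 'reject'}")
```

The same structure holds for MS-CHAP and MS-CHAPv2: the server must compute the NT hash of the password (MD4 over UTF-16LE) to check the response, which again requires the cleartext password or the stored hash, not a bind. That is why a SASL mechanism that lets the directory itself complete the challenge/response, as suggested in the thread, is the only way to avoid exposing the password to the RADIUS server.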