(RADIATOR) Mac-Adress Check and LDAP on OS X

Urs Landis urs.landis at mac.com
Wed Mar 2 02:04:06 CST 2005


Hi Mike, hi Hugh

I don't see the problem with the LEAP authentication to a Mac OS X 
Server. But I'm a dummy beginner!!!!
In my Trace File the LDAP Server says :
Tue Mar  1 19:25:25 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
Tue Mar  1 19:25:25 2005: DEBUG: EAP result: 1, Bad LEAP Password
Is it not possible to take that ACCEPT from AuthLDAP2 and be finished?
I know that's too easy,.......

We work with a Mac OS X Server, several Cisco AP1100, and the Radiator on 
Mac OS X, on Xserve hardware.
For the next weeks all these things (without the LDAP server) are in 
'test mode'. If it helps, there is no problem giving you 
VPN access.



Best regards

Urs Landis
ICT
Kantonsschule
Hohe Promenade
Postfach
Promenadengasse 11
CH-8090 Zürich
Tel: 044 - 268 36 29
Nat: 079 - 400 40 01
On 02.03.2005 at 01:04, Mike McCauley wrote:

> Hi,
>
> On Wednesday 02 March 2005 04:57, Christian Kratzer wrote:
>> Hi,
>>
>> On Tue, 1 Mar 2005, Hugh Irvine wrote:
>>> Hello Urs -
>>>
>>> Your AuthBy FILE should only check the MAC addresses.
>>>
>>> # list MAC addresses
>>>
>>> 0030.6503.0a96 Auth-Type = ACCEPT
>>>
>>> ......
>>>
>>>
>>> The AuthBy LDAP2 should be called after the AuthBy FILE.
>>>
>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>        AuthByPolicy ContinueWhileAccept
>>>        AuthBy CheckMACAddress
>>>        AuthBy CheckLDAP
>>> </Handler>
>>>
>>> BTW - you can only store cleartext passwords when using LEAP.
>>>
>>> And I'm not sure whether ServerChecksPasswords will work in this
>>> scenario.
>>
>> it will not.
>>
>> ServerChecksPassword just passes the username/password combination to
>> the LDAP bind. This rules out any challenge/response based
>> authentication schemes, especially CHAP and MSCHAPv2.
>
> Correct.
>
>>
>> So CHAP is currently only possible if the password is accessible in
>> cleartext via an LDAP attribute, which is why we have not yet been
>> able to get 802.1X PEAP to work with AuthLDAP2 against Active
>> Directory.
>
> Correct again.
>
> Right now the only way to make CHAP, MSCHAP, MSCHAPV2 and PEAP-MSCHAPV2
> work with AD is to use the AuthBy LSA module, which in turn limits Radiator
> to running on Windows.
>
> We note that Novell have released code showing how to fetch plain passwords
> from eDirectory by LDAP.
>
> I wonder if anyone can make a test eDirectory LDAP server available to us
> remotely for testing a solution?
>
> Cheers.
>
>>
>> What I have been thinking about in this context is whether there could be
>> an advanced version of ServerChecksPassword called
>> ServerChecksPasswordUsingSASL that would use SASL to attempt an LDAP bind.
>>
>> SASL should allow Radiator to proxy the challenge/response back to
>> the NAS.
>>
>> I am not sure if this could be done. If yes, this could be a big pain
>> saver for all Active Directory installations.
>>
>> Greetings
>> Christian
>
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   
> http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
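The point Christian makes above (an LDAP simple bind can only answer "is this exact cleartext password right?", so it cannot verify CHAP, MS-CHAP or LEAP responses, which carry a hash rather than the password) is illustrated by the following added example. It is not code from the thread or from Radiator; the in-memory `DIRECTORY` stands in for the LDAP server and `ldap_bind` for what ServerChecksPassword does.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the directory: username -> cleartext password.
DIRECTORY = {"urs": b"s3cret-pw"}


def ldap_bind(username, password):
    """Simulated LDAP simple bind: succeeds only when handed the exact
    cleartext password. This is all ServerChecksPassword can ask."""
    return DIRECTORY.get(username) == password


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def simulate_nas_chap(password, ident=1):
    """What the NAS sends Radiator for CHAP: the challenge it issued and the
    client's response. The cleartext password never leaves the client."""
    challenge = os.urandom(16)
    return ident, challenge, chap_response(ident, password, challenge)


def check_pap_via_bind(username, password):
    """PAP works with a bind: the packet contains the cleartext password."""
    return ldap_bind(username, password)


def check_chap_via_bind(username, ident, challenge, response):
    """A bind-only backend has nothing usable to bind with: the only secret
    material in the packet is a hash, so the bind can never succeed."""
    return ldap_bind(username, response)


def check_chap_with_cleartext(username, ident, challenge, response):
    """The verification that does work: read the cleartext password from a
    directory attribute and recompute the response locally."""
    secret = DIRECTORY.get(username)
    if secret is None:
        return False
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)
```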