(RADIATOR) MAC-Address Check and LDAP on OS X

Hugh Irvine hugh at open.com.au
Wed Mar 2 08:25:13 CST 2005


Hello Urs -

Further to this, here is another client:

	http://www.mtghouse.com/products/aegisclient/mac/index.shtml

a Google search for "eap-ttls client" brings up lots of hits, and there 
is a partial list here:

	http://www.open.com.au/radiator/technical.html#wireless

regards

Hugh


On 2 Mar 2005, at 09:04, Urs Landis wrote:

> Hi Mike, hi Hugh
>
> I don't see the problem with the LEAP authentication to a Mac OS X 
> Server. But I'm a dummy beginner!!!!
> In my Trace File the LDAP Server says :
> Tue Mar  1 19:25:25 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Tue Mar  1 19:25:25 2005: DEBUG: EAP result: 1, Bad LEAP Password
> Is it not possible to take that ACCEPT from AuthLDAP2 and finish?
> I know that's too easy,.......
>
> We work with a Mac OS X Server, several Cisco AP1100, and the Radiator on 
> Mac OS X, on XServ hardware.
> For the next weeks all these things (without the LDAP server) are in 
> 'test mode'. If it helps there is no problem to give you 
> VPN access
>
>
>
> Best regards
>
> Urs Landis
> ICT
> Kantonsschule
> Hohe Promenade
> Postfach
> Promenadengasse 11
> CH-8090 Zürich
> Tel: 044 - 268 36 29
> Nat: 079 - 400 40 01
> On 02.03.2005 at 01:04, Mike McCauley wrote:
>
>> Hi,
>>
>> On Wednesday 02 March 2005 04:57, Christian Kratzer wrote:
>>> Hi,
>>>
>>> On Tue, 1 Mar 2005, Hugh Irvine wrote:
>>>> Hello Urs -
>>>>
>>>> Your AuthBy FILE should only check the MAC addresses.
>>>>
>>>> # list MAC addresses
>>>>
>>>> 0030.6503.0a96 Auth-Type = ACCEPT
>>>>
>>>> ......
>>>>
>>>>
>>>> The AuthBy LDAP2 should be called after the AuthBy FILE.
>>>>
>>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>>        AuthByPolicy ContinueWhileAccept
>>>>        AuthBy CheckMACAddress
>>>>        AuthBy CheckLDAP
>>>> </Handler>
>>>>
>>>> BTW - you can only store cleartext passwords when using LEAP.
>>>>
>>>> And I'm not sure whether ServerChecksPasswords will work in this
>>>> scenario.
>>>
>>> it will not.
>>>
>>> ServerChecksPassword just passes the username/password combination to
>>> the LDAP bind. This rules out any challenge/response based
>>> authentication schemes, especially CHAP and MSCHAP2.
>>
>> Correct.
>>
>>>
>>> So CHAP is currently only possible if the password is accessible in
>>> cleartext via an LDAP attribute, which is why we have not yet been
>>> able to get 802.1X PEAP to work with AuthLDAP2 against Active Directory.
>>
>> Correct again.
>>
>> Right now the only way to make CHAP, MSCHAP, MSCHAPV2 and PEAP-MSCHAPV2
>> work with AD is to use the AuthBy LSA module, which in turn limits
>> Radiator to running on Windows.
>>
>> We note that Novell have released code showing how to fetch plain
>> passwords from eDirectory by LDAP.
>>
>> I wonder if anyone can make a test eDirectory LDAP server available
>> to us remotely for testing a solution?
>>
>> Cheers.
>>
>>>
>>> What I have been thinking about in this context is if there could be
>>> an advanced version of ServerChecksPassword called
>>> ServerChecksPasswordUsingSASL that would use SASL to attempt an LDAP
>>> bind.
>>>
>>> SASL should allow Radiator to proxy the challenge/response back to
>>> the NAS.
>>>
>>> I am not sure if this could be done. If yes, this could be a big pain
>>> saver for all Active Directory installations.
>>>
>>> Greetings
>>> Christian
>>
>> -- 
>> Mike McCauley                               mikem at open.com.au
>> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, 
>> WWW
>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   
>> http://www.open.com.au
>> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, 
>> TLS,
>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>

NB: I am travelling this week, so there may be delays in our 
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
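Putting Hugh's two pieces of advice together (a FILE check keyed on the client MAC, then LDAP2, chained with ContinueWhileAccept) gives the configuration below. This is an added illustration, not a config posted in the thread or taken from Radiator's own documentation. The Identifier names follow Hugh's Handler; the file path, LDAP host, bind DN, BaseDN, attribute names, the use of AuthenticateAttribute to key the FILE lookup on Calling-Station-Id, and the dotted MAC format are assumptions for illustration and must be adjusted to the site. As the thread states, LEAP needs the cleartext password, so ServerChecksPassword is deliberately not set on the LDAP2 clause.

```conf
# Assumed contents of %D/macaddresses (constructed example, one permitted
# client per line, keyed on the MAC the AP sends in Calling-Station-Id):
#
#   0030.6503.0a96   Auth-Type = ACCEPT
#   0030.6503.0b17   Auth-Type = ACCEPT
#
# Auth-Type = ACCEPT means "accept without checking a password", so this
# clause only answers the question "is this MAC on the list?".

<AuthBy FILE>
    Identifier CheckMACAddress
    Filename %D/macaddresses
    # Assumption: look the entry up by the client's MAC address rather than
    # by User-Name, so the LEAP identity is left for the LDAP step.
    AuthenticateAttribute Calling-Station-Id
</AuthBy>

<AuthBy LDAP2>
    Identifier CheckLDAP
    # Assumed directory details; replace with the real server and DNs.
    Host ldap.example.org
    Port 389
    AuthDN cn=radius,dc=example,dc=org
    AuthPassword change-me
    BaseDN cn=users,dc=example,dc=org
    UsernameAttr uid
    # LEAP is challenge/response: Radiator must read the user's cleartext
    # password from this attribute and compute the expected response itself.
    # ServerChecksPassword (binding as the user with the supplied password)
    # cannot work here, as stated in the thread, so it is left unset.
    PasswordAttr userPassword
    EAPType LEAP
</AuthBy>

<Handler NAS-Port-Type=Wireless-IEEE-802-11>
    # Run the MAC check first and only continue to LDAP while each AuthBy
    # accepts; an unknown MAC is rejected before any LDAP lookup happens.
    AuthByPolicy ContinueWhileAccept
    AuthBy CheckMACAddress
    AuthBy CheckLDAP
</Handler>
```

With this layout the "ACCEPT" from the FILE clause is not the final answer: ContinueWhileAccept passes the request on to CheckLDAP, and the overall result is the reply of the last AuthBy, which is where the "Bad LEAP Password" in Urs's trace comes from. If the directory cannot supply a cleartext password in PasswordAttr, the LDAP step cannot succeed for LEAP regardless of how the MAC check is arranged.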

