(RADIATOR) MAC Address Check and LDAP on OS X

Urs Landis urs.landis at mac.com
Wed Mar 2 13:25:58 CST 2005


Phil's config works fine!!!

Now I am trying to build a config like Phil's, but one which checks the MAC 
address first. I think I can do the MAC address check in the outer part and 
the LDAP in the inner part!
But my config only does the MAC address check, over and over and over 
again, and never stops! It never gets to the LDAP part!!

Please help!!!

My new config file:

# leap.cfg
#

Foreground
LogStdout
LogDir          /var/log/radius
DbDir           /etc/radiator

# Use a lower trace level in production systems:
Trace           4

<Client DEFAULT>
         Secret  scHoProet
         DupInterval 0
</Client>

<Handler NAS-Port-Type=Wireless-IEEE-802-11>
         <AuthBy FILE>
#               AuthByPolicy ContinueWhileAccept
                 Filename %D/addresses.mac
                 AuthenticateAttribute Calling-Station-Id
                 NoEAP
         </AuthBy>
</Handler>

<Handler TunnelledByTTLS=1>
         <AuthBy LDAP2>
                 Identifier CheckLDAP
                 Host            192.168.1.21
                 BaseDN          dc=hopro, dc=edu
                 Version         3
                 UsernameAttr    uid
                 ServerChecksPassword
         </AuthBy>
</Handler>


best regards

Urs Landis
ICT
Kantonsschule
Hohe Promenade
Postfach
Promenadengasse 11
CH-8090 Zürich
Tel: 044 - 268 36 29
Nat: 079 - 400 40 01
On 02.03.2005 at 15:25, Hugh Irvine wrote:

>
> Hello Urs -
>
> Further to this, here is another client:
>
> 	http://www.mtghouse.com/products/aegisclient/mac/index.shtml
>
> a Google search for "eap-ttls client" brings up lots of hits, and 
> there is a partial list here:
>
> 	http://www.open.com.au/radiator/technical.html#wireless
>
> regards
>
> Hugh
>
>
> On 2 Mar 2005, at 09:04, Urs Landis wrote:
>
>> Hi Mike, hi Hugh
>>
>> I don't see the problem with the LEAP authentication to a Mac OS X 
>> Server. But I'm a dummy beginner!!!!
>> In my Trace File the LDAP Server says :
>> Tue Mar  1 19:25:25 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
>> Tue Mar  1 19:25:25 2005: DEBUG: EAP result: 1, Bad LEAP Password
>> Is it not possible to take that ACCEPT from AuthLDAP2 and be finished?
>> I know that's too easy,.......
>>
>> We work with a Mac OS X Serv, several Cisco AP1100, and the Radiator 
>> on Mac OS X, on an XServ Hardware.
>> For the next weeks all these things (without the LDAP-Server) are in 
>> 'test-mode'. If it helps there is no problem to give you 
>> VPN-Access
>>
>>
>>
>> Best regards
>>
>> Urs Landis
>> ICT
>> Kantonsschule
>> Hohe Promenade
>> Postfach
>> Promenadengasse 11
>> CH-8090 Zürich
>> Tel: 044 - 268 36 29
>> Nat: 079 - 400 40 01
>> On 02.03.2005 at 01:04, Mike McCauley wrote:
>>
>>> Hi,
>>>
>>> On Wednesday 02 March 2005 04:57, Christian Kratzer wrote:
>>>> Hi,
>>>>
>>>> On Tue, 1 Mar 2005, Hugh Irvine wrote:
>>>>> Hello Urs -
>>>>>
>>>>> Your AuthBy FILE should only check the MAC addresses.
>>>>>
>>>>> # list MAC addresses
>>>>>
>>>>> 0030.6503.0a96 Auth-Type = ACCEPT
>>>>>
>>>>> ......
>>>>>
>>>>>
>>>>> The AuthBy LDAP2 should be called after the AuthBy FILE.
>>>>>
>>>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>>>        AuthByPolicy ContinueWhileAccept
>>>>>        AuthBy CheckMACAddress
>>>>>        AuthBy CheckLDAP
>>>>> </Handler>
>>>>>
>>>>> BTW - you can only store cleartext passwords when using LEAP.
>>>>>
>>>>> And I'm not sure whether ServerChecksPasswords will work in this
>>>>> scenario.
>>>>
>>>> it will not.
>>>>
>>>> ServerChecksPassword just passes the username/password combination to
>>>> the ldap bind.  This rules out any challenge / response based
>>>> authentication schemes like especially chap and mschap2.
>>>
>>> Correct.
>>>
>>>>
>>>> So CHAP is currently only possible if the password is accessible in
>>>> cleartext via an LDAP attribute which is why we have not yet been
>>>> able to get 802.1X PEAP to work with AuthLDAP2 against Active 
>>>> Directory.
>>>
>>> Correct again.
>>>
>>> Right now the only way to make CHAP, MSCHAP, MSCHAPV2 and PEAP-MSCHAPV2 to
>>> work with AD is to use the AuthBy LSA module, which in turn limits Radiator
>>> to running on Windows.
>>>
>>> We note that Novell have released code showing how to fetch plain passwords
>>> from eDirectory by LDAP.
>>>
>>> I wonder if anyone can make a test eDirectory LDAP server available to us
>>> remotely for testing a solution?
>>>
>>> Cheers.
>>>
>>>>
>>>> What I have been thinking about in this context is if there could be an
>>>> advanced version of ServerChecksPassword called
>>>> ServerChecksPasswordUsingSASL that would use sasl to attempt an ldap bind.
>>>>
>>>> Sasl should allow radiator to proxy the challenge response back to the nas.
>>>>
>>>> I am not sure if this could be done. If yes this could be a big pain saver
>>>> for all active directory installations.
>>>>
>>>> Greetings
>>>> Christian
>>>
>>> -- 
>>> Mike McCauley                               mikem at open.com.au
>>> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
>>> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>>>
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>
> NB: I am travelling this week, so there may be delays in our 
> correspondence.
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
Kind regards

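Added example (written for this archive page; it is not Radiator's code and not anything the posters sent): a small Python model of the two layouts discussed in the thread. One Handler whose AuthBy FILE MAC check and AuthBy LDAP2 are chained with AuthByPolicy ContinueWhileAccept, as Hugh suggested, is compared with the poster's layout where the MAC check sits alone in the Handler that matches. The policy semantics (stop at the first non-Accept, last result wins) and the "first matching Handler wins" dispatch are assumptions for the model; the MAC list, the directory contents and the request attributes are constructed sample data.

```python
# Simplified model of Radiator Handler selection and AuthByPolicy chaining.
# Assumption: the first Handler whose conditions match handles the request,
# and ContinueWhileAccept runs the next AuthBy only while the previous one
# returned ACCEPT. This is an illustration, not Radiator's implementation.
from dataclasses import dataclass, field

ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed stand-ins for %D/addresses.mac and the LDAP directory.
MAC_ALLOWLIST = {"0030.6503.0a96"}
LDAP_USERS = {"urs": "correct horse"}


def authby_file_mac(req):
    """AuthBy FILE with AuthenticateAttribute Calling-Station-Id:
    accept only when the client MAC is on the list."""
    return ACCEPT if req.get("Calling-Station-Id") in MAC_ALLOWLIST else REJECT


def authby_ldap(req):
    """AuthBy LDAP2 with ServerChecksPassword: a simple bind, which can only
    succeed when a cleartext User-Password is present in the request."""
    pw = req.get("User-Password")
    if pw is None:
        return REJECT
    return ACCEPT if LDAP_USERS.get(req.get("User-Name")) == pw else REJECT


@dataclass
class Handler:
    match: dict                      # attribute=value pairs selecting this Handler
    authbys: list
    policy: str = "ContinueWhileAccept"
    trace: list = field(default_factory=list)   # names of AuthBys that ran

    def matches(self, req):
        return all(req.get(k) == v for k, v in self.match.items())

    def run(self, req):
        self.trace = []
        result = REJECT
        for authby in self.authbys:
            self.trace.append(authby.__name__)
            result = authby(req)
            if self.policy == "ContinueWhileAccept" and result != ACCEPT:
                break            # first non-Accept ends the chain and is final
        return result


def dispatch(handlers, req):
    """Only the first matching Handler's AuthBy chain runs."""
    for h in handlers:
        if h.matches(req):
            return h.run(req)
    return REJECT


# Hugh's suggested layout: MAC check, then LDAP, inside one Handler.
CHAINED = [Handler({"NAS-Port-Type": "Wireless-IEEE-802-11"},
                   [authby_file_mac, authby_ldap])]

# The poster's layout: the MAC check alone in the Handler that matches, so
# the LDAP Handler is never consulted for the same request.
SPLIT = [Handler({"NAS-Port-Type": "Wireless-IEEE-802-11"}, [authby_file_mac]),
         Handler({"TunnelledByTTLS": "1"}, [authby_ldap])]


def sample_request(mac="0030.6503.0a96", password="correct horse"):
    """Constructed request carrying the attributes both AuthBys look at."""
    return {"NAS-Port-Type": "Wireless-IEEE-802-11",
            "Calling-Station-Id": mac,
            "User-Name": "urs", "User-Password": password}


if __name__ == "__main__":
    print("chained, good MAC, good password:", dispatch(CHAINED, sample_request()))
    print("chained, good MAC, bad password: ", dispatch(CHAINED, sample_request(password="x")))
    print("chained, bad MAC:                ", dispatch(CHAINED, sample_request(mac="dead.beef.0000")),
          CHAINED[0].trace)
    print("split, good MAC, bad password:   ", dispatch(SPLIT, sample_request(password="x")),
          SPLIT[0].trace)
```

The last line is the point of the thread: with the split layout a listed MAC is accepted without the LDAP check ever running, while the chained layout rejects the same request because ContinueWhileAccept carries it on to AuthBy LDAP2, and an unlisted MAC is rejected before LDAP is consulted at all.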
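Added example (not from the thread or from Radiator) for Christian's and Mike's point that ServerChecksPassword, being an LDAP simple bind, rules out CHAP-style schemes: the code computes an RFC 1994 CHAP response and shows that verifying it needs the cleartext password on the RADIUS side, whereas a bind can only answer "is this the password" and has no password to hand. The directory contents, user name, password and challenge are constructed sample values; simple_bind is a stand-in for the LDAP server.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a directory that holds the cleartext password in
# an LDAP attribute (the situation Christian describes as the only one that
# currently works for CHAP).
DIRECTORY = {"urs": "correct horse"}


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


def simple_bind(username: str, password: str) -> bool:
    """Stand-in for the LDAP simple bind behind ServerChecksPassword: the
    server compares a cleartext password and answers yes or no. The caller
    never sees the stored password."""
    return DIRECTORY.get(username) == password


def verify_chap_via_bind(username: str, ident: int,
                         challenge: bytes, response: bytes) -> bool:
    """All a bind-only back end has is the client's response; there is no
    password on this side to hash with the challenge, so the only move is to
    bind with the response bytes, which a real directory will not accept."""
    return simple_bind(username, response.hex())


def verify_chap_via_cleartext(username: str, ident: int,
                              challenge: bytes, response: bytes) -> bool:
    """Reads the cleartext password from the directory, recomputes the
    expected response and compares it in constant time."""
    password = DIRECTORY.get(username)
    if password is None:
        return False
    expected = chap_response(ident, password, challenge)
    return hmac.compare_digest(expected, response)


def demo(challenge: bytes = None):
    """Returns (cleartext verification result, bind verification result)
    for a correct CHAP response from user 'urs'."""
    if challenge is None:
        challenge = os.urandom(16)
    ident = 7
    response = chap_response(ident, "correct horse", challenge)
    return (verify_chap_via_cleartext("urs", ident, challenge, response),
            verify_chap_via_bind("urs", ident, challenge, response))


if __name__ == "__main__":
    print("cleartext attribute, simple bind:", demo())
```

The same shape holds for MS-CHAP and MS-CHAPv2, which are also challenge/response over a stored secret: a back end that only offers a bind cannot complete the exchange, which is why the thread points at a cleartext attribute or a Windows-only module as the only current options.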