(RADIATOR) Mac-Adress Check and LDAP on OS X
Hugh Irvine
hugh at open.com.au
Wed Mar 2 13:50:58 CST 2005
Hello Urs -
Please understand that it is impossible to help without seeing a trace 4 debug showing what is happening.
regards
Hugh
On 2 Mar 2005, at 20:25, Urs Landis wrote:
> Phil's config works fine!!!
>
> Now I am trying to build a config like Phil's, but one which checks the MAC
> address first. I think I can put the MAC address check in the outer part and
> the LDAP in the inner part!
> But my config only does the MAC address check, and it does this on and on and
> on and never stops! It never gets to the LDAP part!!
>
> Please help!!!
>
> My new config file:
>
> # leap.cfg
> #
>
> Foreground
> LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
>
> # Use a lower trace level in production systems:
> Trace 4
>
> <Client DEFAULT>
> Secret scHoProet
> DupInterval 0
> </Client>
>
> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
> <AuthBy FILE>
> # AuthByPolicy ContinueWhileAccept
> Filename %D/addresses.mac
> AuthenticateAttribute Calling-Station-Id
> NoEAP
> </AuthBy>
> </Handler>
>
> <Handler TunnelledByTTLS=1>
> <AuthBy LDAP2>
> Identifier CheckLDAP
> Host 192.168.1.21
> BaseDN dc=hopro, dc=edu
> Version 3
> UsernameAttr uid
> ServerChecksPassword
> </AuthBy>
> </Handler>
>
>
> best regards
>
> Urs Landis
> ICT
> Kantonsschule
> Hohe Promenade
> Postfach
> Promenadengasse 11
> CH-8090 Zürich
> Tel: 044 - 268 36 29
> Nat: 079 - 400 40 01
> On 02.03.2005 at 15:25 Hugh Irvine wrote:
>
>>
>> Hello Urs -
>>
>> Further to this, here is another client:
>>
>> http://www.mtghouse.com/products/aegisclient/mac/index.shtml
>>
>> a Google search for "eap-ttls client" brings up lots of hits, and
>> there is a partial list here:
>>
>> http://www.open.com.au/radiator/technical.html#wireless
>>
>> regards
>>
>> Hugh
>>
>>
>> On 2 Mar 2005, at 09:04, Urs Landis wrote:
>>
>>> Hi Mike, hi Hugh
>>>
>>> I don't see the problem with the LEAP authentication to a Mac OS X
>>> Server. But I'm a dummy beginner!!!!
>>> In my trace file the LDAP server says:
>>> Tue Mar 1 19:25:25 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
>>> Tue Mar 1 19:25:25 2005: DEBUG: EAP result: 1, Bad LEAP Password
>>> Is it not possible to take that ACCEPT from AuthLDAP2 and be finished?
>>> I know that's too easy.......
>>>
>>> We work with a Mac OS X Server, several Cisco AP1100s, and the Radiator
>>> on Mac OS X, on Xserve hardware.
>>> For the next weeks all these things (without the LDAP server) are in
>>> 'test mode'. If it helps, there is no problem giving you
>>> VPN access.
>>>
>>>
>>>
>>> Best regards
>>>
>>> Urs Landis
>>> ICT
>>> Kantonsschule
>>> Hohe Promenade
>>> Postfach
>>> Promenadengasse 11
>>> CH-8090 Zürich
>>> Tel: 044 - 268 36 29
>>> Nat: 079 - 400 40 01
>>> On 02.03.2005 at 01:04 Mike McCauley wrote:
>>>
>>>> Hi,
>>>>
>>>> On Wednesday 02 March 2005 04:57, Christian Kratzer wrote:
>>>>> Hi,
>>>>>
>>>>> On Tue, 1 Mar 2005, Hugh Irvine wrote:
>>>>>> Hello Urs -
>>>>>>
>>>>>> Your AuthBy FILE should only check the MAC addresses.
>>>>>>
>>>>>> # list MAC addresses
>>>>>>
>>>>>> 0030.6503.0a96 Auth-Type = ACCEPT
>>>>>>
>>>>>> ......
>>>>>>
>>>>>>
>>>>>> The AuthBy LDAP2 should be called after the AuthBy FILE.
>>>>>>
>>>>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>>>> AuthByPolicy ContinueWhileAccept
>>>>>> AuthBy CheckMACAddress
>>>>>> AuthBy CheckLDAP
>>>>>> </Handler>
>>>>>>
>>>>>> BTW - you can only store cleartext passwords when using LEAP.
>>>>>>
>>>>>> And I'm not sure whether ServerChecksPasswords will work in this
>>>>>> scenario.
>>>>>
>>>>> it will not.
>>>>>
>>>>> ServerChecksPassword just passes the username/password combination to
>>>>> the LDAP bind. This rules out any challenge/response based
>>>>> authentication schemes, especially CHAP and MSCHAP2.
>>>>
>>>> Correct.
>>>>
>>>>>
>>>>> So CHAP is currently only possible if the password is accessible in
>>>>> cleartext via an LDAP attribute, which is why we have not yet been
>>>>> able to get 802.1X PEAP to work with AuthLDAP2 against Active
>>>>> Directory.
>>>>
>>>> Correct again.
>>>>
>>>> Right now the only way to make CHAP, MSCHAP, MSCHAPV2 and PEAP-MSCHAPV2
>>>> work with AD is to use the AuthBy LSA module, which in turn limits
>>>> Radiator to running on Windows.
>>>>
>>>> We note that Novell have released code showing how to fetch plain
>>>> passwords from eDirectory by LDAP.
>>>>
>>>> I wonder if anyone can make a test eDirectory LDAP server available
>>>> to us remotely for testing a solution?
>>>>
>>>> Cheers.
>>>>
>>>>>
>>>>> What I have been thinking about in this context is if there could
>>>>> be an advanced version of ServerChecksPassword called
>>>>> ServerChecksPasswordUsingSASL that would use SASL to attempt an
>>>>> LDAP bind.
>>>>>
>>>>> SASL should allow Radiator to proxy the challenge response back to
>>>>> the NAS.
>>>>>
>>>>> I am not sure if this could be done. If yes, this could be a big pain
>>>>> saver for all Active Directory installations.
>>>>>
>>>>> Greetings
>>>>> Christian
>>>>
>>>> --
>>>> Mike McCauley mikem at open.com.au
>>>> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
>>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>>>> http://www.open.com.au
>>>> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>>>>
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>>>> TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>
>> NB: I am travelling this week, so there may be delays in our
>> correspondence.
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
> Kind regards
>
>
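A small model of the two-stage check Hugh describes in the quoted thread (a MAC allow-list in the AuthBy FILE format, then the directory, under AuthByPolicy ContinueWhileAccept), added here as an example; it is not Radiator's code and not from anyone in the thread. The file contents, the directory dict, the request fields and the MAC normalisation (Calling-Station-Id spellings vary by NAS) are my own constructed assumptions.

```python
# Model of the suggested Handler: MAC allow-list AuthBy FILE chained with a
# second AuthBy under AuthByPolicy ContinueWhileAccept. Constructed example,
# not Radiator code; file lines follow "0030.6503.0a96 Auth-Type = ACCEPT".
import re

# Constructed addresses.mac contents in the format shown in the thread.
ADDRESSES_MAC = """# list MAC addresses
0030.6503.0a96 Auth-Type = ACCEPT
00-0d-93-1a-2b-3c Auth-Type = ACCEPT
"""

# Constructed stand-in for the LDAP directory: uid -> cleartext password
# (LEAP needs cleartext, as the thread notes).
DIRECTORY = {"urs": "correct horse"}

def normalize_mac(value):
    """Reduce a Calling-Station-Id spelling (Cisco dotted, dashed, colon
    separated, any case) to 12 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if len(digits) == 12 else None

def load_mac_allowlist(text):
    """Parse the users-file style list: first token is the MAC, the rest
    are check items; only entries marked Auth-Type = ACCEPT are allowed."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac = normalize_mac(line.split()[0])
        if mac and "Auth-Type = ACCEPT" in line:
            allowed.add(mac)
    return allowed

def authby_mac(request, allowed):
    # A MAC match is a weak first gate (the address is client-supplied),
    # so it is chained with a real credential check rather than used alone.
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    return mac is not None and mac in allowed

def authby_ldap(request, directory):
    return directory.get(request.get("User-Name")) == request.get("User-Password")

def handler(request, authbys):
    """ContinueWhileAccept: run each AuthBy in turn, stop at the first
    REJECT; the request is accepted only if every AuthBy accepts."""
    for authby in authbys:
        if not authby(request):
            return "REJECT"
    return "ACCEPT"

def authenticate(request):
    allowed = load_mac_allowlist(ADDRESSES_MAC)
    return handler(request, [lambda r: authby_mac(r, allowed),
                             lambda r: authby_ldap(r, DIRECTORY)])
```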