(RADIATOR) MAC-Address Check and LDAP on OS X
Urs Landis
urs.landis at mac.com
Wed Mar 2 14:01:11 CST 2005
Hugh,
Here is the trace 4 log and my config.
Trace 4 file:
Wed Mar 2 20:58:12 2005: DEBUG: Packet dump:
*** Received from 192.168.95.59 port 21645 ....
Code: Access-Request
Identifier: 56
Authentic: q2<23><251>.{Y<184><141>.<136>J<147>s^<137>
Attributes:
User-Name = "urs_landis"
Framed-MTU = 1400
Called-Station-Id = "0013.19fc.2f90"
Calling-Station-Id = "0030.6503.0a96"
Service-Type = Login-User
Message-Authenticator = <232>|<157><255><255><148><7><181><11>f<143><194><193><232><170>c
EAP-Message = <2><1><0><15><1>urs_landis
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 298
NAS-IP-Address = 192.168.95.59
NAS-Identifier = "AP-09-023"
Wed Mar 2 20:58:12 2005: DEBUG: Handling request with Handler 'NAS-Port-Type=Wireless-IEEE-802-11'
Wed Mar 2 20:58:12 2005: DEBUG: Deleting session for urs_landis, 192.168.95.59, 298
Wed Mar 2 20:58:12 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Mar 2 20:58:12 2005: DEBUG: Radius::AuthFILE looks for match with 0030.6503.0a96
Wed Mar 2 20:58:12 2005: DEBUG: Radius::AuthFILE ACCEPT: Accept explicitly by Auth-Type=Accept
Wed Mar 2 20:58:12 2005: DEBUG: AuthBy FILE result: ACCEPT, Accept explicitly by Auth-Type=Accept
Wed Mar 2 20:58:12 2005: DEBUG: Access accepted for urs_landis
Wed Mar 2 20:58:12 2005: DEBUG: Packet dump:
*** Sending to 192.168.95.59 port 21645 ....
Code: Access-Accept
Identifier: 56
Authentic: q2<23><251>.{Y<184><141>.<136>J<147>s^<137>
Attributes:
Wed Mar 2 20:58:13 2005: DEBUG: Packet dump:
*** Received from 192.168.95.59 port 21645 ....
Code: Access-Request
Identifier: 57
Authentic: <179>"<2><189><203><1><26>B*Y9!SW<162><155>
Attributes:
User-Name = "urs_landis"
Framed-MTU = 1400
Called-Station-Id = "0013.19fc.2f90"
Calling-Station-Id = "0030.6503.0a96"
Service-Type = Login-User
Message-Authenticator = :<30><146>T^Ezh<129>b7"<142>~O$
EAP-Message = <2><1><0><15><1>urs_landis
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 299
NAS-IP-Address = 192.168.95.59
NAS-Identifier = "AP-09-023"
Wed Mar 2 20:58:13 2005: DEBUG: Handling request with Handler 'NAS-Port-Type=Wireless-IEEE-802-11'
Wed Mar 2 20:58:13 2005: DEBUG: Deleting session for urs_landis, 192.168.95.59, 299
Wed Mar 2 20:58:13 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Mar 2 20:58:13 2005: DEBUG: Radius::AuthFILE looks for match with 0030.6503.0a96
Wed Mar 2 20:58:13 2005: DEBUG: Radius::AuthFILE ACCEPT: Accept explicitly by Auth-Type=Accept
Wed Mar 2 20:58:13 2005: DEBUG: AuthBy FILE result: ACCEPT, Accept explicitly by Auth-Type=Accept
Wed Mar 2 20:58:13 2005: DEBUG: Access accepted for urs_landis
Wed Mar 2 20:58:13 2005: DEBUG: Packet dump:
*** Sending to 192.168.95.59 port 21645 ....
Code: Access-Accept
Identifier: 57
Authentic: <179>"<2><189><203><1><26>B*Y9!SW<162><155>
Attributes:
My config:
# leap.cfg
#
Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
<Client DEFAULT>
Secret scHoProet
DupInterval 0
</Client>
<Handler NAS-Port-Type=Wireless-IEEE-802-11>
<AuthBy FILE>
# AuthByPolicy ContinueWhileAccept
Filename %D/addresses.mac
AuthenticateAttribute Calling-Station-Id
NoEAP
</AuthBy>
</Handler>
<Handler TunnelledByTTLS=1>
<AuthBy LDAP2>
Identifier CheckLDAP
Host 192.168.1.21
BaseDN dc=hopro, dc=edu
Version 3
UsernameAttr uid
ServerChecksPassword
# EPType PAP
# EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CertificateFile %D/certificates/cert-srv.pem
# EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
# EAPTLS_PrivateKeyPassword whatever
# EAPTLS_MaxFragmentSize 1000
# AutoMPPEKeys
# SearchFilter (&(uid=%1)(buildingName=WLAN))
</AuthBy>
</Handler>
best regards
Urs Landis
ICT
Kantonsschule
Hohe Promenade
Postfach
Promenadengasse 11
CH-8090 Zürich
Tel: 044 - 268 36 29
Nat: 079 - 400 40 01
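In the trace above every EAP-Identity request is answered by an Access-Accept with no attributes at all, which is the MAC-only accept that loops without ever reaching the TTLS/LDAP part. As an added example (not from this thread or from Radiator), here is a small Python check that pairs request and reply packets from a trace 4 dump and flags any Access-Accept that answers an EAP-Message request without carrying an EAP-Message (EAP-Success) itself; the sample trace is constructed in the same shape as the dump above.

```python
import re
# Constructed sample shaped like the trace 4 dumps above (not the original log): request 56 gets an empty Access-Accept, 58 a real EAP challenge.
SAMPLE_TRACE = """\
*** Received from 192.168.95.59 port 21645 ....
Code: Access-Request
Identifier: 56
Calling-Station-Id = "0030.6503.0a96"
EAP-Message = <2><1><0><15><1>urs_landis
*** Sending to 192.168.95.59 port 21645 ....
Code: Access-Accept
Identifier: 56
*** Received from 192.168.95.59 port 21645 ....
Code: Access-Request
Identifier: 58
EAP-Message = <2><1><0><15><1>urs_landis
*** Sending to 192.168.95.59 port 21645 ....
Code: Access-Challenge
Identifier: 58
EAP-Message = <1><2><0><6><21><32>
"""

def parse_packets(trace):
    """Split a trace 4 dump into packets: dir, peer, code, identifier, attrs."""
    packets = []
    for line in trace.splitlines():
        m = re.match(r"\*\*\* (Received from|Sending to) (\S+ port \d+)", line)
        if m:
            packets.append({"dir": m.group(1), "peer": m.group(2), "attrs": {}})
        elif packets and " = " in line:  # attribute line; keep the first value of a repeated name
            name, value = line.split(" = ", 1)
            packets[-1]["attrs"].setdefault(name.strip(), value.strip().strip('"'))
        elif packets and re.match(r"(Code|Identifier): ", line):  # packet header line
            key, value = line.split(": ", 1)
            packets[-1][key.lower()] = value.strip()
    return packets

def find_eap_bypass(packets):
    """Pair requests with replies by (peer, identifier) and flag an Access-Accept that answers
    an EAP-Message request without an EAP-Message (no EAP-Success: the inner method never ran)."""
    pending, findings = {}, []
    for p in packets:
        key = (p["peer"], p["identifier"])
        if p["dir"] == "Received from" and p["code"] == "Access-Request":
            pending[key] = p
        elif p["dir"] == "Sending to" and key in pending:
            req = pending.pop(key)
            if p["code"] == "Access-Accept" and "EAP-Message" in req["attrs"] \
                    and "EAP-Message" not in p["attrs"]:
                findings.append((p["identifier"], req["attrs"].get("Calling-Station-Id")))
    return findings
```

Run against a real trace 4 file, each finding names a request whose accept rested on the Calling-Station-Id match alone; a correctly chained MAC check plus EAP-TTLS should produce none.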
On 02.03.2005 at 20:50, Hugh Irvine wrote:
>
> Hello Urs -
>
> Please understand that it is impossible to help without seeing a trace
> 4 debug showing what is happening.
>
> regards
>
> Hugh
>
>
> On 2 Mar 2005, at 20:25, Urs Landis wrote:
>
>> Phil's config works fine!!!
>>
>> Now I try to build a config like Phil's but which checks the MAC
>> address first. I think I can make the MAC address check in the outer part
>> and the LDAP in the inner part!
>> But my config only makes the MAC address check, and this on and on and
>> on and never stops! It never goes to the LDAP part!!
>>
>> Please help!!!
>>
>> My new config file:
>>
>> # leap.cfg
>> #
>>
>> Foreground
>> LogStdout
>> LogDir /var/log/radius
>> DbDir /etc/radiator
>>
>> # Use a lower trace level in production systems:
>> Trace 4
>>
>> <Client DEFAULT>
>> Secret scHoProet
>> DupInterval 0
>> </Client>
>>
>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>> <AuthBy FILE>
>> # AuthByPolicy ContinueWhileAccept
>> Filename %D/addresses.mac
>> AuthenticateAttribute Calling-Station-Id
>> NoEAP
>> </AuthBy>
>> </Handler>
>>
>> <Handler TunnelledByTTLS=1>
>> <AuthBy LDAP2>
>> Identifier CheckLDAP
>> Host 192.168.1.21
>> BaseDN dc=hopro, dc=edu
>> Version 3
>> UsernameAttr uid
>> ServerChecksPassword
>> </AuthBy>
>> </Handler>
>>
>>
>> best regards
>>
>> Urs Landis
>> ICT
>> Kantonsschule
>> Hohe Promenade
>> Postfach
>> Promenadengasse 11
>> CH-8090 Zürich
>> Tel: 044 - 268 36 29
>> Nat: 079 - 400 40 01
>> On 02.03.2005 at 15:25, Hugh Irvine wrote:
>>
>>>
>>> Hello Urs -
>>>
>>> Further to this, here is another client:
>>>
>>> http://www.mtghouse.com/products/aegisclient/mac/index.shtml
>>>
>>> a Google search for "eap-ttls client" brings up lots of hits, and
>>> there is a partial list here:
>>>
>>> http://www.open.com.au/radiator/technical.html#wireless
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 2 Mar 2005, at 09:04, Urs Landis wrote:
>>>
>>>> Hi Mike, hi Hugh
>>>>
>>>> I don't see the problem with the LEAP authentication to a Mac OS X
>>>> Server. But I'm a dummy beginner!!!!
>>>> In my trace file the LDAP server says:
>>>> Tue Mar 1 19:25:25 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
>>>> Tue Mar 1 19:25:25 2005: DEBUG: EAP result: 1, Bad LEAP Password
>>>> Is it not possible to take that ACCEPT from AuthLDAP2 and be finished?
>>>> I know that's too easy.......
>>>>
>>>> We work with a Mac OS X Server, several Cisco AP1100, and the Radiator
>>>> on Mac OS X, on XServ hardware.
>>>> For the next weeks all these things (without the LDAP server) are in
>>>> 'test mode'. If it helps, there is no problem giving you
>>>> VPN access.
>>>>
>>>>
>>>>
>>>> Best regards
>>>>
>>>> Urs Landis
>>>> ICT
>>>> Kantonsschule
>>>> Hohe Promenade
>>>> Postfach
>>>> Promenadengasse 11
>>>> CH-8090 Zürich
>>>> Tel: 044 - 268 36 29
>>>> Nat: 079 - 400 40 01
>>>> On 02.03.2005 at 01:04, Mike McCauley wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On Wednesday 02 March 2005 04:57, Christian Kratzer wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On Tue, 1 Mar 2005, Hugh Irvine wrote:
>>>>>>> Hello Urs -
>>>>>>>
>>>>>>> Your AuthBy FILE should only check the MAC addresses.
>>>>>>>
>>>>>>> # list MAC addresses
>>>>>>>
>>>>>>> 0030.6503.0a96 Auth-Type = ACCEPT
>>>>>>>
>>>>>>> ......
>>>>>>>
>>>>>>>
>>>>>>> The AuthBy LDAP2 should be called after the AuthBy FILE.
>>>>>>>
>>>>>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>>>>> AuthByPolicy ContinueWhileAccept
>>>>>>> AuthBy CheckMACAddress
>>>>>>> AuthBy CheckLDAP
>>>>>>> </Handler>
>>>>>>>
>>>>>>> BTW - you can only store cleartext passwords when using LEAP.
>>>>>>>
>>>>>>> And I'm not sure whether ServerChecksPasswords will work in this
>>>>>>> scenario.
>>>>>>
>>>>>> it will not.
>>>>>>
>>>>>> ServerChecksPassword just passes the username/password combination to
>>>>>> the LDAP bind. This rules out any challenge / response based
>>>>>> authentication schemes, especially CHAP and MSCHAP2.
>>>>>
>>>>> Correct.
>>>>>
>>>>>>
>>>>>> So CHAP is currently only possible if the password is accessible in
>>>>>> cleartext via an LDAP attribute, which is why we have not yet been
>>>>>> able to get 802.1X PEAP to work with AuthLDAP2 against Active
>>>>>> Directory.
>>>>>
>>>>> Correct again.
>>>>>
>>>>> Right now the only way to make CHAP, MSCHAP, MSCHAPV2 and PEAP-MSCHAPV2
>>>>> work with AD is to use the AuthBy LSA module, which in turn limits
>>>>> Radiator to running on Windows.
>>>>>
>>>>> We note that Novell have released code showing how to fetch plain
>>>>> passwords from eDirectory by LDAP.
>>>>>
>>>>> I wonder if anyone can make a test eDirectory LDAP server available
>>>>> to us remotely for testing a solution?
>>>>>
>>>>> Cheers.
>>>>>
>>>>>>
>>>>>> What I have been thinking about in this context is if there could be
>>>>>> an advanced version of ServerChecksPassword called
>>>>>> ServerChecksPasswordUsingSASL that would use SASL to attempt an
>>>>>> LDAP bind.
>>>>>>
>>>>>> SASL should allow Radiator to proxy the challenge response back
>>>>>> to the NAS.
>>>>>>
>>>>>> I am not sure if this could be done. If yes, this could be a big
>>>>>> pain saver for all Active Directory installations.
>>>>>>
>>>>>> Greetings
>>>>>> Christian
>>>>>
>>>>> --
>>>>> Mike McCauley mikem at open.com.au
>>>>> Open System Consultants Pty. Ltd Unix, Perl, Motif,
>>>>> C++, WWW
>>>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>>>>> http://www.open.com.au
>>>>> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>>>>>
>>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>>> server
>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,
>>>>> Emerald,
>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>>>>> TLS,
>>>>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>>>
>>>>> --
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>>
>>>
>>> NB: I am travelling this week, so there may be delays in our
>>> correspondence.
>>>
>>> --
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>> Kind regards
>>
>>
>> Urs Landis
>> ICT
>> Kantonsschule
>> Hohe Promenade
>> Postfach
>> Promenadengasse 11
>> CH-8090 Zürich
>> Tel: 044 - 268 36 29
>> Nat: 079 - 400 40 01
>>
>