(RADIATOR) Mac-Adress Check and LDAP on OS X

Hugh Irvine hugh at open.com.au
Thu Mar 3 00:45:53 CST 2005


Hello Urs -

The problem here is that you do not have anything configured to do EAP 
in your first Handler.

Your AuthBy clause is only doing the MAC address check without EAP and 
there is nothing doing EAP, so you will need to add a second AuthBy 
FILE to deal with the EAP part:

<Handler NAS-Port-Type=Wireless-IEEE-802-11>

        AuthByPolicy ContinueWhileAccept

        <AuthBy FILE>
                Filename %D/addresses.mac
                AuthenticateAttribute Calling-Station-Id
                NoEAP
        </AuthBy>

        <AuthBy FILE>
                Filename %D/users
                EAPType PEAP
                .......
        </AuthBy>

</Handler>

regards

Hugh


On 2 Mar 2005, at 21:01, Urs Landis wrote:

> Hugh
> here the Trace 4 log and my config
>
> Trace 4 File:
> Wed Mar  2 20:58:12 2005: DEBUG: Packet dump:
> *** Received from 192.168.95.59 port 21645 ....
> Code:       Access-Request
> Identifier: 56
> Authentic:  q2<23><251>.{Y<184><141>.<136>J<147>s^<137>
> Attributes:
>         User-Name = "urs_landis"
>         Framed-MTU = 1400
>         Called-Station-Id = "0013.19fc.2f90"
>         Calling-Station-Id = "0030.6503.0a96"
>         Service-Type = Login-User
>         Message-Authenticator = 
> <232>|<157><255><255><148><7><181><11>f<143><194><193><232><170>c
>         EAP-Message = <2><1><0><15><1>urs_landis
>         NAS-Port-Type = Wireless-IEEE-802-11
>         NAS-Port = 298
>         NAS-IP-Address = 192.168.95.59
>         NAS-Identifier = "AP-09-023"
>
> Wed Mar  2 20:58:12 2005: DEBUG: Handling request with Handler 
> 'NAS-Port-Type=Wireless-IEEE-802-11'
> Wed Mar  2 20:58:12 2005: DEBUG:  Deleting session for urs_landis, 
> 192.168.95.59, 298
> Wed Mar  2 20:58:12 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Mar  2 20:58:12 2005: DEBUG: Radius::AuthFILE looks for match with 
> 0030.6503.0a96
> Wed Mar  2 20:58:12 2005: DEBUG: Radius::AuthFILE ACCEPT: Accept 
> explicitly by Auth-Type=Accept
> Wed Mar  2 20:58:12 2005: DEBUG: AuthBy FILE result: ACCEPT, Accept 
> explicitly by Auth-Type=Accept
> Wed Mar  2 20:58:12 2005: DEBUG: Access accepted for urs_landis
> Wed Mar  2 20:58:12 2005: DEBUG: Packet dump:
> *** Sending to 192.168.95.59 port 21645 ....
> Code:       Access-Accept
> Identifier: 56
> Authentic:  q2<23><251>.{Y<184><141>.<136>J<147>s^<137>
> Attributes:
>
> Wed Mar  2 20:58:13 2005: DEBUG: Packet dump:
> *** Received from 192.168.95.59 port 21645 ....
> Code:       Access-Request
> Identifier: 57
> Authentic:  <179>"<2><189><203><1><26>B*Y9!SW<162><155>
> Attributes:
>         User-Name = "urs_landis"
>         Framed-MTU = 1400
>         Called-Station-Id = "0013.19fc.2f90"
>         Calling-Station-Id = "0030.6503.0a96"
>         Service-Type = Login-User
>         Message-Authenticator = :<30><146>T^Ezh<129>b7"<142>~O$
>         EAP-Message = <2><1><0><15><1>urs_landis
>         NAS-Port-Type = Wireless-IEEE-802-11
>         NAS-Port = 299
>         NAS-IP-Address = 192.168.95.59
>         NAS-Identifier = "AP-09-023"
>
> Wed Mar  2 20:58:13 2005: DEBUG: Handling request with Handler 
> 'NAS-Port-Type=Wireless-IEEE-802-11'
> Wed Mar  2 20:58:13 2005: DEBUG:  Deleting session for urs_landis, 
> 192.168.95.59, 299
> Wed Mar  2 20:58:13 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Mar  2 20:58:13 2005: DEBUG: Radius::AuthFILE looks for match with 
> 0030.6503.0a96
> Wed Mar  2 20:58:13 2005: DEBUG: Radius::AuthFILE ACCEPT: Accept 
> explicitly by Auth-Type=Accept
> Wed Mar  2 20:58:13 2005: DEBUG: AuthBy FILE result: ACCEPT, Accept 
> explicitly by Auth-Type=Accept
> Wed Mar  2 20:58:13 2005: DEBUG: Access accepted for urs_landis
> Wed Mar  2 20:58:13 2005: DEBUG: Packet dump:
> *** Sending to 192.168.95.59 port 21645 ....
> Code:       Access-Accept
> Identifier: 57
> Authentic:  <179>"<2><189><203><1><26>B*Y9!SW<162><155>
> Attributes:
>
> My Config:
> # leap.cfg
> #
>
> Foreground
> LogStdout
> LogDir          /var/log/radius
> DbDir           /etc/radiator
>
> # Use a lower trace level in production systems:
> Trace           4
>
> <Client DEFAULT>
>         Secret  scHoProet
>         DupInterval 0
> </Client>
>
> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>         <AuthBy FILE>
> #               AuthByPolicy ContinueWhileAccept
>                 Filename %D/addresses.mac
>                 AuthenticateAttribute Calling-Station-Id
>                 NoEAP
>         </AuthBy>
> </Handler>
>
> <Handler TunnelledByTTLS=1>
>         <AuthBy LDAP2>
>                 Identifier CheckLDAP
>                 Host            192.168.1.21
>                 BaseDN          dc=hopro, dc=edu
>                 Version         3
>                 UsernameAttr    uid
>                 ServerChecksPassword
> #               EPType PAP
> #               EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> #               EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> #               EAPTLS_CertificateType PEM
> #               EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> #               EAPTLS_PrivateKeyPassword whatever
> #               EAPTLS_MaxFragmentSize 1000
> #               AutoMPPEKeys
> #               SearchFilter (&(uid=%1)(buildingName=WLAN))
>         </AuthBy>
> </Handler>
>
> best regards
>
> Urs Landis
> ICT
> Kantonsschule
> Hohe Promenade
> Postfach
> Promenadengasse 11
> CH-8090 Zürich
> Tel: 044 - 268 36 29
> Nat: 079 - 400 40 01
> On 02.03.2005 at 20:50, Hugh Irvine wrote:
>
>>
>> Hello Urs -
>>
>> Please understand that it is impossible to help without seeing a 
>> trace 4 debug showing what is happening.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 2 Mar 2005, at 20:25, Urs Landis wrote:
>>
>>> Phil's config works fine!!!
>>>
>>> Now I try to build a config like Phil's but which checks the MAC 
>>> address first. I think I can make the MAC address check in the outer part 
>>> and the LDAP in the inner part!
>>> But my config only makes the MAC address check, and does this on and on and 
>>> on and never stops! It never goes to the LDAP part!!
>>>
>>> Please help!!!
>>>
>>> My new config file:
>>>
>>> # leap.cfg
>>> #
>>>
>>> Foreground
>>> LogStdout
>>> LogDir          /var/log/radius
>>> DbDir           /etc/radiator
>>>
>>> # Use a lower trace level in production systems:
>>> Trace           4
>>>
>>> <Client DEFAULT>
>>>         Secret  scHoProet
>>>         DupInterval 0
>>> </Client>
>>>
>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>         <AuthBy FILE>
>>> #               AuthByPolicy ContinueWhileAccept
>>>                 Filename %D/addresses.mac
>>>                 AuthenticateAttribute Calling-Station-Id
>>>                 NoEAP
>>>         </AuthBy>
>>> </Handler>
>>>
>>> <Handler TunnelledByTTLS=1>
>>>         <AuthBy LDAP2>
>>>                 Identifier CheckLDAP
>>>                 Host            192.168.1.21
>>>                 BaseDN          dc=hopro, dc=edu
>>>                 Version         3
>>>                 UsernameAttr    uid
>>>                 ServerChecksPassword
>>>         </AuthBy>
>>> </Handler>
>>>
>>>
>>> best regards
>>>
>>> On 02.03.2005 at 15:25, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Urs -
>>>>
>>>> Further to this, here is another client:
>>>>
>>>> 	http://www.mtghouse.com/products/aegisclient/mac/index.shtml
>>>>
>>>> a Google search for "eap-ttls client" brings up lots of hits, and 
>>>> there is a partial list here:
>>>>
>>>> 	http://www.open.com.au/radiator/technical.html#wireless
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 2 Mar 2005, at 09:04, Urs Landis wrote:
>>>>
>>>>> Hi Mike, hi Hugh
>>>>>
>>>>> I don't see the problem with the LEAP authentication to a Mac OS 
>>>>> X Server. But I'm a dummy beginner!!!!
>>>>> In my Trace File the LDAP Server says :
>>>>> Tue Mar  1 19:25:25 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
>>>>> Tue Mar  1 19:25:25 2005: DEBUG: EAP result: 1, Bad LEAP Password
>>>>> Is it not possible to take that ACCEPT from AuthLDAP2 and be finished?
>>>>> I know that's too easy,.......
>>>>>
>>>>> We work with a Mac OS X Server, several Cisco AP1100s, and 
>>>>> Radiator on Mac OS X, on Xserve hardware.
>>>>> For the next weeks all these things (without the LDAP server) are 
>>>>> in 'test-mode'. If it helps there is no problem giving you 
>>>>> VPN access.
>>>>>
>>>>>
>>>>>
>>>>> Best regards
>>>>>
>>>>> On 02.03.2005 at 01:04, Mike McCauley wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Wednesday 02 March 2005 04:57, Christian Kratzer wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> On Tue, 1 Mar 2005, Hugh Irvine wrote:
>>>>>>>> Hello Urs -
>>>>>>>>
>>>>>>>> Your AuthBy FILE should only check the MAC addresses.
>>>>>>>>
>>>>>>>> # list MAC addresses
>>>>>>>>
>>>>>>>> 0030.6503.0a96 Auth-Type = ACCEPT
>>>>>>>>
>>>>>>>> ......
>>>>>>>>
>>>>>>>>
>>>>>>>> The AuthBy LDAP2 should be called after the AuthBy FILE.
>>>>>>>>
>>>>>>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>>>>>>        AuthByPolicy ContinueWhileAccept
>>>>>>>>        AuthBy CheckMACAddress
>>>>>>>>        AuthBy CheckLDAP
>>>>>>>> </Handler>
>>>>>>>>
>>>>>>>> BTW - you can only store cleartext passwords when using LEAP.
>>>>>>>>
>>>>>>>> And I'm not sure whether ServerChecksPasswords will work in this
>>>>>>>> scenario.
>>>>>>>
>>>>>>> it will not.
>>>>>>>
>>>>>>> ServerChecksPassword just passes the username/password combination to
>>>>>>> the ldap bind.  This rules out any challenge / response based
>>>>>>> authentication schemes, especially chap and mschap2.
>>>>>>
>>>>>> Correct.
>>>>>>
>>>>>>>
>>>>>>> So CHAP is currently only possible if the password is accessible in
>>>>>>> cleartext via an LDAP attribute, which is why we have not yet been
>>>>>>> able to get 802.1X PEAP to work with AuthLDAP2 against Active
>>>>>>> Directory.
>>>>>>
>>>>>> Correct again.
>>>>>>
>>>>>> Right now the only way to make CHAP, MSCHAP, MSCHAPV2 and PEAP-MSCHAPV2
>>>>>> work with AD is to use the AuthBy LSA module, which in turn limits
>>>>>> Radiator to running on Windows.
>>>>>>
>>>>>> We note that Novell have released code showing how to fetch plain
>>>>>> passwords from eDirectory by LDAP.
>>>>>>
>>>>>> I wonder if anyone can make a test eDirectory LDAP server available
>>>>>> to us remotely for testing a solution?
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>>>
>>>>>>> What I have been thinking about in this context is if there could be
>>>>>>> an advanced version of ServerChecksPassword called
>>>>>>> ServerChecksPasswordUsingSASL that would use sasl to attempt an ldap
>>>>>>> bind.
>>>>>>>
>>>>>>> Sasl should allow radiator to proxy the challenge response back to
>>>>>>> the nas.
>>>>>>>
>>>>>>> I am not sure if this could be done. If yes, this could be a big pain
>>>>>>> saver for all active directory installations.
>>>>>>>
>>>>>>> Greetings
>>>>>>> Christian
>>>>>>
>>>>>> -- 
>>>>>> Mike McCauley                               mikem at open.com.au
>>>>>> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
>>>>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
>>>>>> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>>>>>>
>>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>>>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>>>>
>>>>>> --
>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>> Announcements on radiator-announce at open.com.au
>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>
>>>>>>
>>>>
>>>> NB: I am travelling this week, so there may be delays in our
>>>> correspondence.
>>>>
>>>> -- 
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>
>>
>>
>>

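The loop Urs describes is visible in the Trace 4 output: every Access-Request carries an EAP-Message, yet each reply is an Access-Accept with no attributes at all, so the supplicant never gets an EAP exchange and the AP simply asks again. The script below is an added example, not code from this thread or from Radiator: it pairs request and reply packet dumps by peer and Identifier and flags replies that short-circuit EAP in this way. The sample log is a constructed, trimmed copy of the lines quoted above, with a second, healthy exchange (an Access-Challenge) added for contrast.

```python
import re
HEADER = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
FIELD = re.compile(r"^(Code|Identifier):\s+(\S+)")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")

# Constructed sample, trimmed from the Trace 4 dump quoted in the thread:
# id 56 is the broken exchange, id 57 shows a healthy EAP exchange (Access-Challenge).
SAMPLE_TRACE = """\
*** Received from 192.168.95.59 port 21645 ....
Code:       Access-Request
Identifier: 56
        Calling-Station-Id = "0030.6503.0a96"
        EAP-Message = <2><1><0><15><1>urs_landis
*** Sending to 192.168.95.59 port 21645 ....
Code:       Access-Accept
Identifier: 56
*** Received from 192.168.95.59 port 21645 ....
Code:       Access-Request
Identifier: 57
        EAP-Message = <2><1><0><15><1>urs_landis
*** Sending to 192.168.95.59 port 21645 ....
Code:       Access-Challenge
Identifier: 57
        EAP-Message = <1><2><0><6><25><32>
"""

def parse_packets(trace):
    """Split a Trace 4 log into packet dicts: dir, peer, Code, Identifier, attrs."""
    packets, cur = [], None
    for line in trace.splitlines():
        if m := HEADER.match(line):
            cur = {"dir": "in" if m[1] == "Received from" else "out", "peer": m[2], "attrs": {}}
            packets.append(cur)
        elif cur and (m := FIELD.match(line)):
            cur[m[1]] = m[2]
        elif cur and (m := ATTR.match(line)):
            cur["attrs"].setdefault(m[1], []).append(m[2])
    return packets

def find_eap_short_circuits(trace):
    """Identifiers of Access-Accepts answering an EAP request with no EAP-Message in the reply."""
    pending, bad = {}, []
    for p in parse_packets(trace):
        key = (p["peer"], p.get("Identifier"))
        if p["dir"] == "in":
            pending[key] = p  # hold the request until its reply is seen
        elif (req := pending.pop(key, None)) and "EAP-Message" in req["attrs"] \
                and p.get("Code") == "Access-Accept" and "EAP-Message" not in p["attrs"]:
            bad.append(int(key[1]))
    return bad
```

Feed a real Trace 4 file to `find_eap_short_circuits`; any identifier it returns marks a reply where the first AuthBy accepted on the MAC address alone and nothing went on to handle EAP.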