(RADIATOR) problem with leap and ldap

Simon Merckx simon.merckx at virgajesse.be
Thu Mar 3 09:44:13 CST 2005


I have configured Cisco 1130 APs to work with my Radiator RADIUS server. I use LEAP. This works fine when I use a local file with users in it. But when I try to use my LDAP server (Oracle) it fails. I have installed the latest patch (3.11) but that doesn't solve the problem. I have tested LDAP without LEAP and authenticated via radpwtst. This works fine. So my LDAP parameters in my config are good. Below are the last lines of output from Radiator.
Below that is my config file. The LDAP seems to give an accept, but Radiator does not seem to understand it. It keeps giving "EAP result: 1, Bad LEAP Password".

Does anybody know the answer to my problem?

output:

Thu Mar  3 15:26:30 2005: DEBUG: LDAP got uid: mersi
Thu Mar  3 15:26:30 2005: DEBUG: Radius::AuthLDAP2 looks for match with mersi
Thu Mar  3 15:26:30 2005: DEBUG: Radius::AuthLDAP2 ACCEPT: 
Thu Mar  3 15:26:30 2005: DEBUG: EAP result: 1, Bad LEAP Password
Thu Mar  3 15:26:30 2005: INFO: Access rejected for mersi: Bad LEAP Password
Thu Mar  3 15:26:30 2005: DEBUG: Packet dump:
*** Sending to 10.10.10.10 port 21650 ....
Code:       Access-Reject
Identifier: 111
Authentic:  <245><175><224><227>7<190><135><186><240><163><157> <229>%<248><169>
Attributes:
        EAP-Message = <4><3><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"

config:

Foreground
LogStdout
LogDir		.
DbDir		.
# Use a lower trace level in production systems:
Trace 		4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
	Secret	abc
	DupInterval 0
</Client>

<Realm DEFAULT>
#	<AuthBy FILE>
# This says to handle all EAP requests with LEAP
#		EAPType LEAP
# Authenticate from the users file.
# Caution: only plaintext passwords are supported
#		Filename usersVJZ
#	</AuthBy>
	<AuthBy LDAP2>
		# Tell Radiator how to talk to the LDAP server
		# This says to handle all EAP requests with LEAP
		EAPType LEAP
		#Host		localhost
		Host 		deimos.vjz
		#Host		oberon.vjz
		# You will only need these if your LDAP server
		# requires authentication. These are the examples
		# in a default OpenLDAP installation
		# see /etc/openldap/slapd.conf
		#AuthDN		cn=Manager, dc=example, dc=com
		#AuthPassword	secret

		# This the top of the search tree where users
		# will be found. It should match the configuration
		# of your server, see /etc/openldap/slapd.conf
		#BaseDN		dc=example, dc=com
		BaseDN		dc=deimos, dc=vjz
		#BaseDN		o=lan

		# This is the LDAP attribute to match the radius user name
		#UsernameAttr	cn
		UsernameAttr	cn

		# If you don't specify ServerChecksPassword, you
		# need to tell Radiator which attribute contains
		# the password. It can be plaintext or encrypted
		#EncryptedPasswordAttr    userpasswd
		#PasswordAttr	userPassword
		ServerChecksPassword 1
		
		# You can use CheckAttr, ReplyAttr and AuthAttrDef
		# to specify check and reply attributes in the LDAP 
		# database. See the reference manual for more 
		# information
		#AuthAttrDef ipaddress,Framed-IP-Address,reply

		# These are the classic things to add to each users 
		# reply to allow a PPP dialup session. It may be 
		# different for your NAS. This will add some 
		# reply items to everyone's reply
		AddToReply Framed-Protocol = PPP,\
        		Framed-IP-Netmask = 255.255.255.255,\
        		Framed-Routing = None,\
        		Framed-MTU = 1500,\
			Framed-Compression = Van-Jacobson-TCP-IP

		# You can enable debugging of the Net::LDAP
		# module with this:
		#Debug 255

		# With LDAP2, You can enable SSL or TLS with perl-ldap 0.22 and better
		# by setting UseSSL or UseTLS. Not supported on Windows
		#UseSSL
		# UseTLS
		# If you set UseSSL or UseTLS, also need to set these:
		#SSLCAClientCert certificates/cert-clt.pem
		#SSLCAClientKey whatever
		#  (certificates in PEM format)
		# Also need to set one of:
		#SSLCAFile certificates/demoCA/cacert.pem
		# SSLCAPath /path/to/file/containing/certificate/of/CA
		#  (certificates in PEM format)
		# These set the corresponding parameters in the 
		# LDAPS connection (see perl-ldap docs)
		# Requires IO::Socket::SSL, Net::SSLeay and openssl

		# You can control the timeout for connection failure,
		# plus the backoff time after failure. Timeout defaults
		# to 10 secs and FailureBackoffTime to 10 mins
		# Timeout 2
		# FailureBackoffTime 10

		# With PostSearchHook you can do your own processing
		# of the LDAP data. 
		# Arg 0 is the AuthBy LDAP object
		# Arg 1 is the user name being authenticated
		# Arg 2 is the received request packet
		# Arg 3 is the user object holding check and reply
		#  items for this user
		# Arg 4 is the search results handle, whose type
		#   depends on whether it's LDAP, LDAP2, or LDAPSDK
		#PostSearchHook sub {print "PostSearchHook @_\n";\
		#	my $attr = $_[4]->get('someldapattr');\
		#	print "get attribute $attr\n";}

		# You can control the LDAP protocol version to be used
		# to talk to the LDAP server. OpenLDAP 2 requires
		# Version 3 unless you have 'allow bind_v2' in your
		# slapd.conf. Defaults to version 2
		Version 3
	</AuthBy>
</Realm>


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
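Added note on the configuration above, not part of the original post: LEAP is an MS-CHAP-style challenge/response method, so Radiator has to compute the expected response from the user's password itself; with ServerChecksPassword the check is delegated to an LDAP bind, and a LEAP request carries no plaintext password to bind with, which matches an LDAP ACCEPT followed by "Bad LEAP Password". The fragment below shows the bind-based form beside the PasswordAttr form that LEAP needs; the attribute name userPassword, the service-account DN and the placeholder password are assumptions.

```conf
# Does not work with LEAP: the password check is delegated to an LDAP
# bind, but a LEAP request carries a challenge/response, not a
# User-Password, so there is nothing to bind with.
<AuthBy LDAP2>
    EAPType LEAP
    Host    deimos.vjz
    BaseDN  dc=deimos, dc=vjz
    UsernameAttr cn
    ServerChecksPassword 1
</AuthBy>

# Works with LEAP: Radiator reads the password attribute and computes
# the LEAP response itself. The attribute must hold the plaintext
# password (a crypt-style hash in EncryptedPasswordAttr cannot be used
# to derive a challenge/response), so limit who may read it: bind with
# a dedicated read-only account and grant that DN read access to the
# attribute only.
<AuthBy LDAP2>
    EAPType LEAP
    Host    deimos.vjz
    # assumption: read-only service account allowed to read userPassword
    AuthDN       cn=radiator,dc=deimos,dc=vjz
    AuthPassword CHANGE-ME-PLACEHOLDER
    BaseDN       dc=deimos, dc=vjz
    UsernameAttr cn
    # assumption: userPassword holds the plaintext password
    PasswordAttr userPassword
    Version 3
</AuthBy>
```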