(RADIATOR) MAC-Address Check and LDAP on OS X

Urs Landis urs.landis at mac.com
Fri Mar 4 01:17:51 CST 2005


Hi Hugh
Just for understanding: I don't want to check users locally; I want to first 
make a local check for the MAC address and afterwards a check for username 
and password against the LDAP! Both things work great; I only have a 
problem getting these two together in one config!
Kind regards


Urs Landis
ICT
Kantonsschule
Hohe Promenade
Postfach
Promenadengasse 11
CH-8090 Zürich
Tel: 044 - 268 36 29
Nat: 079 - 400 40 01
On 03.03.2005 at 07:45, Hugh Irvine wrote:

>
> Hello Urs -
>
> The problem here is that you do not have anything configured to do EAP 
> in your first Handler.
>
> Your AuthBy clause is only doing the MAC address check without EAP and 
> there is nothing doing EAP, so you will need to add a second AuthBy 
> FILE to deal with the EAP part:
>
> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>
>        AuthByPolicy ContinueWhileAccept
>
>         <AuthBy FILE>
>                 Filename %D/addresses.mac
>                 AuthenticateAttribute Calling-Station-Id
>                 NoEAP
>         </AuthBy>
>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP
>                 .......
>         </AuthBy>
>
> </Handler>
>
> regards
>
> Hugh
>
>
> On 2 Mar 2005, at 21:01, Urs Landis wrote:
>
>> Hugh
>> here is the Trace 4 log and my config
>>
>> Trace 4 File:
>> Wed Mar  2 20:58:12 2005: DEBUG: Packet dump:
>> *** Received from 192.168.95.59 port 21645 ....
>> Code:       Access-Request
>> Identifier: 56
>> Authentic:  q2<23><251>.{Y<184><141>.<136>J<147>s^<137>
>> Attributes:
>>         User-Name = "urs_landis"
>>         Framed-MTU = 1400
>>         Called-Station-Id = "0013.19fc.2f90"
>>         Calling-Station-Id = "0030.6503.0a96"
>>         Service-Type = Login-User
>>         Message-Authenticator = 
>> <232>|<157><255><255><148><7><181><11>f<143><194><193><232><170>c
>>         EAP-Message = <2><1><0><15><1>urs_landis
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         NAS-Port = 298
>>         NAS-IP-Address = 192.168.95.59
>>         NAS-Identifier = "AP-09-023"
>>
>> Wed Mar  2 20:58:12 2005: DEBUG: Handling request with Handler 
>> 'NAS-Port-Type=Wireless-IEEE-802-11'
>> Wed Mar  2 20:58:12 2005: DEBUG:  Deleting session for urs_landis, 
>> 192.168.95.59, 298
>> Wed Mar  2 20:58:12 2005: DEBUG: Handling with Radius::AuthFILE:
>> Wed Mar  2 20:58:12 2005: DEBUG: Radius::AuthFILE looks for match 
>> with 0030.6503.0a96
>> Wed Mar  2 20:58:12 2005: DEBUG: Radius::AuthFILE ACCEPT: Accept 
>> explicitly by Auth-Type=Accept
>> Wed Mar  2 20:58:12 2005: DEBUG: AuthBy FILE result: ACCEPT, Accept 
>> explicitly by Auth-Type=Accept
>> Wed Mar  2 20:58:12 2005: DEBUG: Access accepted for urs_landis
>> Wed Mar  2 20:58:12 2005: DEBUG: Packet dump:
>> *** Sending to 192.168.95.59 port 21645 ....
>> Code:       Access-Accept
>> Identifier: 56
>> Authentic:  q2<23><251>.{Y<184><141>.<136>J<147>s^<137>
>> Attributes:
>>
>> Wed Mar  2 20:58:13 2005: DEBUG: Packet dump:
>> *** Received from 192.168.95.59 port 21645 ....
>> Code:       Access-Request
>> Identifier: 57
>> Authentic:  <179>"<2><189><203><1><26>B*Y9!SW<162><155>
>> Attributes:
>>         User-Name = "urs_landis"
>>         Framed-MTU = 1400
>>         Called-Station-Id = "0013.19fc.2f90"
>>         Calling-Station-Id = "0030.6503.0a96"
>>         Service-Type = Login-User
>>         Message-Authenticator = :<30><146>T^Ezh<129>b7"<142>~O$
>>         EAP-Message = <2><1><0><15><1>urs_landis
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         NAS-Port = 299
>>         NAS-IP-Address = 192.168.95.59
>>         NAS-Identifier = "AP-09-023"
>>
>> Wed Mar  2 20:58:13 2005: DEBUG: Handling request with Handler 
>> 'NAS-Port-Type=Wireless-IEEE-802-11'
>> Wed Mar  2 20:58:13 2005: DEBUG:  Deleting session for urs_landis, 
>> 192.168.95.59, 299
>> Wed Mar  2 20:58:13 2005: DEBUG: Handling with Radius::AuthFILE:
>> Wed Mar  2 20:58:13 2005: DEBUG: Radius::AuthFILE looks for match 
>> with 0030.6503.0a96
>> Wed Mar  2 20:58:13 2005: DEBUG: Radius::AuthFILE ACCEPT: Accept 
>> explicitly by Auth-Type=Accept
>> Wed Mar  2 20:58:13 2005: DEBUG: AuthBy FILE result: ACCEPT, Accept 
>> explicitly by Auth-Type=Accept
>> Wed Mar  2 20:58:13 2005: DEBUG: Access accepted for urs_landis
>> Wed Mar  2 20:58:13 2005: DEBUG: Packet dump:
>> *** Sending to 192.168.95.59 port 21645 ....
>> Code:       Access-Accept
>> Identifier: 57
>> Authentic:  <179>"<2><189><203><1><26>B*Y9!SW<162><155>
>> Attributes:
>>
>> My Config:
>> # leap.cfg
>> #
>>
>> Foreground
>> LogStdout
>> LogDir          /var/log/radius
>> DbDir           /etc/radiator
>>
>> # Use a lower trace level in production systems:
>> Trace           4
>>
>> <Client DEFAULT>
>>         Secret  scHoProet
>>         DupInterval 0
>> </Client>
>>
>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>         <AuthBy FILE>
>> #               AuthByPolicy ContinueWhileAccept
>>                 Filename %D/addresses.mac
>>                 AuthenticateAttribute Calling-Station-Id
>>                 NoEAP
>>         </AuthBy>
>> </Handler>
>>
>> <Handler TunnelledByTTLS=1>
>>         <AuthBy LDAP2>
>>                 Identifier CheckLDAP
>>                 Host            192.168.1.21
>>                 BaseDN          dc=hopro, dc=edu
>>                 Version         3
>>                 UsernameAttr    uid
>>                 ServerChecksPassword
>> #               EPType PAP
>> #               EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>> #               EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>> #               EAPTLS_CertificateType PEM
>> #               EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>> #               EAPTLS_PrivateKeyPassword whatever
>> #               EAPTLS_MaxFragmentSize 1000
>> #               AutoMPPEKeys
>> #               SearchFilter (&(uid=%1)(buildingName=WLAN))
>>         </AuthBy>
>> </Handler>
>>
>> best regards
>>
>> On 02.03.2005 at 20:50, Hugh Irvine wrote:
>>
>>>
>>> Hello Urs -
>>>
>>> Please understand that it is impossible to help without seeing a 
>>> trace 4 debug showing what is happening.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 2 Mar 2005, at 20:25, Urs Landis wrote:
>>>
>>>> Phil's config works fine!!!
>>>>
>>>> Now I try to build a config like Phil's but which checks the MAC 
>>>> address first. I think I can make the MAC address check in the outer part 
>>>> and the LDAP in the inner part!
>>>> But my config only makes the MAC address check, and this on and on 
>>>> and on and never stops! It never goes to the LDAP part!!
>>>>
>>>> Please help!!!
>>>>
>>>> My new config file:
>>>>
>>>> # leap.cfg
>>>> #
>>>>
>>>> Foreground
>>>> LogStdout
>>>> LogDir          /var/log/radius
>>>> DbDir           /etc/radiator
>>>>
>>>> # Use a lower trace level in production systems:
>>>> Trace           4
>>>>
>>>> <Client DEFAULT>
>>>>         Secret  scHoProet
>>>>         DupInterval 0
>>>> </Client>
>>>>
>>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>>         <AuthBy FILE>
>>>> #               AuthByPolicy ContinueWhileAccept
>>>>                 Filename %D/addresses.mac
>>>>                 AuthenticateAttribute Calling-Station-Id
>>>>                 NoEAP
>>>>         </AuthBy>
>>>> </Handler>
>>>>
>>>> <Handler TunnelledByTTLS=1>
>>>>         <AuthBy LDAP2>
>>>>                 Identifier CheckLDAP
>>>>                 Host            192.168.1.21
>>>>                 BaseDN          dc=hopro, dc=edu
>>>>                 Version         3
>>>>                 UsernameAttr    uid
>>>>                 ServerChecksPassword
>>>>         </AuthBy>
>>>> </Handler>
>>>>
>>>>
>>>> best regards
>>>>
>>>> On 02.03.2005 at 15:25, Hugh Irvine wrote:
>>>>
>>>>>
>>>>> Hello Urs -
>>>>>
>>>>> Further to this, here is another client:
>>>>>
>>>>> 	http://www.mtghouse.com/products/aegisclient/mac/index.shtml
>>>>>
>>>>> a Google search for "eap-ttls client" brings up lots of hits, and 
>>>>> there is a partial list here:
>>>>>
>>>>> 	http://www.open.com.au/radiator/technical.html#wireless
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 2 Mar 2005, at 09:04, Urs Landis wrote:
>>>>>
>>>>>> Hi Mike, hi Hugh
>>>>>>
>>>>>> I don't see the problem with the LEAP authentication to a Mac OS 
>>>>>> X Server. But I am a dummy beginner!!!!
>>>>>> In my trace file the LDAP server says:
>>>>>> Tue Mar  1 19:25:25 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
>>>>>> Tue Mar  1 19:25:25 2005: DEBUG: EAP result: 1, Bad LEAP Password
>>>>>> Is it not possible to take that ACCEPT from AuthLDAP2 and be 
>>>>>> finished?
>>>>>> I know that's too easy,.......
>>>>>>
>>>>>> We work with a Mac OS X Server, several Cisco AP1100, and 
>>>>>> Radiator on Mac OS X, on Xserve hardware.
>>>>>> For the next weeks all these things (without the LDAP server) are 
>>>>>> in 'test-mode'. If it helps there is no problem to give you 
>>>>>> VPN access.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> On 02.03.2005 at 01:04, Mike McCauley wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> On Wednesday 02 March 2005 04:57, Christian Kratzer wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> On Tue, 1 Mar 2005, Hugh Irvine wrote:
>>>>>>>>> Hello Urs -
>>>>>>>>>
>>>>>>>>> Your AuthBy FILE should only check the MAC addresses.
>>>>>>>>>
>>>>>>>>> # list MAC addresses
>>>>>>>>>
>>>>>>>>> 0030.6503.0a96 Auth-Type = ACCEPT
>>>>>>>>>
>>>>>>>>> ......
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The AuthBy LDAP2 should be called after the AuthBy FILE.
>>>>>>>>>
>>>>>>>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>>>>>>>        AuthByPolicy ContinueWhileAccept
>>>>>>>>>        AuthBy CheckMACAddress
>>>>>>>>>        AuthBy CheckLDAP
>>>>>>>>> </Handler>
>>>>>>>>>
>>>>>>>>> BTW - you can only store cleartext passwords when using LEAP.
>>>>>>>>>
>>>>>>>>> And I'm not sure whether ServerChecksPasswords will work in this
>>>>>>>>> scenario.
>>>>>>>>
>>>>>>>> it will not.
>>>>>>>>
>>>>>>>> ServerChecksPassword just passes the username/password combination to
>>>>>>>> the LDAP bind.  This rules out any challenge / response based
>>>>>>>> authentication schemes like especially CHAP and MSCHAP2.
>>>>>>>
>>>>>>> Correct.
>>>>>>>
>>>>>>>>
>>>>>>>> So CHAP is currently only possible if the password is accessible in
>>>>>>>> cleartext via an LDAP attribute, which is why we have not yet been
>>>>>>>> able to get 802.1X PEAP to work with AuthLDAP2 against Active
>>>>>>>> Directory.
>>>>>>>
>>>>>>> Correct again.
>>>>>>>
>>>>>>> Right now the only way to make CHAP, MSCHAP, MSCHAPV2 and PEAP-MSCHAPV2
>>>>>>> work with AD is to use the AuthBy LSA module, which in turn limits
>>>>>>> Radiator to running on Windows.
>>>>>>>
>>>>>>> We note that Novell have released code showing how to fetch plain
>>>>>>> passwords from eDirectory by LDAP.
>>>>>>>
>>>>>>> I wonder if anyone can make a test eDirectory LDAP server available
>>>>>>> to us remotely for testing a solution?
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>>>
>>>>>>>> What I have been thinking about in this context is if there
>>>>>>>> could be an advanced version of ServerChecksPassword called
>>>>>>>> ServerChecksPasswordUsingSASL that would use SASL to attempt an
>>>>>>>> LDAP bind.
>>>>>>>>
>>>>>>>> SASL should allow Radiator to proxy the challenge response back
>>>>>>>> to the NAS.
>>>>>>>>
>>>>>>>> I am not sure if this could be done. If yes, this could be a big
>>>>>>>> pain saver for all Active Directory installations.
>>>>>>>>
>>>>>>>> Greetings
>>>>>>>> Christian
>>>>>>>
>>>>>>> -- 
>>>>>>> Mike McCauley                               mikem at open.com.au
>>>>>>> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
>>>>>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
>>>>>>> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>>>>>>>
>>>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>>>>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>>>>>
>>>>>>> --
>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>>
>>>>>>>
>>>>>
>>>>> NB: I am travelling this week, so there may be delays in our correspondence.
>>>>>
>>>>> -- 
>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>>>>> -
>>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>>> flexible with hardware, software, platform and database independence.
>>>>> -
>>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>
>
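The Trace 4 output quoted in this thread shows the EAP identity request being accepted by the MAC check alone, with no EAP exchange ever taking place. As an added example that is not part of the thread or of Radiator, the Python below scans a Trace 4 log for exactly that pattern; the sample log is a constructed abridgement of the trace posted above, and the "EAP result" marker is the debug line Radiator prints (as seen earlier in the thread) when it actually ran an EAP method.

```python
import re

# Constructed sample, abridged from the thread's Trace 4 output (MAC-only Access-Accept).
SAMPLE_LOG = """\
Wed Mar  2 20:58:12 2005: DEBUG: Packet dump:
*** Received from 192.168.95.59 port 21645 ....
Code:       Access-Request
Identifier: 56
        User-Name = "urs_landis"
        Calling-Station-Id = "0030.6503.0a96"
        EAP-Message = <2><1><0><15><1>urs_landis
Wed Mar  2 20:58:12 2005: DEBUG: AuthBy FILE result: ACCEPT, Accept explicitly by Auth-Type=Accept
Wed Mar  2 20:58:12 2005: DEBUG: Packet dump:
*** Sending to 192.168.95.59 port 21645 ....
Code:       Access-Accept
Identifier: 56
"""

ATTR_RE = re.compile(r'^\s+([\w-]+) = "?(.*?)"?\s*$')  # indented "Name = value" lines

def parse_packets(log_text):
    """Split a Trace 4 log into packet dumps, keeping the DEBUG trail after each."""
    packets, cur = [], None
    for line in log_text.splitlines():
        if line.endswith("DEBUG: Packet dump:"):
            cur = {"dir": None, "code": None, "id": None, "attrs": {}, "trail": []}
            packets.append(cur)
        elif cur is None:
            continue  # ignore anything before the first packet dump
        elif line.startswith("*** "):
            cur["dir"] = "in" if line.startswith("*** Received") else "out"
        elif line.startswith(("Code:", "Identifier:")):
            key, val = line.split(":", 1)
            cur["code" if key == "Code" else "id"] = val.strip()
        elif m := ATTR_RE.match(line):
            cur["attrs"][m.group(1)] = m.group(2)
        elif "DEBUG:" in line:
            cur["trail"].append(line)  # the handler's decisions for this request
    return packets

def find_eap_bypass(log_text):
    """Flag EAP requests accepted with no 'EAP result' line: MAC passed, password never checked."""
    findings, packets = [], parse_packets(log_text)
    for req, resp in zip(packets, packets[1:]):
        if (req["dir"], resp["dir"]) != ("in", "out") or req["id"] != resp["id"]:
            continue
        if ("EAP-Message" in req["attrs"] and resp["code"] == "Access-Accept"
                and not any("EAP result" in t for t in req["trail"])):
            findings.append({"id": req["id"], "user": req["attrs"].get("User-Name"), "mac": req["attrs"].get("Calling-Station-Id")})
    return findings
```

Run it over a real Trace 4 log with `find_eap_bypass(open(path).read())`; every finding is a station that got onto the WLAN on its MAC address alone.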