(RADIATOR) MAC-Address Check and LDAP on OS X
Hugh Irvine
hugh at open.com.au
Fri Mar 4 02:05:36 CST 2005
Hello Urs -
Yes I understand, but let me try to explain how EAP authentication
works. There is a sequence of EAP messages that are exchanged by the
client and the Radiator server (the exact sequence depends on what form
of EAP you are using), and eventually the "inner" request which
contains the real authentication data is processed. Therefore you need
Handlers for both the "outer" EAP exchanges, and for the "inner"
request (as identified by the TunnelledByTTLS=1 tag).
In your case, as you want to check the MAC address first of all, your
"outer" Handler must use a first AuthBy clause with NoEAP to check the
MAC address, then a second AuthBy clause to deal with the "outer" EAP
exchanges. Then you need the second Handler for the "inner" request
which will do the actual authentication against the LDAP directory.
Therefore as mentioned in my previous mail, your first Handler needs
two AuthBy clauses, the first with NoEAP to check the MAC address and a
second AuthBy clause to deal with the "outer" EAP exchanges.
You can follow everything that happens by looking at a trace 4 debug
from Radiator showing the "outer" EAP exchanges and the derived "inner"
request.
Hope that helps
regards
Hugh
On 4 Mar 2005, at 08:17, Urs Landis wrote:
> Hi Hugh
> just for understanding, I don't want to check users locally; I want to
> first make a local check for the MAC address and afterwards a check of
> username and password against the LDAP! Both things work great, I only
> have a problem getting these two together in one config!
> Kind regards
>
>
> Urs Landis
> ICT
> Kantonsschule
> Hohe Promenade
> Postfach
> Promenadengasse 11
> CH-8090 Zürich
> Tel: 044 - 268 36 29
> Nat: 079 - 400 40 01
> On 03.03.2005 at 07:45, Hugh Irvine wrote:
>
>>
>> Hello Urs -
>>
>> The problem here is that you do not have anything configured to do
>> EAP in your first Handler.
>>
>> Your AuthBy clause is only doing the MAC address check without EAP
>> and there is nothing doing EAP, so you will need to add a second
>> AuthBy FILE to deal with the EAP part:
>>
>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>     AuthByPolicy ContinueWhileAccept
>>
>>     <AuthBy FILE>
>>         Filename %D/addresses.mac
>>         AuthenticateAttribute Calling-Station-Id
>>         NoEAP
>>     </AuthBy>
>>
>>     <AuthBy FILE>
>>         Filename %D/users
>>         EAPType PEAP
>>         .......
>>     </AuthBy>
>> </Handler>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 2 Mar 2005, at 21:01, Urs Landis wrote:
>>
>>> Hugh
>>> here the Trace 4 log and my config
>>>
>>> Trace 4 File:
>>> Wed Mar 2 20:58:12 2005: DEBUG: Packet dump:
>>> *** Received from 192.168.95.59 port 21645 ....
>>> Code: Access-Request
>>> Identifier: 56
>>> Authentic: q2<23><251>.{Y<184><141>.<136>J<147>s^<137>
>>> Attributes:
>>> User-Name = "urs_landis"
>>> Framed-MTU = 1400
>>> Called-Station-Id = "0013.19fc.2f90"
>>> Calling-Station-Id = "0030.6503.0a96"
>>> Service-Type = Login-User
>>> Message-Authenticator =
>>> <232>|<157><255><255><148><7><181><11>f<143><194><193><232><170>c
>>> EAP-Message = <2><1><0><15><1>urs_landis
>>> NAS-Port-Type = Wireless-IEEE-802-11
>>> NAS-Port = 298
>>> NAS-IP-Address = 192.168.95.59
>>> NAS-Identifier = "AP-09-023"
>>>
>>> Wed Mar 2 20:58:12 2005: DEBUG: Handling request with Handler
>>> 'NAS-Port-Type=Wireless-IEEE-802-11'
>>> Wed Mar 2 20:58:12 2005: DEBUG: Deleting session for urs_landis,
>>> 192.168.95.59, 298
>>> Wed Mar 2 20:58:12 2005: DEBUG: Handling with Radius::AuthFILE:
>>> Wed Mar 2 20:58:12 2005: DEBUG: Radius::AuthFILE looks for match
>>> with 0030.6503.0a96
>>> Wed Mar 2 20:58:12 2005: DEBUG: Radius::AuthFILE ACCEPT: Accept
>>> explicitly by Auth-Type=Accept
>>> Wed Mar 2 20:58:12 2005: DEBUG: AuthBy FILE result: ACCEPT, Accept
>>> explicitly by Auth-Type=Accept
>>> Wed Mar 2 20:58:12 2005: DEBUG: Access accepted for urs_landis
>>> Wed Mar 2 20:58:12 2005: DEBUG: Packet dump:
>>> *** Sending to 192.168.95.59 port 21645 ....
>>> Code: Access-Accept
>>> Identifier: 56
>>> Authentic: q2<23><251>.{Y<184><141>.<136>J<147>s^<137>
>>> Attributes:
>>>
>>> Wed Mar 2 20:58:13 2005: DEBUG: Packet dump:
>>> *** Received from 192.168.95.59 port 21645 ....
>>> Code: Access-Request
>>> Identifier: 57
>>> Authentic: <179>"<2><189><203><1><26>B*Y9!SW<162><155>
>>> Attributes:
>>> User-Name = "urs_landis"
>>> Framed-MTU = 1400
>>> Called-Station-Id = "0013.19fc.2f90"
>>> Calling-Station-Id = "0030.6503.0a96"
>>> Service-Type = Login-User
>>> Message-Authenticator = :<30><146>T^Ezh<129>b7"<142>~O$
>>> EAP-Message = <2><1><0><15><1>urs_landis
>>> NAS-Port-Type = Wireless-IEEE-802-11
>>> NAS-Port = 299
>>> NAS-IP-Address = 192.168.95.59
>>> NAS-Identifier = "AP-09-023"
>>>
>>> Wed Mar 2 20:58:13 2005: DEBUG: Handling request with Handler
>>> 'NAS-Port-Type=Wireless-IEEE-802-11'
>>> Wed Mar 2 20:58:13 2005: DEBUG: Deleting session for urs_landis,
>>> 192.168.95.59, 299
>>> Wed Mar 2 20:58:13 2005: DEBUG: Handling with Radius::AuthFILE:
>>> Wed Mar 2 20:58:13 2005: DEBUG: Radius::AuthFILE looks for match
>>> with 0030.6503.0a96
>>> Wed Mar 2 20:58:13 2005: DEBUG: Radius::AuthFILE ACCEPT: Accept
>>> explicitly by Auth-Type=Accept
>>> Wed Mar 2 20:58:13 2005: DEBUG: AuthBy FILE result: ACCEPT, Accept
>>> explicitly by Auth-Type=Accept
>>> Wed Mar 2 20:58:13 2005: DEBUG: Access accepted for urs_landis
>>> Wed Mar 2 20:58:13 2005: DEBUG: Packet dump:
>>> *** Sending to 192.168.95.59 port 21645 ....
>>> Code: Access-Accept
>>> Identifier: 57
>>> Authentic: <179>"<2><189><203><1><26>B*Y9!SW<162><155>
>>> Attributes:
>>>
>>> My Config:
>>> # leap.cfg
>>> #
>>>
>>> Foreground
>>> LogStdout
>>> LogDir /var/log/radius
>>> DbDir /etc/radiator
>>>
>>> # Use a lower trace level in production systems:
>>> Trace 4
>>>
>>> <Client DEFAULT>
>>>     Secret scHoProet
>>>     DupInterval 0
>>> </Client>
>>>
>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>     <AuthBy FILE>
>>>         # AuthByPolicy ContinueWhileAccept
>>>         Filename %D/addresses.mac
>>>         AuthenticateAttribute Calling-Station-Id
>>>         NoEAP
>>>     </AuthBy>
>>> </Handler>
>>>
>>> <Handler TunnelledByTTLS=1>
>>>     <AuthBy LDAP2>
>>>         Identifier CheckLDAP
>>>         Host 192.168.1.21
>>>         BaseDN dc=hopro, dc=edu
>>>         Version 3
>>>         UsernameAttr uid
>>>         ServerChecksPassword
>>>         # EPType PAP
>>>         # EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>>         # EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>>         # EAPTLS_CertificateType PEM
>>>         # EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>>         # EAPTLS_PrivateKeyPassword whatever
>>>         # EAPTLS_MaxFragmentSize 1000
>>>         # AutoMPPEKeys
>>>         # SearchFilter (&(uid=%1)(buildingName=WLAN))
>>>     </AuthBy>
>>> </Handler>
>>>
>>> best regards
>>>
>>> Urs Landis
>>> On 02.03.2005 at 20:50, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Urs -
>>>>
>>>> Please understand that it is impossible to help without seeing a
>>>> trace 4 debug showing what is happening.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 2 Mar 2005, at 20:25, Urs Landis wrote:
>>>>
>>>>> Phil's config works fine!!!
>>>>>
>>>>> Now I am trying to build a config like Phil's, but one that checks the
>>>>> MAC address first. I think I can do the MAC address check in the outer
>>>>> part and the LDAP in the inner part!
>>>>> But my config only does the MAC address check, and it does this on and
>>>>> on and on and never stops! It never gets to the LDAP part!!
>>>>>
>>>>> Please help!!!
>>>>>
>>>>> My new config file:
>>>>>
>>>>> # leap.cfg
>>>>> #
>>>>>
>>>>> Foreground
>>>>> LogStdout
>>>>> LogDir /var/log/radius
>>>>> DbDir /etc/radiator
>>>>>
>>>>> # Use a lower trace level in production systems:
>>>>> Trace 4
>>>>>
>>>>> <Client DEFAULT>
>>>>>     Secret scHoProet
>>>>>     DupInterval 0
>>>>> </Client>
>>>>>
>>>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>>>     <AuthBy FILE>
>>>>>         # AuthByPolicy ContinueWhileAccept
>>>>>         Filename %D/addresses.mac
>>>>>         AuthenticateAttribute Calling-Station-Id
>>>>>         NoEAP
>>>>>     </AuthBy>
>>>>> </Handler>
>>>>>
>>>>> <Handler TunnelledByTTLS=1>
>>>>>     <AuthBy LDAP2>
>>>>>         Identifier CheckLDAP
>>>>>         Host 192.168.1.21
>>>>>         BaseDN dc=hopro, dc=edu
>>>>>         Version 3
>>>>>         UsernameAttr uid
>>>>>         ServerChecksPassword
>>>>>     </AuthBy>
>>>>> </Handler>
>>>>>
>>>>>
>>>>> best regards
>>>>>
>>>>> Urs Landis
>>>>> On 02.03.2005 at 15:25, Hugh Irvine wrote:
>>>>>
>>>>>>
>>>>>> Hello Urs -
>>>>>>
>>>>>> Further to this, here is another client:
>>>>>>
>>>>>> http://www.mtghouse.com/products/aegisclient/mac/index.shtml
>>>>>>
>>>>>> a Google search for "eap-ttls client" brings up lots of hits, and
>>>>>> there is a partial list here:
>>>>>>
>>>>>> http://www.open.com.au/radiator/technical.html#wireless
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Hugh
>>>>>>
>>>>>>
>>>>>> On 2 Mar 2005, at 09:04, Urs Landis wrote:
>>>>>>
>>>>>>> Hi Mike, hi Hugh
>>>>>>>
>>>>>>> I don't see the problem with the LEAP authentication to a Mac
>>>>>>> OS X Server. But I'm a dummy beginner!!!!
>>>>>>> In my trace file the LDAP server says:
>>>>>>> Tue Mar 1 19:25:25 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
>>>>>>> Tue Mar 1 19:25:25 2005: DEBUG: EAP result: 1, Bad LEAP Password
>>>>>>> Is it not possible to take that ACCEPT from AuthLDAP2 and be
>>>>>>> finished?
>>>>>>> I know that's too easy,.......
>>>>>>>
>>>>>>> We work with a Mac OS X Server, several Cisco AP1100, and
>>>>>>> Radiator on Mac OS X, on Xserve hardware.
>>>>>>> For the next weeks all these things (without the LDAP server) are
>>>>>>> in 'test mode'. If it helps, there is no problem giving you
>>>>>>> VPN access
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Best regards
>>>>>>>
>>>>>>> Urs Landis
>>>>>>> On 02.03.2005 at 01:04, Mike McCauley wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> On Wednesday 02 March 2005 04:57, Christian Kratzer wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> On Tue, 1 Mar 2005, Hugh Irvine wrote:
>>>>>>>>>> Hello Urs -
>>>>>>>>>>
>>>>>>>>>> Your AuthBy FILE should only check the MAC addresses.
>>>>>>>>>>
>>>>>>>>>> # list MAC addresses
>>>>>>>>>>
>>>>>>>>>> 0030.6503.0a96 Auth-Type = ACCEPT
>>>>>>>>>>
>>>>>>>>>> ......
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> The AuthBy LDAP2 should be called after the AuthBy FILE.
>>>>>>>>>>
>>>>>>>>>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>>>>>>>>>>     AuthByPolicy ContinueWhileAccept
>>>>>>>>>>     AuthBy CheckMACAddress
>>>>>>>>>>     AuthBy CheckLDAP
>>>>>>>>>> </Handler>
>>>>>>>>>>
>>>>>>>>>> BTW - you can only store cleartext passwords when using LEAP.
>>>>>>>>>>
>>>>>>>>>> And I'm not sure whether ServerChecksPasswords will work in
>>>>>>>>>> this scenario.
>>>>>>>>>
>>>>>>>>> it will not.
>>>>>>>>>
>>>>>>>>> ServerChecksPassword just passes the username/password
>>>>>>>>> combination to the LDAP bind. This rules out any challenge /
>>>>>>>>> response based authentication schemes like especially CHAP and
>>>>>>>>> MSCHAP2.
>>>>>>>>
>>>>>>>> Correct.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> So CHAP is currently only possible if the password is
>>>>>>>>> accessible in cleartext via an LDAP attribute, which is why we
>>>>>>>>> have not yet been able to get 802.1X PEAP to work with AuthLDAP2
>>>>>>>>> against Active Directory.
>>>>>>>>
>>>>>>>> Correct again.
>>>>>>>>
>>>>>>>> Right now the only way to make CHAP, MSCHAP, MSCHAPV2 and
>>>>>>>> PEAP-MSCHAPV2 work with AD is to use the AuthBy LSA module, which
>>>>>>>> in turn limits Radiator to running on Windows.
>>>>>>>>
>>>>>>>> We note that Novell have released code showing how to fetch
>>>>>>>> plain passwords from eDirectory by LDAP.
>>>>>>>>
>>>>>>>> I wonder if anyone can make a test eDirectory LDAP server
>>>>>>>> available to us remotely for testing a solution?
>>>>>>>>
>>>>>>>> Cheers.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> What I have been thinking about in this context is if there
>>>>>>>>> could be an advanced version of ServerChecksPassword called
>>>>>>>>> ServerChecksPasswordUsingSASL that would use SASL to attempt
>>>>>>>>> an LDAP bind.
>>>>>>>>>
>>>>>>>>> SASL should allow Radiator to proxy the challenge response
>>>>>>>>> back to the NAS.
>>>>>>>>>
>>>>>>>>> I am not sure if this could be done. If yes, this could be a big
>>>>>>>>> pain saver for all Active Directory installations.
>>>>>>>>>
>>>>>>>>> Greetings
>>>>>>>>> Christian
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike McCauley mikem at open.com.au
>>>>>>>> Open System Consultants Pty. Ltd Unix, Perl, Motif,
>>>>>>>> C++, WWW
>>>>>>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>>>>>>>> http://www.open.com.au
>>>>>>>> Phone +61 7 5598-7474 Fax +61 7
>>>>>>>> 5598-7070
>>>>>>>>
>>>>>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>>>>>> server
>>>>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,
>>>>>>>> Emerald,
>>>>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory,
>>>>>>>> EAP, TLS,
>>>>>>>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>> NB: I am travelling this week, so there may be delays in our
>>>>>> correspondence.
>>>>>>
>>>>>> --
>>>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>>>> server
>>>>>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS
>>>>>> X.
>>>>>> -
>>>>>> Nets: internetwork inventory and management - graphical,
>>>>>> extensible,
>>>>>> flexible with hardware, software, platform and database
>>>>>> independence.
>>>>>> -
>>>>>> CATool: Private Certificate Authority for Unix and Unix-like
>>>>>> systems.
>>>>>>
>>>>>> --
>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>> Announcements on radiator-announce at open.com.au
>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>
>>>>>>
>>>>>
>>>>
>>
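The following is a complete configuration that puts Hugh's two-Handler layout into one file. It is an added example for readers of the archive, not a config posted in the thread and not taken from Radiator's own documentation. The outer Handler keeps the MAC allow-list clause from Urs's config (with NoEAP) and adds the EAP clause Hugh asked for, with AuthByPolicy ContinueWhileAccept so that a request is only handed to EAP once the MAC check has accepted it; the inner Handler is Urs's existing LDAP2 clause. The outer clause uses EAPType TTLS (an assumption on my part: the thread's snippet shows EAPType PEAP, but the inner Handler on the page is matched on TunnelledByTTLS=1, which is the tag Radiator gives to requests extracted from an EAP-TTLS tunnel; for PEAP the inner Handler would be matched on TunnelledByPEAP=1 instead). The certificate paths are the ones commented out in Urs's config; the shared secret and key password are placeholders, and the assumption that %D/users need not list the wireless users is marked as such.

```text
# radiator.cfg  (added example; not from the thread)
# Outer Handler: MAC allow-list, then EAP-TTLS.  Inner Handler: LDAP bind.

Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator

# Use a lower trace level in production systems:
Trace 4

<Client DEFAULT>
    # placeholder: use your own shared secret
    Secret REPLACE-WITH-YOUR-SHARED-SECRET
    DupInterval 0
</Client>

# Every request from the access points is dispatched here first.
# ContinueWhileAccept runs the AuthBy clauses in order and stops at the
# first one that does not ACCEPT, so a MAC that is not listed is rejected
# before any EAP exchange is started.
<Handler NAS-Port-Type=Wireless-IEEE-802-11>
    AuthByPolicy ContinueWhileAccept

    # 1. MAC allow-list.  NoEAP makes this clause look only at
    #    Calling-Station-Id and ignore the EAP-Message attribute.
    #    %D/addresses.mac holds one line per permitted client, e.g.
    #        0030.6503.0a96 Auth-Type = ACCEPT
    <AuthBy FILE>
        Filename %D/addresses.mac
        AuthenticateAttribute Calling-Station-Id
        NoEAP
    </AuthBy>

    # 2. Outer EAP-TTLS exchange (server certificate, TLS tunnel).
    #    The inner request Radiator extracts from the tunnel is
    #    dispatched again and lands in the TunnelledByTTLS=1 Handler.
    #    Assumption: %D/users is only needed to satisfy AuthBy FILE;
    #    the user's password is checked by the inner Handler, not here.
    <AuthBy FILE>
        Filename %D/users
        EAPType TTLS
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        # placeholder: passphrase of the server private key
        EAPTLS_PrivateKeyPassword REPLACE-WITH-KEY-PASSWORD
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
    </AuthBy>
</Handler>

# Only the tunnelled username/password reaches this Handler.
<Handler TunnelledByTTLS=1>
    <AuthBy LDAP2>
        Identifier CheckLDAP
        Host 192.168.1.21
        BaseDN dc=hopro, dc=edu
        Version 3
        UsernameAttr uid
        # Bind to the directory as the user with the tunnelled password.
        # This only works when the inner method delivers the password in
        # clear (TTLS with PAP inside); as Christian and Mike note above,
        # a bind cannot answer CHAP or MS-CHAPv2 challenges.
        ServerChecksPassword
    </AuthBy>
</Handler>
```

With this layout a trace 4 debug shows the MAC clause accepting (or rejecting) each outer packet, the TTLS clause issuing EAP challenges, and finally a second "Handling request with Handler 'TunnelledByTTLS=1'" line for the inner request, which is the point Urs's original config never reached because its only AuthBy clause had NoEAP and nothing else consumed the EAP-Message. The LDAP clause stays on the inner side on purpose: the outer packets carry no password, only the identity, so binding there could never succeed.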