(RADIATOR) problem with leap and ldap

Simon Merckx simon.merckx at virgajesse.be
Wed Mar 9 06:17:45 CST 2005


Hello Mike,

Active directory is not an option because I run radiator on Linux. But I decided not to use LEAP because of the dictionary attack that is available. I am running EAP-TTLS now. It works fine with my LDAP server.

Thanks for the advice,

Simon

-----Original Message-----
From: owner-radiator at open.com.au
[mailto:owner-radiator at open.com.au] On Behalf Of Mike McCauley
Sent: Friday 4 March 2005 10:04
To: simon.merckx at virgajesse.be
CC: radiator at open.com.au
Subject: Re: (RADIATOR) problem with leap and ldap


Hello Simon,

Your LDAP server is configured for ServerChecksPassword, which is incompatible
with LEAP and any other authentication method that uses hashed passwords
(eg MD5, CHAP, MSCHAP, MSCHAPV2 etc).

In order to authenticate LEAP with LDAP, you need to arrange for your LDAP
database to contain each user's password in one of the following formats:

plaintext
NT Hashed format
 or
reversible encryption (RCrypt) format.

I'm not sure if this is what you are trying to do, but... it is possible to
authenticate LEAP, MSCHAP etc directly to Active Directory, but only if you
use AuthBy LSA, which in turn limits you to running Radiator on Windows.

Cheers.


On Friday 04 March 2005 01:44, Simon Merckx wrote:
> I have configured cisco 1130 AP's to work with my radiator radius server. I
> use LEAP. This works fine when i use a local file with users in them. But
> when i try to use my ldap server(oracle) it fails. I have installed the
> latest patch(3.11) but that doesn't solve the problem. I have tested LDAP
> without LEAP and autheticated via radpwtst. This works fine. So my LDAP
> parameters in my config are good. Below are the last lines of output from
> radiator. Below that is my configfile. The LDAP seems to give an accept,
> but radiator does not seem to understand it. It keeps giving "EAP result:
> 1, Bad LEAP Password"
>
> Does anybody know the answer to my problem?
>
> output:
>
> Thu Mar  3 15:26:30 2005: DEBUG: LDAP got uid: mersi
> Thu Mar  3 15:26:30 2005: DEBUG: Radius::AuthLDAP2 looks for match with mersi
> Thu Mar  3 15:26:30 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Thu Mar  3 15:26:30 2005: DEBUG: EAP result: 1, Bad LEAP Password
> Thu Mar  3 15:26:30 2005: INFO: Access rejected for mersi: Bad LEAP Password
> Thu Mar  3 15:26:30 2005: DEBUG: Packet dump:
> *** Sending to 10.10.10.10 port 21650 ....
> Code:       Access-Reject
> Identifier: 111
> Authentic:  <245><175><224><227>7<190><135><186><240><163><157><229>%<248><169>
> Attributes:
>         EAP-Message = <4><3><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
>
> config:
>
> Foreground
> LogStdout
> LogDir		.
> DbDir		.
> # Use a lower trace level in production systems:
> Trace 		4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> 	Secret	abc
> 	DupInterval 0
> </Client>
>
> <Realm DEFAULT>
> #	<AuthBy FILE>
> # This says to handle all EAP requests with LEAP
> #		EAPType LEAP
> # Authenticate from the users file.
> # Caution: only plaintext passwords are supported
> #		Filename usersVJZ
> #	</AuthBy>
> 	<AuthBy LDAP2>
> 		# Tell Radiator how to talk to the LDAP server
> 		# This says to handle all EAP requests with LEAP
> 		EAPType LEAP
> 		#Host		localhost
> 		Host 		deimos.vjz
> 		#Host		oberon.vjz
> 		# You will only need these if your LDAP server
> 		# requires authentication. These are the examples
> 		# in a default OpenLDAP installation
> 		# see /etc/openldap/slapd.conf
> 		#AuthDN		cn=Manager, dc=example, dc=com
> 		#AuthPassword	secret
>
> 		# This is the top of the search tree where users
> 		# will be found. It should match the configuration
> 		# of your server, see /etc/openldap/slapd.conf
> 		#BaseDN		dc=example, dc=com
> 		BaseDN		dc=deimos, dc=vjz
> 		#BaseDN		o=lan
>
> 		# This is the LDAP attribute to match the radius user name
> 		#UsernameAttr	cn
> 		UsernameAttr	cn
>
> 		# If you don't specify ServerChecksPassword, you
> 		# need to tell Radiator which attribute contains
> 		# the password. It can be plaintext or encrypted
> 		#EncryptedPasswordAttr    userpasswd
> 		#PasswordAttr	userPassword
> 		ServerChecksPassword 1
>
> 		# You can use CheckAttr, ReplyAttr and AuthAttrDef
> 		# to specify check and reply attributes in the LDAP
> 		# database. See the reference manual for more
> 		# information
> 		#AuthAttrDef ipaddress,Framed-IP-Address,reply
>
> 		# These are the classic things to add to each users
> 		# reply to allow a PPP dialup session. It may be
> 		# different for your NAS. This will add some
> 		# reply items to everyone's reply
> 		AddToReply Framed-Protocol = PPP,\
>         		Framed-IP-Netmask = 255.255.255.255,\
>         		Framed-Routing = None,\
>         		Framed-MTU = 1500,\
> 			Framed-Compression = Van-Jacobson-TCP-IP
>
> 		# You can enable debugging of the Net::LDAP
> 		# module with this:
> 		#Debug 255
>
> 		# With LDAP2, you can enable SSL or TLS with perl-ldap 0.22 and better
> 		# by setting UseSSL or UseTLS. Not supported on Windows
> 		#UseSSL
> 		# UseTLS
> 		# If you set UseSSL or UseTLS, also need to set these:
> 		#SSLCAClientCert certificates/cert-clt.pem
> 		#SSLCAClientKey whatever
> 		#  (certificates in PEM format)
> 		# Also need to set one of:
> 		#SSLCAFile certificates/demoCA/cacert.pem
> 		# SSLCAPath /path/to/file/containing/certificate/of/CA
> 		#  (certificates in PEM format)
> 		# These set the corresponding parameters in the
> 		# LDAPS connection (see perl-ldap docs)
> 		# Requires IO::Socket::SSL, Net::SSLeay and openssl
>
> 		# You can control the timeout for connection failure,
> 		# plus the backoff time after failure. Timeout defaults
> 		# to 10 secs and FailureBackoffTime to 10 mins
> 		# Timeout 2
> 		# FailureBackoffTime 10
>
> 		# With PostSearchHook you can do your own processing
> 		# of the LDAP data.
> 		# Arg 0 is the AuthBy LDAP object
> 		# Arg 1 is the user name being authenticated
> 		# Arg 2 is the received request packet
> 		# Arg 3 is the user object holding check and reply
> 		#  items for this user
> 		# Arg 4 is the search results handle, whose type
> 		#   depends on whether it's LDAP, LDAP2, or LDAPSDK
> 		#PostSearchHook sub {print "PostSearchHook @_\n";\
> 		#	my $attr = $_[4]->get('someldapattr');\
> 		#	print "get attribute $attr\n";}
>
> 		# You can control the LDAP protocol version to be used
> 		# to talk to the LDAP server. OpenLDAP 2 requires
> 		# Version 3 unless you have 'allow bind_v2' in your
> 		# slapd.conf. Defaults to version 2
> 		Version 3
> 	</AuthBy>
> </Realm>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

--
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.




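As an added illustration (not code from this thread or from Radiator itself), the constructed Python model below shows why the ServerChecksPassword mode can check a PAP request but not a challenge/response one. It uses CHAP (RFC 1994, one of the methods Mike lists) in place of LEAP's DES-based response because the failure is the same: the RADIUS server is handed a challenge and a hash, never a password it could bind to LDAP with, so only a mode that reads the stored password (PasswordAttr) can recompute the response. The directory contents, user name, challenge and mode names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed toy directory: uid -> plaintext userPassword attribute.
DIRECTORY = {"mersi": "s3cret!"}

def ldap_bind(uid: str, password: str) -> bool:
    """ServerChecksPassword mode: bind as the user with the supplied password."""
    stored = DIRECTORY.get(uid)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def ldap_fetch_password(uid: str):
    """PasswordAttr mode: the RADIUS server reads the stored password itself."""
    return DIRECTORY.get(uid)

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def authenticate(request: dict, server_checks_password: bool) -> str:
    """Decide a PAP or CHAP request under either LDAP password-check mode."""
    uid = request["user"]
    if request["method"] == "PAP":
        # PAP carries the plaintext password, so either mode can check it.
        if server_checks_password:
            ok = ldap_bind(uid, request["password"])
        else:
            ok = ldap_fetch_password(uid) == request["password"]
        return "ACCEPT" if ok else "REJECT"
    # CHAP carries only the challenge and an MD5 response, never the password.
    if server_checks_password:
        # Nothing to bind with: this is the "Bad Password" outcome in the thread.
        return "REJECT"
    stored = ldap_fetch_password(uid)
    if stored is None:
        return "REJECT"
    expected = chap_response(request["id"], stored, request["challenge"])
    return "ACCEPT" if hmac.compare_digest(expected, request["response"]) else "REJECT"

CHALLENGE = b"\x01\x23\x45\x67\x89\xab\xcd\xef"  # constructed NAS challenge
PAP_REQ = {"method": "PAP", "user": "mersi", "password": "s3cret!"}
CHAP_REQ = {"method": "CHAP", "user": "mersi", "id": 7, "challenge": CHALLENGE,
            "response": chap_response(7, "s3cret!", CHALLENGE)}

if __name__ == "__main__":
    for req in (PAP_REQ, CHAP_REQ):
        for mode in (True, False):
            print(req["method"], "ServerChecksPassword" if mode else "PasswordAttr",
                  authenticate(req, mode))
```

Running it prints ACCEPT for both PAP cases and for CHAP with PasswordAttr, and REJECT for CHAP with ServerChecksPassword, which is the combination the log above shows failing.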