(RADIATOR) best method for Radiator and Open Directory?

Nigel Kersten nigel at cofa.unsw.edu.au
Wed Oct 12 01:09:13 CDT 2005


Sure, but it's not *quite* working perfectly.

The two problems I'm having are:

1) I don't seem to be able to anonymously bind to the LDAP server, I'm having to specify AuthDN and AuthPassword. My server definitely allows anonymous binding.
2) I thought that this config would be restricting access to users who were in /etc/radiator/users, but it's actually only working if they're *not* in that file.

Other than that it's working ok.

--------------------
Foreground
LogStdout
LogDir          .
DbDir           .
Trace           4

AuthPort        1812
AcctPort        1813

<Client DEFAULT>
         Secret  mysecret
         DupInterval 0
</Client>

<AuthBy LDAP2>
Identifier      CheckLDAP
Host            godzilla.cofa.unsw.edu.au
BaseDN          cn=users,dc=cofa,dc=unsw,dc=edu,dc=au
AuthDN          uid=somefakeuser,cn=users,dc=cofa,dc=unsw,dc=edu,dc=au
AuthPassword    somefakepassword
UsernameAttr    uid
ServerChecksPassword
HoldServerConnection
AddToReply Framed-Protocol = PPP,\
         Framed-IP-Netmask = 255.255.255.255,\
         Framed-Routing = None,\
         Framed-MTU = 1500,\
         Framed-Compression = Van-Jacobson-TCP-IP
Version 3
AuthAttrDef     uid,User-Name,reply
</AuthBy>

<AuthBy FILE>
     Identifier  AuthFILE
     Filename %D/users
     EAPType TTLS,PEAP
     EAPTLS_CAFile %D/certificates/cacert.pem
     EAPTLS_CertificateFile %D/certificates/cert-srv.pem
     EAPTLS_CertificateType PEM
     EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
     EAPTLS_PrivateKeyPassword mysecretpassword
     #EAPTLS_RandomFile %D/certificates/random
     EAPTLS_MaxFragmentSize 1000
     #EAPTLS_DHFile %D/certificates/cert/dh
     #EAPTLS_CRLCheck
     #EAPTLS_CRLFile %D/certificates/crl.pem
     #EAPTLS_CRLFile %D/certificates/revocations.pem
     AutoMPPEKeys
     SSLeayTrace 4
     # EAPAnonymous anonymous at some.other.realm
     EAPAnonymous %0
     #EAPTLS_SessionResumption 0
     #EAPTLS_SessionResumptionLimit 10
     EAPTLS_PEAPVersion 0
     #EAPTLS_PEAPBrokenV1Label
</AuthBy>

<Handler NAS-Identifier=CofaWide>
         AuthBy  AuthFILE
</Handler>

<Handler TunnelledByTTLS=1>
         AuthBy  CheckLDAP
</Handler>
---------------



On 12/10/2005, at 2:50 PM, Hugh Irvine wrote:

>
> Hello Nigel -
>
> Yes your configuration is correct.
>
> Your only option with encrypted passwords in your user database is  
> TTLS-PAP.
>
> BTW - would you be agreeable to sending me a copy of your  
> configuration file (no details) so I can add it to the examples in  
> the "goodies" directory?
>
> We quite often get requests from people wanting to set up Radiator in this environment.
>
> thanks and regards
>
> Hugh
>
>
> On 11 Oct 2005, at 23:56, Nigel Kersten wrote:
>
>
>> Hi there.
>>
>> I'm currently evaluating Radiator, and just wanted to make sure  
>> that I've got things working in the best possible manner.
>>
>> I've got Radiator working with my Airport Extreme base stations,  
>> and authenticating against Open Directory, which is Apple's  
>> directory service, and it essentially consists of OpenLDAP, SASL  
>> and Kerberos.
>>
>> I'm currently working using EAP/TTLS with PAP as the inner  
>> authentication.
>>
>> Is this my best option considering that I wish to authenticate  
>> against an LDAP directory that doesn't contain the actual password?
>>
>>
>> --
>> Nigel Kersten [Senior Technical Officer]
>> College of Fine Arts, University of NSW, Australia.
>> CRICOS Provider Code: 00098G
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
>

--
Nigel Kersten [Senior Technical Officer]
College of Fine Arts, University of NSW, Australia.
CRICOS Provider Code: 00098G
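An added example, not part of the thread or of Radiator itself: a small parser for the config format posted above, used to print which AuthBy each Handler actually dispatches to. On this config it shows that requests tunnelled by TTLS reach only CheckLDAP, so the AuthBy FILE users file is never consulted for the inner PAP authentication. The sample config is a constructed excerpt with a placeholder bind DN.

```python
import re

# Constructed excerpt of the config posted above (bind DN is a placeholder).
SAMPLE = """\
<AuthBy LDAP2>
Identifier      CheckLDAP
AuthDN          uid=binduser,cn=users,dc=example,dc=invalid
ServerChecksPassword
AddToReply Framed-Protocol = PPP,\\
         Framed-MTU = 1500
</AuthBy>
<AuthBy FILE>
     Identifier  AuthFILE
     Filename %D/users
</AuthBy>
<Handler NAS-Identifier=CofaWide>
         AuthBy  AuthFILE
</Handler>
<Handler TunnelledByTTLS=1>
         AuthBy  CheckLDAP
</Handler>
"""

def parse_radiator(text):
    """Return [(block_type, block_arg, {key: value})] for one nesting level."""
    blocks, cur, pending = [], None, ""
    for raw in text.splitlines():
        # Join backslash continuation lines (as in AddToReply) before parsing.
        line = (pending + " " + raw.strip()) if pending else raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(\w+)\s*([^>]*)>$", line)
        if m and cur is None:  # opener such as <Handler TunnelledByTTLS=1>
            cur = (m.group(1), m.group(2).strip(), {})
        elif line.startswith("</") and cur is not None:
            blocks.append(cur)
            cur = None
        elif cur is not None:  # "Key value", or a bare flag like ServerChecksPassword
            parts = line.split(None, 1)
            cur[2][parts[0]] = parts[1].strip() if len(parts) > 1 else True
    return blocks

def handler_routing(blocks):
    """Map Handler selector -> (AuthBy Identifier, AuthBy type); one AuthBy per Handler assumed."""
    authbys = {kv.get("Identifier"): arg for t, arg, kv in blocks if t == "AuthBy"}
    return {arg: (kv.get("AuthBy"), authbys.get(kv.get("AuthBy")))
            for t, arg, kv in blocks if t == "Handler"}
```

Running `handler_routing(parse_radiator(SAMPLE))` yields `{"NAS-Identifier=CofaWide": ("AuthFILE", "FILE"), "TunnelledByTTLS=1": ("CheckLDAP", "LDAP2")}`; with ServerChecksPassword set, the LDAP2 block needs the plaintext inner password, which is why the inner method has to be PAP.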



