(RADIATOR) best method for Radiator and Open Directory?

Mike McCauley mikem at open.com.au
Wed Oct 12 01:24:08 CDT 2005


Hello Nigel,

On Wednesday 12 October 2005 16:09, Nigel Kersten wrote:
> Sure, but it's not *quite* working perfectly.
>
> The two problems I'm having are:
>
> 1) I don't seem to be able to anonymously bind to the LDAP server,
> I'm having to specify AuthDN and AuthPassword. My server definitely
> allows anonymous binding.

There was a problem with anonymous binding that was fixed in the latest 
Radiator patch set.

> 2) I thought that this config would be restricting access to users
> who were in /etc/radiator/users, but it's actually only working if
> they're *not* in that file.
>
> Other than that it's working ok.
>
> --------------------
> Foreground
> LogStdout
> LogDir          .
> DbDir           .
> Trace           4
>
> AuthPort        1812
> AcctPort        1813
>
> <Client DEFAULT>
>          Secret  mysecret
>          DupInterval 0
> </Client>
>
> <AuthBy LDAP2>
> Identifier      CheckLDAP
> Host            godzilla.cofa.unsw.edu.au
> BaseDN          cn=users,dc=cofa,dc=unsw,dc=edu,dc=au
> AuthDN          uid=somefakeuser,cn=users,dc=cofa,dc=unsw,dc=edu,dc=au
> AuthPassword    somefakepassword
> UsernameAttr    uid
> ServerChecksPassword
> HoldServerConnection
> AddToReply Framed-Protocol = PPP,\
>          Framed-IP-Netmask = 255.255.255.255,\
>          Framed-Routing = None,\
>          Framed-MTU = 1500,\
>          Framed-Compression = Van-Jacobson-TCP-IP
> Version 3
> AuthAttrDef     uid,User-Name,reply
> </AuthBy>
>
> <AuthBy FILE>
>      Identifier  AuthFILE
>      Filename %D/users
>      EAPType TTLS,PEAP
>      EAPTLS_CAFile %D/certificates/cacert.pem
>      EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>      EAPTLS_CertificateType PEM
>      EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>      EAPTLS_PrivateKeyPassword mysecretpassword
>      #EAPTLS_RandomFile %D/certificates/random
>      EAPTLS_MaxFragmentSize 1000
>      #EAPTLS_DHFile %D/certificates/cert/dh
>      #EAPTLS_CRLCheck
>      #EAPTLS_CRLFile %D/certificates/crl.pem
>      #EAPTLS_CRLFile %D/certificates/revocations.pem
>      AutoMPPEKeys
>      SSLeayTrace 4
>      # EAPAnonymous anonymous at some.other.realm
>      EAPAnonymous %0
>      #EAPTLS_SessionResumption 0
>      #EAPTLS_SessionResumptionLimit 10
>      EAPTLS_PEAPVersion 0
>      #EAPTLS_PEAPBrokenV1Label
> </AuthBy>
>
> <Handler NAS-Identifier=CofaWide>
>          AuthBy  AuthFILE
> </Handler>
>
> <Handler TunnelledByTTLS=1>
>          AuthBy  CheckLDAP
> </Handler>
> ---------------
>
> On 12/10/2005, at 2:50 PM, Hugh Irvine wrote:
> > Hello Nigel -
> >
> > Yes your configuration is correct.
> >
> > Your only option with encrypted passwords in your user database is
> > TTLS-PAP.
> >
> > BTW - would you be agreeable to sending me a copy of your
> > configuration file (no details) so I can add it to the examples in
> > the "goodies" directory?
> >
> > We quite often get requests from people wanting to set up Radiator
> > in this  environment.
> >
> > thanks and regards
> >
> > Hugh
> >
> > On 11 Oct 2005, at 23:56, Nigel Kersten wrote:
> >> Hi there.
> >>
> >> I'm currently evaluating Radiator, and just wanted to make sure
> >> that I've got things working in the best possible manner.
> >>
> >> I've got Radiator working with my Airport Extreme base stations,
> >> and authenticating against Open Directory, which is Apple's
> >> directory service, and it essentially consists of OpenLDAP, SASL
> >> and Kerberos.
> >>
> >> I'm currently working using EAP/TTLS with PAP as the inner
> >> authentication.
> >>
> >> Is this my best option considering that I wish to authenticate
> >> against an LDAP directory that doesn't contain the actual password?
> >>
> >>
> >> --
> >> Nigel Kersten [Senior Technical Officer]
> >> College of Fine Arts, University of NSW, Australia.
> >> CRICOS Provider Code: 00098G
> >>
> >>
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive (www.open.com.au/
> > archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Nigel Kersten [Senior Technical Officer]
> College of Fine Arts, University of NSW, Australia.
> CRICOS Provider Code: 00098G
>
>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
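As an added illustration of Hugh's point above that TTLS-PAP is the only option when the directory holds only a hashed password (example code written for this page, not code from the thread or from Radiator): with PAP the inner tunnel carries the cleartext password, so the server can verify it against a salted hash such as OpenLDAP's {SSHA} userPassword, which is also what ServerChecksPassword relies on; with CHAP the server must compute MD5(id || password || challenge) itself (RFC 1994), which is impossible from a salted SHA-1 digest (MS-CHAPv2 likewise needs the NT hash). The {SSHA} layout, the sample entry and the "nigel" credentials are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password the way OpenLDAP stores {SSHA} userPassword values:
    base64(SHA1(password || salt) || salt), prefixed with {SSHA}."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a cleartext candidate against an {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    recomputed = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: the client proves knowledge of the password by sending
    MD5(id || password || challenge). The server must redo this calculation."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def verify_pap(stored: str, candidate: str) -> bool:
    """TTLS-PAP: the cleartext password arrives inside the TLS tunnel, so the
    server can check it against the hash in the directory."""
    return check_ssha(stored, candidate)


def verify_chap(stored: str, chap_id: int, challenge: bytes, response: bytes) -> Optional[bool]:
    """TTLS-CHAP: returns True/False only when the store holds the cleartext
    password; returns None when it holds an {SSHA} hash, because the MD5 over
    the cleartext cannot be recomputed from a salted SHA-1 digest."""
    if stored.startswith("{SSHA}"):
        return None
    expected = chap_response(chap_id, stored, challenge)
    return hmac.compare_digest(expected, response)


# Constructed directory entry for the example (not real credentials).
DIRECTORY = {"nigel": make_ssha("correct horse", salt=b"\x01\x02\x03\x04")}


if __name__ == "__main__":
    challenge = os.urandom(16)
    resp = chap_response(7, "correct horse", challenge)
    print("PAP against {SSHA}: ", verify_pap(DIRECTORY["nigel"], "correct horse"))
    print("CHAP against {SSHA}:", verify_chap(DIRECTORY["nigel"], 7, challenge, resp))
```

The price of TTLS-PAP is that the password crosses the wire in cleartext inside the tunnel, so the outer TLS server certificate (EAPTLS_CertificateFile above) and the clients' validation of it are the only things standing between a rogue access point and the users' directory passwords.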