(RADIATOR) 802.1x (PEAP w/ MSCHAPV2) to Active Directory with VLAN assignment
Hugh Irvine
hugh at open.com.au
Tue Sep 27 21:49:21 CDT 2005
Hello Virgil -
You will find numerous examples in the file "goodies/hooks.txt" in
the Radiator 3.13 distribution.
regards
Hugh
On 28 Sep 2005, at 12:41, Virgil wrote:
> On 14/9/05 9:37 PM, "Mike McCauley" <mikem at open.com.au> wrote:
>
> Mike, and others,
>
>
>>> Will AuthBy LSA work with userPrincipalName ?
>>>
>>
>> AuthBy LSA uses the Windows LogonUserNetworkMSCHAP function, which will
>> authenticate the user in the same way as a standard Windows user logon. You
>> may need to rewrite the user name into DOMAIN\user format?
>>
>
>
> My problem is that the "user" part of "DOMAIN\user" has no correlation to
> the "user" part of "user@domain.name", except in the LDAP tree. The current
> plan is to use a PreAuthHook to convert a supplied user@domain.name
> User-Name into a NT4/LSA username via an LDAP lookup.
>
> Can anyone give me some help with the PreAuthHook code?
>
> <AuthBy LDAP2>
>         Identifier      LDAP-PEAP
>         EAPType         PEAP
>         EAPAnonymous    %0
>
>         ...
>         ServerChecksPassword
>         UsernameAttr    userPrincipalName
>         AuthAttrDef     extensionAttribute13,Tunnel-Private-Group-ID,reply
>         ...
>
> </AuthBy>
>
>
> <Handler TunnelledByPEAP=1>
>         # PEAP inner request
>         <AuthBy LSA>
>                 EAPType MSCHAP-V2
>                 # "NT4" domain name for AD
>                 Domain  DOMAINNAME
>
>                 # LDAP lookup to select sAMAccountName
>                 # that matches userPrincipalName for supplied "User-Name"
>                 # (a hook kept in a file needs the file:"..." form)
>                 PreAuthHook  file:"%D/upn2sam.pl"
>
>                 # LDAP lookup to select extensionAttribute13
>                 # that matches userPrincipalName for supplied "User-Name"
>                 PostAuthHook file:"%D/ldapvlan.pl"
>
>         </AuthBy>
> </Handler>
>
> <Handler NAS-Port-Type=Ethernet, Service-Type=Framed-User>
>         # dot1x auth on switches
>         AuthBy LDAP-PEAP
>
>         AddToReplyIfNotExist Tunnel-Type = VLAN,\
>                 Tunnel-Medium-Type = Ether_802
>
>         RejectHasReason
>         AcctLogFileName %L/detail
> </Handler>
>
>
>
> Regards
> Virgil
>
> --
> virgil at webcentral.com.au
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
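For readers arriving from the archive: Hugh's pointer to goodies/hooks.txt is the authoritative source, but an illustration of what the upn2sam.pl PreAuthHook Virgil describes might look like follows. This is an added example written for this archive page; it is not code from the thread, from Radiator's goodies directory, or from OSC. It assumes the hook calling convention documented in hooks.txt (the request is reached as ${$_[0]} and the reply as ${$_[1]}), uses the request/reply methods get_attr, change_attr and add_attr and the &main::log logger, and uses placeholder values for the LDAP host, bind DN, bind password and search base. It goes one step beyond the posted config by pulling extensionAttribute13 out of the same LDAP query and adding Tunnel-Private-Group-ID to the reply, so the separate ldapvlan.pl PostAuthHook is not strictly needed.

```perl
# upn2sam.pl - Radiator PreAuthHook for the PEAP inner AuthBy LSA clause.
# Added example, not from the mailing list post or from Radiator itself.
# Rewrites a userPrincipalName-style User-Name ("user@domain.name") into the
# sAMAccountName that AuthBy LSA expects; the NT4 domain comes from the
# Domain parameter of the AuthBy LSA clause.
# Assumed (per the hooks.txt convention): $_[0] is a reference to the
# request, $_[1] a reference to the reply. LDAP settings are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

sub {
    my $p  = ${$_[0]};   # inner (PEAP-tunnelled) Access-Request
    my $rp = ${$_[1]};   # reply being built for it

    my $name = $p->get_attr('User-Name');
    return unless defined $name && $name =~ /\@/;   # already DOMAIN\user or plain

    # Placeholder connection details; bind as a read-only lookup account.
    my $host   = 'ldap.example.com';
    my $binddn = 'CN=radius-lookup,OU=Service Accounts,DC=example,DC=com';
    my $bindpw = 'CHANGE-ME';
    my $base   = 'DC=example,DC=com';

    my $ldap = Net::LDAP->new($host, timeout => 5);
    unless ($ldap) {
        &main::log($main::LOG_WARNING, "upn2sam: cannot connect to $host: $@");
        return;
    }
    my $mesg = $ldap->bind($binddn, password => $bindpw);
    if ($mesg->code) {
        &main::log($main::LOG_WARNING, 'upn2sam: bind failed: ' . $mesg->error);
        $ldap->unbind;
        return;
    }

    # Escape the supplied identity so a crafted User-Name cannot change the
    # meaning of the search filter (LDAP filter injection).
    my $filter = '(userPrincipalName=' . escape_filter_value($name) . ')';
    $mesg = $ldap->search(
        base   => $base,
        scope  => 'sub',
        filter => $filter,
        attrs  => ['sAMAccountName', 'extensionAttribute13'],
    );

    if ($mesg->code || $mesg->count != 1) {
        # No match or an ambiguous match: leave User-Name untouched so that
        # AuthBy LSA rejects the request instead of guessing an account.
        &main::log($main::LOG_INFO,
                   "upn2sam: no unique entry for $name (" . $mesg->count . ' found)');
        $ldap->unbind;
        return;
    }

    my $entry = $mesg->entry(0);
    my $sam   = $entry->get_value('sAMAccountName');
    my $vlan  = $entry->get_value('extensionAttribute13');
    $ldap->unbind;

    if (defined $sam) {
        &main::log($main::LOG_DEBUG, "upn2sam: rewriting User-Name $name to $sam");
        $p->change_attr('User-Name', $sam);
    }

    # The same lookup yields the VLAN; Tunnel-Type and Tunnel-Medium-Type are
    # supplied by AddToReplyIfNotExist in the outer Handler.
    $rp->add_attr('Tunnel-Private-Group-ID', $vlan) if defined $vlan;
    return;
}
```

The file evaluates to a single anonymous sub, which is what a file:"..." hook must return. The lookup is deliberately fail-closed: any connection, bind or search problem logs and leaves User-Name as the UPN, which AuthBy LSA will not accept. If the reply attribute should only ever appear in an Access-Accept, move the add_attr line into a PostAuthHook that checks the result code, as Virgil's original two-hook layout does.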