(RADIATOR) Support for Microsoft groups with AuthBy LSA
romanjoh at msnotes.wustl.edu
romanjoh at msnotes.wustl.edu
Mon Aug 7 14:08:17 CDT 2006
Thanks for the patch. However, I have tested it out and I have still not
been able to authenticate using AuthBy LSA and groups. The problem (as I
understand it to be) is that the attempts to check if a user is a member of
a group always uses the username of anonymous. I have put in a bit of
debugging code and sniffed the connection between the RADIUS server and the
domain controllers and the evidence is consistent. Details below for those
interested.
The question then is how does one get the real username to pass to the
GroupIsMember call?
---
Evidence from the tests:
I made changes to two routines in AuthLSA.pm:
#####################################################################
# Check if the user is in the global group
sub userIsInGroup
{
my ($self, $user, $group) = @_;
require Win32::NetAdmin;
import Win32::NetAdmin;
my ($domain, $username) = $self->crack_name($user);
# Find the controller to use
my $controller = $self->{DomainController};
if (!defined $controller)
{
$controller = $self->{controllers}{$domain};
if (!defined $controller)
{
&Win32::NetAdmin::GetDomainController(undef, $domain,
$controller);
$self->{controllers}{$domain} = $controller;
}
}
---> $self->log($main::LOG_DEBUG, "Group: $group Controller $controller
User $user Username $username");
return &Win32::NetAdmin::GroupIsMember($controller, $group, $username)
|| &Win32::NetAdmin::LocalGroupIsMember($controller, $group,
$username);
}
#####################################################################
# We subclass this to do special checks: there are no check items
# except the password, and only if its not an EAP
sub checkUserAttributes
{
my ($self, $user, $p) = @_;
my $userName = $p->getUserName();
# Check for required group membership
if (defined $self->{Group})
{
my $ismember;
foreach (@{$self->{Group}})
{
$ismember++, last if $self->userIsInGroup($userName, $_);
}
--> return ($main::REJECT, "AuthBy LSA LUser $user $userName is not a
member of any Group")
unless $ismember;
}
# Short circuit authetication in EAP requests ?
return ($main::ACCEPT)
if $p->getAttrByNum($Radius::Radius::EAP_MESSAGE);
return ($main::ACCEPT) if $self->check_password($p,
$p->decodedPassword(), $userName);
return ($main::REJECT, 'AuthBy LSA Password check failed');
}
(the lines I changed/added are marked -->; the extra capital el is a slip
of the finger)
Here is the appropriate log snippets. The debug line in userIsInGroup
produce the lines that indicate the Groups (Administrators, Domain Users)
but the username is anonymous rather than romanjoh as needed.
Mon Aug 7 13:45:58 2006: DEBUG: Handling request with Handler ''
Mon Aug 7 13:45:58 2006: DEBUG: Deleting session for anonymous,
10.39.151.231, 877
Mon Aug 7 13:45:58 2006: DEBUG: Handling with Radius::AuthLSA:
Mon Aug 7 13:45:58 2006: DEBUG: Handling with EAP: code 2, 9, 71
Mon Aug 7 13:45:58 2006: DEBUG: Response type 26
Mon Aug 7 13:45:58 2006: DEBUG: Radius::AuthLSA looks for match with
MEDPRIV\romanjoh [anonymous]
Mon Aug 7 13:45:58 2006: DEBUG: Group: Administrators Controller
\\MEDPRIVDC2 User anonymous Username anonymous
Mon Aug 7 13:45:58 2006: DEBUG: Group: Domain Users Controller
\\MEDPRIVDC2 User anonymous Username anonymous
Mon Aug 7 13:45:58 2006: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA LUser
Radius::User=HASH(0x1c48ba4) anonymous is not a member of any Group:
MEDPRIV\romanjoh [anonymous]
Mon Aug 7 13:45:58 2006: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no
such user MEDPRIV\romanjoh
Mon Aug 7 13:45:58 2006: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2
failed: no such user MEDPRIV\romanjoh
Mon Aug 7 13:45:58 2006: INFO: Access rejected for anonymous: EAP MSCHAP
V2 failed: no such user MEDPRIV\romanjoh
Mon Aug 7 13:45:58 2006: DEBUG: Returned PEAP tunnelled packet dump:
Here is the complete config file (renamed to radius.cfg, since we are
installed and running as a Windows service)
# lsa_eap_multi.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# PAP, EAP-TTLS and EAP-PEAP authentication as used by Windows XP
# (starting with SP1) using AuthBy LSA and Microsoft Active Directory.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate Wireless PEAP users from a Windows LSA,
which
# permits authentication against any Windows Active Directory Domain
# or NT Domain.
# It will accept requests from any client and try to handle request
# for any realm.
# To use this LSA, Radiator must be run on Windows as Administrator,
# or as a user that has the 'Act as part of the operating system' security
policy
# enabled.
# Note: AuthBy LSA is _only_ available on Windows 2000, 2003 and XP (not
Home edition).
#
# To use this example, Radiator must be run on Windows as Administrator,
# or as a user that has the 'Act as part of the operating system' security
policy
# enabled. This is not possible with Windows XP Home edition.
#
# Requires the Win32-Lsa perl module from Open System Consultants.
# Install the Win32-Lsa perl module using PPM and ActivePerl 5.6.1 like
this:
# ppm install
http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
#
# Users will only be authenticated if they have the 'Access this computer
from the network'
# security policy enabled. Their other account restrictions will also be
checked
# CHAP passwords can only be authenticated if the user has their
# 'Store password using reversible encryption' option enabled in their
Account
#
# In order to test this, you can user the sample test certificates
# supplied with Radiator. For production, you
# WILL need to install a real valid server certificate and
# key for Radiator to use. Runs with openssl on Unix and Windows.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# Requires openssl and Net_SSLeay.
#
# You should consider this file to be a starting point only
# $Id: lsa_eap_multi.cfg,v 1.2 2006/01/16 00:07:32 mikem Exp $
LogDir c:\Program Files\Radiator
DbDir c:\Program Files\Radiator
AuthPort 1812
AcctPort 1813
# User a lower trace level in production systems:
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret xxxxxxxx
DupInterval 0
</Client>
# This clause handles Radius PAP, CHAP, MSCHAP and MSCHAPV2 and also
# handles the outer and inner requests for TTSL and PEAP. You can use
# it to authenticate almost anything against Microsoft Active Directory
<Handler>
<AuthBy LSA>
# Specifies which Windows Domain is ALWAYS to be used to
authenticate
# users (even if they specify a different domain in their
username).
# Empty string means the local machine only
# Special characters are supported. Can be an Active
# directory domain or a Windows NT domain controller
# domain name
# Empty string (the default) means the local machine
#Domain OPEN
# Specifies the Windows Domain to use if the user does not
# specify a doain domain in their username.
# Special characters are supported. Can be an Active
# directory domain or a Windows NT domain controller
# domain name
# Empty string (the default) means the local machine
#DefaultDomain OPEN
# You can check whether each user is the member of a windows
group
# with the Group parameter. If more than one Group is
specified, then the
# user must be a member of at least one of them. Requires
Win32::NetAdmin
# (which is installed by default with ActivePerl). If no Group
# parameters are specified, then Group checks will not be
performed.
Group Administrators
Group Domain Users
# You can specify which domain controller will be used to check
group
# membership with the DomainController parameter. If no Group
parameters
# are specified, DomainController wil not be used. Defaults to
# empty string, meaning the default controller of the host
where this
# instance of Radaitor is running.
#DomainController zulu
# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType PEAP, TTLS, MSCHAP-V2
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
# EAPTLS_CAPath
# EAPTLS_CertificateFile is the name of a file containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile is the name of the file containing
# the servers private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to descrypt it
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
# EAPTLS_RandomFile is an optional file containing
# randdomness
# EAPTLS_RandomFile %D/certificates/random
# EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes
# Aironet APs seem to need a smaller MaxFragmentSize
# (eg 1024) than the default of 2048. Others need even smaller
sizes.
EAPTLS_MaxFragmentSize 1000
# EAPTLS_DHFile if set specifies the DH group file. It
# may be required if you need to use ephemeral DH keys.
# EAPTLS_DHFile %D/certificates/cert/dh
# If EAPTLS_CRLCheck is set and the client presents a
certificate
# then Radiator will look for a certificate revocation list
(CRL)
# for the certificate issuer
# when authenticating each client. If a CRL file is not found,
or
# if the CRL says the certificate has neen revoked, the
authentication will
# fail with an error:
# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
# One or more CRLs can be named with the EAPTLS_CRLFile
parameter.
# Alternatively, CRLs may follow a file naming convention:
# the hash of the issuer subject name
# and a suffix that depends on the serial number.
# eg ab1331b2.r0, ab1331b2.r1 etc.
# You can find out the hash of the issuer name in a CRL with
# openssl crl -in crl.pem -hash -noout
# CRLs with tis name convention
# will be searched in EAPTLS_CAPath, else in the openssl
# certificates directory typically /usr/local/openssl/certs/
# CRLs are expected to be in PEM format.
# A CRL files can be generated with openssl like this:
# openssl ca -gencrl -revoke cert-clt.pem
# openssl ca -gencrl -out crl.pem
# Use of these flags requires Net_SSLeay-1.21 or later
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
# Some clients, depending on their configuration, may require
you to specify
# MPPE send and receive keys. This _will_ be required if you
select
# 'Keys will be generated automatically for data privacy' in
the Funk Odyssey
# client Network Properties dialog.
# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
# in the final Access-Accept
AutoMPPEKeys
# You can enable some warning messages from the Net::SSLeay
# module by setting SSLeayTrace to an integer from 1 to 4
# 1=ciphers, 2=trace, 3=dump data
SSLeayTrace 4
# You can configure the User-Name that will be used for the
inner
# authentication. Defaults to 'anonymous'. This can be useful
# when proxying the inner authentication. If tehre is a realm,
it can
# be used to choose a local Realm to handle the inner
authentication.
# %0 is replaced with the EAP identitiy
# EAPAnonymous anonymous at some.other.realm
# You can enable or disable support for TTLS Session Resumption
and
# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
# Default is enabled
#EAPTLS_SessionResumption 0
# You can limit how long after the initial session that a
session can be resumed
# with EAPTLS_SessionResumptionLimit (time in seconds).
Defaults to 43200
# (12 hours)
#EAPTLS_SessionResumptionLimit 10
EAPTLS_PEAPVersion 1
EAPTLS_PEAPBrokenV1Label
</AuthBy>
</Handler>
Hugh Irvine
<hugh at open.com.au
> To
Sent by: romanjoh at msnotes.wustl.edu
owner-radiator at op cc
en.com.au radiator at open.com.au
Subject
Re: (RADIATOR) Support for
08/02/2006 06:28 Microsoft groups with AuthBy LSA
PM
Hello John -
We have just added some addtional group checking in AuthBy LSA -
perhaps you could test it for us?
The patches are available in the Radiator 3.15 patch set.
thanks and regards
Hugh
On 2 Aug 2006, at 23:25, romanjoh at msnotes.wustl.edu wrote:
> Here is a link that explains the three types of group:
>
> http://technet2.microsoft.com/WindowsServer/en/library/79d93e46-
> ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
>
> The highlights: "There are three group scopes: universal, global,
> and domain local.
>
> Members of universal groups can include other groups and accounts
> from any domain in the domain tree or forest and can be assigned
> permissions in any domain in the domain tree or forest.
>
> Members of global groups can include other groups and accounts only
> from the domain in which the group is defined and can be assigned
> permissions in any domain in the forest.
>
> Members of domain local groups can include other groups and
> accounts from Windows Server 2003, Windows 2000, or Windows NT
> domains and can be assigned permissions only within a domain."
>
>
> Here is another link:
> http://www.samspublishing.com/articles/article.asp?
> p=98126&seqNum=2&rl=1
>
> Our need is to permit wireless access to members of a group. The
> group is in one domain (the forest root domain) and the users are
> in subdomains in that forest. This requires the use of universal
> groups rather than global groups. I have just exhausted my
> understanding of things Microsoft since I come from the networking
> side, but if you have more questions let me know. I do wonder what
> is the difference between global and universal groups that they are
> treated differently in the system call below.
>
> Many thanks,
>
> john
>
> <graycol.gif>
> Hugh Irvine <hugh at open.com.au>
>
>
> Hugh Irvine <hugh at open.com.au>
> 08/02/2006 03:41 AM
>
> <ecblank.gif>
>
> To
> <ecblank.gif>
>
> romanjoh at msnotes.wustl.edu
> <ecblank.gif>
>
> cc
> <ecblank.gif>
>
> radiator at open.com.au
> <ecblank.gif>
>
> Subject
> <ecblank.gif>
>
> Re: (RADIATOR) Support for Microsoft groups with AuthBy LSA
> <ecblank.gif>
> <ecblank.gif>
>
>
> Hello John -
>
> At the moment Radiator only supports Global groups - but can you
> point us to some description of Universal groups?
>
> regards
>
> Hugh
>
>
> On 2 Aug 2006, at 02:42, romanjoh at msnotes.wustl.edu wrote:
>
> > We are evaluating Radiator to replace another Radius server, and
> > our need is to be able to authenticate users by Microsoft groups.
> > Specifically, we need support for universal groups.Three types of
> > Microsoft groups: Domain Local Groups, Global Groups, and Universal
> > Groups.
> >
> > The documentation indicates in 5.51.7 that "Only Global groups are
> > supported" for Groups in AuthBy LSA. The Perl code is:
> > Win32::NetAdmin::GroupIsMember($controller, $group, $username) in
> > AuthLSA.pm. I have not been able to tell from the ActiveState/
> > Win32::NetAdmin documentation which types of groups are supported.
> >
> > Does this mean (as it appears) that Universal Groups are not
> > supported? Does anyone have any experience or knowledge?
> >
> >
> > John Roman
> >
> > jroman at wustl.edu
> > Manager, Network Services
> > Washington University
> > Box 8132
> > 660 S Euclid Avenue
> > Saint Louis, MO 63110
> > 314-362-7334
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.open.com.au/pipermail/radiator/attachments/20060807/791f1d6a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20060807/791f1d6a/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pic13931.gif
Type: image/gif
Size: 1255 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20060807/791f1d6a/attachment-0001.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecblank.gif
Type: image/gif
Size: 45 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20060807/791f1d6a/attachment-0002.gif>
More information about the radiator
mailing list