(RADIATOR) Support for Microsoft groups with AuthBy LSA

Hugh Irvine hugh at open.com.au
Mon Aug 7 16:59:22 CDT 2006


Hello John -

You will need to use two Handlers to split up the processing into the "outer" and "inner" component parts.

Something like this:



LogDir	c:\Program Files\Radiator
DbDir	c:\Program Files\Radiator

AuthPort	1812
AcctPort	1813

# Use a lower trace level in production systems:
Trace 4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret	xxxxxxxx
DupInterval 0
</Client>

# This clause handles Radius PAP, CHAP, MSCHAP and MSCHAPV2 and also
# handles the outer and inner requests for TTLS and PEAP. You can use
# it to authenticate almost anything against Microsoft Active Directory

# process "inner" request

<Handler TunnelledByPEAP = 1>
	<AuthBy LSA>
		# Specifies which Windows Domain is ALWAYS to be used to authenticate
		# users (even if they specify a different domain in their username).
		# Empty string means the local machine only
		# Special characters are supported. Can be an Active
		# directory domain or a Windows NT domain controller
		# domain name
		# Empty string (the default) means the local machine
		#Domain OPEN

		# Specifies the Windows Domain to use if the user does not
		# specify a domain in their username.
		# Special characters are supported. Can be an Active
		# directory domain or a Windows NT domain controller
		# domain name
		# Empty string (the default) means the local machine
		#DefaultDomain OPEN

		# You can check whether each user is the member of a windows group
		# with the Group parameter. If more than one Group is specified, then the
		# user must be a member of at least one of them. Requires Win32::NetAdmin
		# (which is installed by default with ActivePerl). If no Group
		# parameters are specified, then Group checks will not be performed.
		Group Administrators
		Group Domain Users
	
		# You can specify which domain controller will be used to check group
		# membership with the DomainController parameter. If no Group parameters
		# are specified, DomainController will not be used. Defaults to
		# empty string, meaning the default controller of the host where this
		# instance of Radiator is running.
		#DomainController zulu
	</AuthBy>
</Handler>

# process "outer" requests

<Handler>
	<AuthBy FILE>
		# this file only needs "anonymous"
		Filename %D/users.anonymous

		# EAPType sets the EAP type(s) that Radiator will honour.
		# Options are: MD5-Challenge, One-Time-Password
		# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
		# Multiple types can be comma separated. With the default (most
		# preferred) type given first
		EAPType PEAP, TTLS, MSCHAP-V2

		# EAPTLS_CAFile is the name of a file of CA certificates
		# in PEM format. The file can contain several CA certificates
		# Radiator will first look in EAPTLS_CAFile then in
		# EAPTLS_CAPath, so there usually is no need to set both
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem

		# EAPTLS_CAPath is the name of a directory containing CA
		# certificates in PEM format. The files each contain one
		# CA certificate. The files are looked up by the CA
		# subject name hash value
		#	EAPTLS_CAPath

		# EAPTLS_CertificateFile is the name of a file containing
		# the servers certificate. EAPTLS_CertificateType
		# specifies the type of the file. Can be PEM or ASN1
		# defaults to ASN1
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM
	
		# EAPTLS_PrivateKeyFile is the name of the file containing
		# the servers private key. It is sometimes in the same file
		# as the server certificate (EAPTLS_CertificateFile)
		# If the private key is encrypted (usually the case)
		# then EAPTLS_PrivateKeyPassword is the key to decrypt it
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever

		# EAPTLS_RandomFile is an optional file containing
		# randomness
		#	EAPTLS_RandomFile %D/certificates/random

		# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
		# size that will be replied by Radiator. It must be small
		# enough to fit in a single Radius request (ie less than 4096)
		# and still leave enough space for other attributes
		# Aironet APs seem to need a smaller MaxFragmentSize
		# (eg 1024) than the default of 2048. Others need even smaller sizes.
		EAPTLS_MaxFragmentSize 1000

		# EAPTLS_DHFile if set specifies the DH group file. It
		# may be required if you need to use ephemeral DH keys.
		#	EAPTLS_DHFile %D/certificates/cert/dh


		# If EAPTLS_CRLCheck is set and the client presents a certificate
		# then Radiator will look for a certificate revocation list (CRL)
		# for the certificate issuer
		# when authenticating each client. If a CRL file is not found, or
		# if the CRL says the certificate has been revoked, the authentication will
		# fail with an error:
		# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
		# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
		# Alternatively, CRLs may follow a file naming convention:
		# the hash of the issuer subject name
		# and a suffix that depends on the serial number.
		# eg ab1331b2.r0, ab1331b2.r1 etc.
		# You can find out the hash of the issuer name in a CRL with
		# openssl crl -in crl.pem -hash -noout
		# CRLs with this name convention
		# will be searched in EAPTLS_CAPath, else in the openssl
		# certificates directory typically /usr/local/openssl/certs/
		# CRLs are expected to be in PEM format.
		# A CRL file can be generated with openssl like this:
		# openssl ca -gencrl -revoke cert-clt.pem
		# openssl ca -gencrl -out crl.pem
		# Use of these flags requires Net_SSLeay-1.21 or later
		#EAPTLS_CRLCheck
		#EAPTLS_CRLFile %D/certificates/crl.pem
		#EAPTLS_CRLFile %D/certificates/revocations.pem

		# Some clients, depending on their configuration, may require you to specify
		# MPPE send and receive keys. This _will_ be required if you select
		# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
		# client Network Properties dialog.
		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
		# in the final Access-Accept
		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
		# in the final Access-Accept
		AutoMPPEKeys

		# You can enable some warning messages from the Net::SSLeay
		# module by setting SSLeayTrace to an integer from 1 to 4
		# 1=ciphers, 2=trace, 3=dump data
		SSLeayTrace 4

		# You can configure the User-Name that will be used for the inner
		# authentication. Defaults to 'anonymous'. This can be useful
		# when proxying the inner authentication. If there is a realm, it can
		# be used to choose a local Realm to handle the inner authentication.
		# %0 is replaced with the EAP identity
		EAPAnonymous %0

		# You can enable or disable support for TTLS Session Resumption and
		# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
		# Default is enabled
		#EAPTLS_SessionResumption 0

		# You can limit how long after the initial session that a session can be resumed
		# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
		# (12 hours)
		#EAPTLS_SessionResumptionLimit 10
		EAPTLS_PEAPVersion 1
		EAPTLS_PEAPBrokenV1Label
	</AuthBy>
</Handler>


Note the use of "EAPAnonymous %0" in the AuthBy FILE above.

The "users.anonymous" file above just needs something like this:


# users.anonymous

anonymous  Password = this.will.never.match.any.password


hope that helps

regards

Hugh
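As an added illustration (not part of Hugh's post and not Radiator's own code), the following Python model walks one PEAP authentication through the two configurations discussed in this thread: John's single catch-all <Handler> with AuthBy LSA and EAPAnonymous left at its default, and the split <Handler TunnelledByPEAP = 1> / <Handler> pair with EAPAnonymous %0. It reproduces the User-Name that the AuthBy LSA Group check is given in each case. The parameter names (TunnelledByPEAP, EAPAnonymous, Group, Domain, DefaultDomain) and the routine name crack_name are taken from the page; the Request and Handler classes, the MEDPRIV membership table, the dispatch loop, and the assumption that every AuthBy LSA with Group parameters applies its group check to each request it receives are constructed here for the example.

```python
"""Added illustration, not Radiator's own code: a model of the outer and
inner requests of one PEAP authentication, the Handler each one reaches,
and the identity that AuthBy LSA's Group check is given.  Parameter names
(TunnelledByPEAP, EAPAnonymous, Group, Domain, DefaultDomain) and the
routine name crack_name come from the page; the classes, the membership
table and the dispatch loop are constructed here."""
from dataclasses import dataclass
from typing import Optional

ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed membership table for the example: domain -> group -> members.
GROUPS = {
    "MEDPRIV": {
        "Domain Users": {"romanjoh", "alice"},
        "Administrators": {"alice"},
    },
}


def crack_name(user: str, domain: Optional[str] = None, default_domain: str = ""):
    """Split DOMAIN\\user or user@domain into (domain, username).
    Domain, when set, is always used; DefaultDomain applies only when the
    user supplied none; the empty string stands for the local machine."""
    if "\\" in user:
        given, name = user.split("\\", 1)
    elif "@" in user:
        name, given = user.rsplit("@", 1)
    else:
        given, name = "", user
    if domain is not None:
        return domain, name
    return (given or default_domain), name


def user_is_in_group(user: str, group: str, **dom) -> bool:
    domain, name = crack_name(user, **dom)
    return name in GROUPS.get(domain, {}).get(group, set())


def check_groups(user: str, groups, **dom) -> bool:
    """AuthBy LSA rule from the config comments: with one or more Group
    parameters the user must be in at least one; with none, no check."""
    return not groups or any(user_is_in_group(user, g, **dom) for g in groups)


@dataclass
class Request:
    user_name: str            # RADIUS User-Name the Handler sees
    tunnelled_by_peap: bool   # True for the inner (decrypted) request


@dataclass
class Handler:
    name: str
    tunnelled_by_peap: Optional[bool]  # None: no check item, matches any request
    groups: tuple = ()                 # Group parameters of its AuthBy LSA, if any


def peap_requests(outer_identity: str, eap_identity: str, eap_anonymous: str):
    """Outer request: the User-Name the supplicant sent in the clear.
    Inner request: User-Name built from EAPAnonymous, where %0 expands to
    the EAP identity sent inside the TLS tunnel."""
    inner = eap_anonymous.replace("%0", eap_identity)
    return [Request(outer_identity, False), Request(inner, True)]


def select_handler(req: Request, handlers) -> Optional[Handler]:
    """The first Handler whose check item matches wins, so the catch-all
    <Handler> must be listed after <Handler TunnelledByPEAP = 1>."""
    for h in handlers:
        if h.tunnelled_by_peap is None or h.tunnelled_by_peap == req.tunnelled_by_peap:
            return h
    return None


def authenticate(handlers, eap_identity, eap_anonymous="anonymous",
                 outer_identity="anonymous"):
    """Dispatch both requests and return (handler, User-Name, result) for
    each.  Assumption of this model: every AuthBy LSA with Group parameters
    applies its group check to each request it receives; passwords are not
    modelled at all."""
    trace = []
    for req in peap_requests(outer_identity, eap_identity, eap_anonymous):
        h = select_handler(req, handlers)
        if h is None:
            trace.append(("<no handler>", req.user_name, REJECT))
            continue
        ok = check_groups(req.user_name, h.groups)
        trace.append((h.name, req.user_name, ACCEPT if ok else REJECT))
    return trace


# John's configuration: one catch-all Handler with AuthBy LSA and Group
# parameters, EAPAnonymous left at its default, so the inner User-Name is
# "anonymous" and never matches any group member.
SINGLE = [Handler("lsa", None, ("Administrators", "Domain Users"))]

# Hugh's configuration: the inner request goes to AuthBy LSA under the
# EAP identity (EAPAnonymous %0), the outer one to the AuthBy FILE Handler.
SPLIT = [Handler("inner-lsa", True, ("Administrators", "Domain Users")),
         Handler("outer-file", None)]

if __name__ == "__main__":
    for label, cfg, anon in (("single", SINGLE, "anonymous"), ("split", SPLIT, "%0")):
        for handler, user, result in authenticate(cfg, r"MEDPRIV\romanjoh", anon):
            print(f"{label:6} {handler:11} User-Name={user:17} {result}")
```

Running it prints one line per request. Under the single-Handler configuration the group check is handed User-Name anonymous, matching the "Username anonymous" in John's debug lines, and rejects; under the split configuration the inner request carries MEDPRIV\romanjoh and the check against Domain Users succeeds. Handler order matters: select_handler takes the first match, so a catch-all Handler listed before the TunnelledByPEAP one would swallow the inner request as well.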


On 8 Aug 2006, at 05:08, romanjoh at msnotes.wustl.edu wrote:

> Thanks for the patch. However, I have tested it out and I have  
> still not been able to authenticate using AuthBy LSA and groups.  
> The problem (as I understand it to be) is that the attempts to  
> check if a user is a member of a group always uses the username of  
> anonymous. I have put in a bit of debugging code and sniffed the  
> connection between the RADIUS server and the domain controllers and  
> the evidence is consistent. Details below for those interested.
>
> The question then is how does one get the real username to pass to  
> the GroupIsMember call?
>
> ---
> Evidence from the tests:
>
> I made changes to two routines in AuthLSA.pm:
>
> #####################################################################
> # Check if the user is in the global group
> sub userIsInGroup
> {
>     my ($self, $user, $group) = @_;
>
>     require Win32::NetAdmin;
>     import Win32::NetAdmin;
>
>     my ($domain, $username) = $self->crack_name($user);
>     # Find the controller to use
>     my $controller = $self->{DomainController};
>     if (!defined $controller)
>     {
>         $controller = $self->{controllers}{$domain};
>         if (!defined $controller)
>         {
>             &Win32::NetAdmin::GetDomainController(undef, $domain, $controller);
>             $self->{controllers}{$domain} = $controller;
>         }
>     }
> --->    $self->log($main::LOG_DEBUG, "Group: $group Controller $controller User $user Username $username");
>     return &Win32::NetAdmin::GroupIsMember($controller, $group, $username)
>         || &Win32::NetAdmin::LocalGroupIsMember($controller, $group, $username);
> }
>
> #####################################################################
> # We subclass this to do special checks: there are no check items
> # except the password, and only if it's not an EAP
> sub checkUserAttributes
> {
>     my ($self, $user, $p) = @_;
>
>     my $userName = $p->getUserName();
>
>     # Check for required group membership
>     if (defined $self->{Group})
>     {
>         my $ismember;
>         foreach (@{$self->{Group}})
>         {
>             $ismember++, last if $self->userIsInGroup($userName, $_);
>         }
> -->     return ($main::REJECT, "AuthBy LSA LUser $user $userName is not a member of any Group")
>             unless $ismember;
>     }
>
>     # Short circuit authentication in EAP requests ?
>     return ($main::ACCEPT)
>         if $p->getAttrByNum($Radius::Radius::EAP_MESSAGE);
>
>     return ($main::ACCEPT) if $self->check_password($p, $p->decodedPassword(), $userName);
>     return ($main::REJECT, 'AuthBy LSA Password check failed');
> }
>
> (the lines I changed/added are marked -->; the extra capital el is a slip of the finger)
>
> Here are the appropriate log snippets. The debug line in
> userIsInGroup produces the lines that indicate the Groups
> (Administrators, Domain Users) but the username is anonymous rather
> than romanjoh as needed.
>
> Mon Aug 7 13:45:58 2006: DEBUG: Handling request with Handler ''
> Mon Aug 7 13:45:58 2006: DEBUG: Deleting session for anonymous, 10.39.151.231, 877
> Mon Aug 7 13:45:58 2006: DEBUG: Handling with Radius::AuthLSA:
> Mon Aug 7 13:45:58 2006: DEBUG: Handling with EAP: code 2, 9, 71
> Mon Aug 7 13:45:58 2006: DEBUG: Response type 26
> Mon Aug 7 13:45:58 2006: DEBUG: Radius::AuthLSA looks for match with MEDPRIV\romanjoh [anonymous]
> Mon Aug 7 13:45:58 2006: DEBUG: Group: Administrators Controller \\MEDPRIVDC2 User anonymous Username anonymous
> Mon Aug 7 13:45:58 2006: DEBUG: Group: Domain Users Controller \\MEDPRIVDC2 User anonymous Username anonymous
> Mon Aug 7 13:45:58 2006: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA LUser Radius::User=HASH(0x1c48ba4) anonymous is not a member of any Group: MEDPRIV\romanjoh [anonymous]
> Mon Aug 7 13:45:58 2006: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user MEDPRIV\romanjoh
> Mon Aug 7 13:45:58 2006: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user MEDPRIV\romanjoh
> Mon Aug 7 13:45:58 2006: INFO: Access rejected for anonymous: EAP MSCHAP V2 failed: no such user MEDPRIV\romanjoh
> Mon Aug 7 13:45:58 2006: DEBUG: Returned PEAP tunnelled packet dump:
>
> Here is the complete config file (renamed to radius.cfg, since we are installed and running as a Windows service)
>
> # lsa_eap_multi.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # PAP, EAP-TTLS and EAP-PEAP authentication as used by Windows XP
> # (starting with SP1) using AuthBy LSA and Microsoft Active Directory.
> #
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate Wireless PEAP users from a Windows LSA, which
> # permits authentication against any Windows Active Directory Domain
> # or NT Domain.
> # It will accept requests from any client and try to handle requests
> # for any realm.
> # To use this LSA, Radiator must be run on Windows as Administrator,
> # or as a user that has the 'Act as part of the operating system' security policy
> # enabled.
> # Note: AuthBy LSA is _only_ available on Windows 2000, 2003 and XP (not Home edition).
> #
> # To use this example, Radiator must be run on Windows as Administrator,
> # or as a user that has the 'Act as part of the operating system' security policy
> # enabled. This is not possible with Windows XP Home edition.
> #
> # Requires the Win32-Lsa perl module from Open System Consultants.
> # Install the Win32-Lsa perl module using PPM and ActivePerl 5.6.1 like this:
> # ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
> #
> # Users will only be authenticated if they have the 'Access this computer from the network'
> # security policy enabled. Their other account restrictions will also be checked
> # CHAP passwords can only be authenticated if the user has their
> # 'Store password using reversible encryption' option enabled in their Account
> #
> # In order to test this, you can use the sample test certificates
> # supplied with Radiator. For production, you
> # WILL need to install a real valid server certificate and
> # key for Radiator to use. Runs with openssl on Unix and Windows.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # Requires openssl and Net_SSLeay.
> #
> # You should consider this file to be a starting point only
> # $Id: lsa_eap_multi.cfg,v 1.2 2006/01/16 00:07:32 mikem Exp $
>
> LogDir	 c:\Program Files\Radiator
> DbDir	 c:\Program Files\Radiator
> AuthPort	1812
> AcctPort	1813
> # Use a lower trace level in production systems:
> Trace 4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> Secret	xxxxxxxx
> DupInterval 0
> </Client>
>
> # This clause handles Radius PAP, CHAP, MSCHAP and MSCHAPV2 and also
> # handles the outer and inner requests for TTLS and PEAP. You can use
> # it to authenticate almost anything against Microsoft Active Directory
> <Handler>
> <AuthBy LSA>
> # Specifies which Windows Domain is ALWAYS to be used to authenticate
> # users (even if they specify a different domain in their username).
> # Empty string means the local machine only
> # Special characters are supported. Can be an Active
> # directory domain or a Windows NT domain controller
> # domain name
> # Empty string (the default) means the local machine
> #Domain OPEN
>
> # Specifies the Windows Domain to use if the user does not
> # specify a domain in their username.
> # Special characters are supported. Can be an Active
> # directory domain or a Windows NT domain controller
> # domain name
> # Empty string (the default) means the local machine
> #DefaultDomain OPEN
>
> # You can check whether each user is the member of a windows group
> # with the Group parameter. If more than one Group is specified, then the
> # user must be a member of at least one of them. Requires Win32::NetAdmin
> # (which is installed by default with ActivePerl). If no Group
> # parameters are specified, then Group checks will not be performed.
> Group Administrators
> Group Domain Users
>
> # You can specify which domain controller will be used to check group
> # membership with the DomainController parameter. If no Group parameters
> # are specified, DomainController will not be used. Defaults to
> # empty string, meaning the default controller of the host where this
> # instance of Radiator is running.
> #DomainController zulu
>
>
> # EAPType sets the EAP type(s) that Radiator will honour.
> # Options are: MD5-Challenge, One-Time-Password
> # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> # Multiple types can be comma separated. With the default (most
> # preferred) type given first
> EAPType PEAP, TTLS, MSCHAP-V2
>
> # EAPTLS_CAFile is the name of a file of CA certificates
> # in PEM format. The file can contain several CA certificates
> # Radiator will first look in EAPTLS_CAFile then in
> # EAPTLS_CAPath, so there usually is no need to set both
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
> # EAPTLS_CAPath is the name of a directory containing CA
> # certificates in PEM format. The files each contain one
> # CA certificate. The files are looked up by the CA
> # subject name hash value
> #	 EAPTLS_CAPath
>
> # EAPTLS_CertificateFile is the name of a file containing
> # the servers certificate. EAPTLS_CertificateType
> # specifies the type of the file. Can be PEM or ASN1
> # defaults to ASN1
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
>
> # EAPTLS_PrivateKeyFile is the name of the file containing
> # the servers private key. It is sometimes in the same file
> # as the server certificate (EAPTLS_CertificateFile)
> # If the private key is encrypted (usually the case)
> # then EAPTLS_PrivateKeyPassword is the key to decrypt it
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
>
> # EAPTLS_RandomFile is an optional file containing
> # randomness
> #	 EAPTLS_RandomFile %D/certificates/random
>
> # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> # size that will be replied by Radiator. It must be small
> # enough to fit in a single Radius request (ie less than 4096)
> # and still leave enough space for other attributes
> # Aironet APs seem to need a smaller MaxFragmentSize
> # (eg 1024) than the default of 2048. Others need even smaller sizes.
> EAPTLS_MaxFragmentSize 1000
>
> # EAPTLS_DHFile if set specifies the DH group file. It
> # may be required if you need to use ephemeral DH keys.
> #	 EAPTLS_DHFile %D/certificates/cert/dh
>
>
> # If EAPTLS_CRLCheck is set and the client presents a certificate
> # then Radiator will look for a certificate revocation list (CRL)
> # for the certificate issuer
> # when authenticating each client. If a CRL file is not found, or
> # if the CRL says the certificate has been revoked, the authentication will
> # fail with an error:
> # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
> # Alternatively, CRLs may follow a file naming convention:
> # the hash of the issuer subject name
> # and a suffix that depends on the serial number.
> # eg ab1331b2.r0, ab1331b2.r1 etc.
> # You can find out the hash of the issuer name in a CRL with
> # openssl crl -in crl.pem -hash -noout
> # CRLs with this name convention
> # will be searched in EAPTLS_CAPath, else in the openssl
> # certificates directory typically /usr/local/openssl/certs/
> # CRLs are expected to be in PEM format.
> # A CRL file can be generated with openssl like this:
> # openssl ca -gencrl -revoke cert-clt.pem
> # openssl ca -gencrl -out crl.pem
> # Use of these flags requires Net_SSLeay-1.21 or later
> #EAPTLS_CRLCheck
> #EAPTLS_CRLFile %D/certificates/crl.pem
> #EAPTLS_CRLFile %D/certificates/revocations.pem
>
> # Some clients, depending on their configuration, may require you to specify
> # MPPE send and receive keys. This _will_ be required if you select
> # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
> # client Network Properties dialog.
> # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> # in the final Access-Accept
> AutoMPPEKeys
>
> # You can enable some warning messages from the Net::SSLeay
> # module by setting SSLeayTrace to an integer from 1 to 4
> # 1=ciphers, 2=trace, 3=dump data
> SSLeayTrace 4
>
> # You can configure the User-Name that will be used for the inner
> # authentication. Defaults to 'anonymous'. This can be useful
> # when proxying the inner authentication. If there is a realm, it can
> # be used to choose a local Realm to handle the inner authentication.
> # %0 is replaced with the EAP identity
> # EAPAnonymous anonymous at some.other.realm
>
> # You can enable or disable support for TTLS Session Resumption and
> # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> # Default is enabled
> #EAPTLS_SessionResumption 0
>
> # You can limit how long after the initial session that a session can be resumed
> # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
> # (12 hours)
> #EAPTLS_SessionResumptionLimit 10
> EAPTLS_PEAPVersion 1
> EAPTLS_PEAPBrokenV1Label
> </AuthBy>
> </Handler>
>
> Hugh Irvine <hugh at open.com.au>
> Sent by: owner-radiator at open.com.au
> 08/02/2006 06:28 PM
> To: romanjoh at msnotes.wustl.edu
> cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Support for Microsoft groups with AuthBy LSA
>
> Hello John -
>
> We have just added some additional group checking in AuthBy LSA -
> perhaps you could test it for us?
>
> The patches are available in the Radiator 3.15 patch set.
>
> thanks and regards
>
> Hugh
>
>
> On 2 Aug 2006, at 23:25, romanjoh at msnotes.wustl.edu wrote:
>
> > Here is a link that explains the three types of group:
> >
> > http://technet2.microsoft.com/WindowsServer/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
> >
> > The highlights: "There are three group scopes: universal, global,
> > and domain local.
> >
> > Members of universal groups can include other groups and accounts
> > from any domain in the domain tree or forest and can be assigned
> > permissions in any domain in the domain tree or forest.
> >
> > Members of global groups can include other groups and accounts only
> > from the domain in which the group is defined and can be assigned
> > permissions in any domain in the forest.
> >
> > Members of domain local groups can include other groups and
> > accounts from Windows Server 2003, Windows 2000, or Windows NT
> > domains and can be assigned permissions only within a domain."
> >
> >
> > Here is another link:
> > http://www.samspublishing.com/articles/article.asp?p=98126&seqNum=2&rl=1
> >
> > Our need is to permit wireless access to members of a group. The
> > group is in one domain (the forest root domain) and the users are
> > in subdomains in that forest. This requires the use of universal
> > groups rather than global groups. I have just exhausted my
> > understanding of things Microsoft since I come from the networking
> > side, but if you have more questions let me know. I do wonder what
> > is the difference between global and universal groups that they are
> > treated differently in the system call below.
> >
> > Many thanks,
> >
> > john
> >
> > Hugh Irvine <hugh at open.com.au>
> > 08/02/2006 03:41 AM
> > To: romanjoh at msnotes.wustl.edu
> > cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) Support for Microsoft groups with AuthBy LSA
> >
> >
> > Hello John -
> >
> > At the moment Radiator only supports Global groups - but can you
> > point us to some description of Universal groups?
> >
> > regards
> >
> > Hugh
> >
> >
> > On 2 Aug 2006, at 02:42, romanjoh at msnotes.wustl.edu wrote:
> >
> > > We are evaluating Radiator to replace another Radius server, and
> > > our need is to be able to authenticate users by Microsoft groups.
> > > Specifically, we need support for universal groups. Three types of
> > > Microsoft groups: Domain Local Groups, Global Groups, and Universal
> > > Groups.
> > >
> > > The documentation indicates in 5.51.7 that "Only Global groups are
> > > supported" for Groups in AuthBy LSA. The Perl code is:
> > > Win32::NetAdmin::GroupIsMember($controller, $group, $username) in
> > > AuthLSA.pm. I have not been able to tell from the ActiveState/
> > > Win32::NetAdmin documentation which types of groups are supported.
> > >
> > > Does this mean (as it appears) that Universal Groups are not
> > > supported? Does anyone have any experience or knowledge?
> > >
> > >
> > > John Roman
> > >
> > > jroman at wustl.edu
> > > Manager, Network Services
> > > Washington University
> > > Box 8132
> > > 660 S Euclid Avenue
> > > Saint Louis, MO 63110
> > > 314-362-7334
> >
> >
> >
> >
> >
> >
>
>
>
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

