[RADIATOR] Issue replicating config

Chris Rosan Chris.Rosan at europcar.com.au
Sun Aug 10 17:17:04 CDT 2008


Hugh,

It works on the existing server. It was doing a username re-write (I
think this is what's not working).

I think I may be missing some of the installation. Possibly a Perl
module, but I can't see what's causing it.

Chris Rosan
Systems Administrator
Europcar Australasia
157 Mickleham Rd
Tullamarine
VIC 3043
Australia
Ph:    +61 3 9330 6114
Fax:   +61 3 9335 7614
Mob:  +61 410 612 031
Email: chris.rosan at europcar.com.au


-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: Wednesday, 30 July 2008 5:51 PM
To: Chris Rosan
Cc: radiator at open.com.au
Subject: Re: Issue replicating config


Hello Chris -

There is no realm suffix on the username that you are testing.

regards

Hugh


On 30 Jul 2008, at 12:44, Chris Rosan wrote:

> Dear list/Open folks,
> I'm trying to replicate the config of my Radiator server (3.17.1-1  
> on Redhat 4) for a cold DR server and I'm not having much luck.
> A previous staff member of mine set it up to do username re-writes  
> for new realms and to perform LDAP queries off our active directory  
> for these realms. This is the bit that I can't get working.
> The bits of the config file that apply are:
>
>
> # VPN realm check
>
> <Realm>
>         <AuthBy INTERNAL>
>                 DefaultResult REJECT
>                 AcctResult ACCEPT
>         </AuthBy>
> </Realm>
>
> #################
> #AD-LDAP section#
> #################
> # When authenticated with AuthByLDAP, the description
> # field in a handler corresponds to the group CN in LDAP
>
> # The LDAP authentication
> <AuthBy LDAP2>
>         Identifier AuthByLDAP
>
>         #Debug 255
>
>         # LDAP bind
>         Host AD-DOMAIN-Controller
>         HoldServerConnection
>         Timeout 4
>         Port 3268
>         AuthDN cn=bind-user,cn=Users,dc=ad-domain,dc=domain,dc=com,dc=au
>         AuthPassword bind-password
>
>         # The client authentication
>         ServerChecksPassword
>         UsernameAttr sAMAccountName
>         BaseDN ou=All Users, ad-domain,dc=domain,dc=com,dc=au
>         AuthAttrDef sAMAccountName,GENERIC,request
>         AuthAttrDef memberOf,GENERIC,request
>         PostSearchHook file:"%D/hooks/ldap_groups.pl"
> </AuthBy>
>
> # VPN users
>
> <Handler NAS-IP-Address=192.168.0.1,Realm=ad.domain.com.au>
>         Description AU Remote Access - VPN
>         RewriteUsername s/\@ad\.domain\.com\.au//
>         AuthBy AuthByLDAP
> </Handler>
> Trace 4 output (doesn't talk at ALL about the AD Domain):
> Sun Jul 13 22:50:31 2008: DEBUG: Packet dump:
> *** Received from 192.168.0.1 port 1025 ....
> Code:       Access-Request
> Identifier: 7
> Authentic:  8<17>vw<228>M<2><19>PINo|<5>Z<139>
> Attributes:
>         User-Name = "chris rosan"
>         User-Password = 1[<20>~<240>D!<248><229>*<133>V<172><21>K<161>
>         NAS-IP-Address = 192.168.0.1
>         NAS-Port = 15
>         NAS-Port-Type = Virtual
>
> Sun Jul 13 22:50:31 2008: DEBUG: Handling request with Handler 'Realm='
> Sun Jul 13 22:50:31 2008: DEBUG:  Deleting session for chris rosan, 192.168.0.1, 15
> Sun Jul 13 22:50:31 2008: DEBUG: Handling with AuthINTERNAL:
> Sun Jul 13 22:50:31 2008: DEBUG: AuthBy INTERNAL result: REJECT, Fixed by DefaultResult
> Sun Jul 13 22:50:31 2008: INFO: Access rejected for chris rosan: Fixed by DefaultResult
> Sun Jul 13 22:50:31 2008: DEBUG: Packet dump:
> *** Sending to 192.168.0.1 port 1025 ....
> Code:       Access-Reject
> Identifier: 7
> Authentic:  8<17>vw<228>M<2><19>PINo|<5>Z<139>
> Attributes:
>         Reply-Message = "Request Denied"
>
> I LITERALLY copied the config files over from the "live" server and  
> started Radius (with other bits such as Perl modules for Mysql DB  
> etc). Everything else works except this.
> Can anyone make a suggestion on the cause?
> Cheers.
>
> Chris
>
>
>
> This e-mail and any files attached to it are confidential and
> intended solely for the use of the individual or entity to
> whom they are addressed. If you have received this e-mail
> inadvertently or you are not the intended recipient, you may
> not distribute, copy or in any way rely on it. Further, you
> should notify the sender immediately and delete the e-mail
> from your computer. The contents and opinions contained in
> this e-mail are those of the individual sender unless they
> are expressly stated to be those of Europcar. Whilst we have
> taken precautions to alert us to the presence of computer
> viruses, we cannot and do not guarantee that this email and
> any files transmitted with it are free from such viruses.
>
>
> This email was scanned for your safety and protection from
> virus's and offensive content.
> mailmarshal at europcar.com.au
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
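Worked example (added here; it is not part of the thread and not Radiator's own code): a small Python model of the fall-through that the trace above shows. The handlers are transcribed from the posted config, the realm is taken to be whatever follows the last "@" in User-Name (assumed delimiter), and the RewriteUsername rule is applied as a Perl-style s/pattern/replacement/. The "result" field is a stand-in for what each handler would return; the real VPN handler would consult LDAP instead.

```python
"""Constructed model of realm-based Handler selection in a RADIUS server.

Modelled on the behaviour visible in the posted config and trace; this is
not Radiator's implementation. Sample requests below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

REALM_DELIMITER = "@"  # assumption: realm is the text after the last '@'


@dataclass
class Handler:
    name: str                       # label as it would appear in the trace
    nas_ip: Optional[str] = None    # NAS-IP-Address=... check; None means any
    realm: Optional[str] = None     # Realm=... check; "" matches a bare username
    rewrite: Optional[str] = None   # RewriteUsername s/pattern/replacement/
    result: str = "ACCEPT"          # stand-in for what the AuthBy would return


def realm_of(username: str) -> str:
    """Return the realm suffix of a username, or '' when it has none."""
    _head, sep, tail = username.rpartition(REALM_DELIMITER)
    return tail if sep else ""


def apply_rewrite(rule: str, username: str) -> str:
    """Apply a Perl-style s/pattern/replacement/ rule to the username."""
    m = re.fullmatch(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/", rule)
    if not m:
        raise ValueError(f"unsupported rewrite rule: {rule}")
    pattern, replacement = m.group(1), m.group(2)
    return re.sub(pattern, replacement, username)


def select_handler(request: dict, handlers: list) -> Handler:
    """First handler whose check items all match wins (config order)."""
    realm = realm_of(request["User-Name"])
    for h in handlers:
        if h.nas_ip is not None and h.nas_ip != request.get("NAS-IP-Address"):
            continue
        if h.realm is not None and h.realm != realm:
            continue
        return h
    raise LookupError("no handler matched")


def handle(request: dict, handlers: list) -> dict:
    """Pick a handler, apply its rewrite, report which path the request took."""
    h = select_handler(request, handlers)
    username = request["User-Name"]
    if h.rewrite:
        username = apply_rewrite(h.rewrite, username)
    return {"handler": h.name, "username": username, "result": h.result}


# Handlers transcribed from the posted config, in config order
HANDLERS = [
    # <Realm> with no name: catches usernames without a realm, DefaultResult REJECT
    Handler(name="Realm=", realm="", result="REJECT"),
    # <Handler NAS-IP-Address=192.168.0.1,Realm=ad.domain.com.au>
    Handler(name="AU Remote Access - VPN", nas_ip="192.168.0.1",
            realm="ad.domain.com.au",
            rewrite=r"s/\@ad\.domain\.com\.au//", result="ACCEPT"),
]


def demo():
    """Constructed requests: the bare username from the trace, and a suffixed one."""
    bare = {"User-Name": "chris rosan", "NAS-IP-Address": "192.168.0.1"}
    suffixed = {"User-Name": "chris rosan@ad.domain.com.au",
                "NAS-IP-Address": "192.168.0.1"}
    return handle(bare, HANDLERS), handle(suffixed, HANDLERS)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Run it and the bare "chris rosan" lands on the catch-all Realm= handler and is rejected, exactly as in the trace, while "chris rosan@ad.domain.com.au" matches the VPN handler and is rewritten back to "chris rosan" before the LDAP lookup would run. The rewrite is therefore only ever applied after the realm has already selected the handler, which is why a test without the suffix never reaches it.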




