[RADIATOR] Issue replicating config
Hugh Irvine
hugh at open.com.au
Wed Jul 30 02:51:08 CDT 2008
Hello Chris -
There is no realm suffix on the username that you are testing.
regards
Hugh
On 30 Jul 2008, at 12:44, Chris Rosan wrote:
> Dear list/Open folks,
> I’m trying to replicate the config of my Radiator server (3.17.1-1
> on Redhat 4) for a cold DR server and I’m not having much luck.
> A previous staff member of mine set it up to do username re-writes
> for new realms and to perform LDAP queries off our active directory
> for these realms. This is the bit that I can’t get working.
> The bits of the config file that apply are:
>
>
> # VPN realm check
>
> <Realm>
> <AuthBy INTERNAL>
> DefaultResult REJECT
> AcctResult ACCEPT
> </AuthBy>
> </Realm>
>
> #################
> #AD-LDAP section#
> #################
> # When authenticated with AuthByLDAP, the description
> # field in a handler corresponds to the group CN in LDAP
>
> # The LDAP authentication
> <AuthBy LDAP2>
> Identifier AuthByLDAP
>
> #Debug 255
>
> # LDAP bind
> Host AD-DOMAIN-Controller
> HoldServerConnection
> Timeout 4
> Port 3268
> AuthDN cn=bind-user,cn=Users,dc=ad-domain,dc=domain,dc=com,dc=au
> AuthPassword bind-password
>
> # The client authentication
> ServerChecksPassword
> UsernameAttr sAMAccountName
> BaseDN ou=All Users, ad-domain,dc=domain,dc=com,dc=au
> AuthAttrDef sAMAccountName,GENERIC,request
> AuthAttrDef memberOf,GENERIC,request
> PostSearchHook file:"%D/hooks/ldap_groups.pl"
> </AuthBy>
>
> VPN users
>
> <Handler NAS-IP-Address=192.168.0.1,Realm=ad.domain.com.au>
> Description AU Remote Access - VPN
> RewriteUsername s/\@ad\.domain\.com\.au//
> AuthBy AuthByLDAP
> </Handler>
> Trace 4 output (doesn’t talk at ALL about the AD Domain):
> Sun Jul 13 22:50:31 2008: DEBUG: Packet dump:
> *** Received from 192.168.0.1 port 1025 ....
> Code: Access-Request
> Identifier: 7
> Authentic: 8<17>vw<228>M<2><19>PINo|<5>Z<139>
> Attributes:
> User-Name = "chris rosan"
> User-Password = 1[<20>~<240>D!<248><229>*<133>V<172><21>K<161>
> NAS-IP-Address = 192.168.0.1
> NAS-Port = 15
> NAS-Port-Type = Virtual
>
> Sun Jul 13 22:50:31 2008: DEBUG: Handling request with Handler 'Realm='
> Sun Jul 13 22:50:31 2008: DEBUG: Deleting session for chris rosan, 192.168.0.1, 15
> Sun Jul 13 22:50:31 2008: DEBUG: Handling with AuthINTERNAL:
> Sun Jul 13 22:50:31 2008: DEBUG: AuthBy INTERNAL result: REJECT, Fixed by DefaultResult
> Sun Jul 13 22:50:31 2008: INFO: Access rejected for chris rosan: Fixed by DefaultResult
> Sun Jul 13 22:50:31 2008: DEBUG: Packet dump:
> *** Sending to 192.168.0.1 port 1025 ....
> Code: Access-Reject
> Identifier: 7
> Authentic: 8<17>vw<228>M<2><19>PINo|<5>Z<139>
> Attributes:
> Reply-Message = "Request Denied"
>
> I LITERALLY copied the config files over from the “live” server and
> started Radius (with other bits such as Perl modules for Mysql DB
> etc). Everything else works except this.
> Can anyone make a suggestion on the cause?
> Cheers.
>
> Chris
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
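Hugh's diagnosis can be checked by modelling the two clauses from the posted config. The following Python is an added example, not Radiator code and not part of the original thread; it assumes Radiator's default behaviour of taking the realm as whatever follows the last "@" in User-Name, and it simplifies clause selection to "first clause whose check items all match" (in this config the ordering does not change the outcome, because only the empty <Realm> clause can match a User-Name with no realm). Clause names, attribute names and the test users are constructed from the posted config and trace.

```python
import re

# Constructed model of the two clauses in the posted config (assumption: not Radiator's own code).
CLAUSES = [
    # The empty <Realm> clause: only matches requests whose User-Name carries no realm.
    {
        "name": "Realm=",
        "checks": {"Realm": ""},
        "rewrite": None,
        "authby": "INTERNAL (DefaultResult REJECT)",
    },
    # The VPN <Handler>: needs both the NAS address and the AD realm suffix to match.
    {
        "name": "NAS-IP-Address=192.168.0.1,Realm=ad.domain.com.au",
        "checks": {"NAS-IP-Address": "192.168.0.1", "Realm": "ad.domain.com.au"},
        # RewriteUsername s/\@ad\.domain\.com\.au// from the config, as a (pattern, replacement) pair
        "rewrite": (r"@ad\.domain\.com\.au", ""),
        "authby": "AuthByLDAP",
    },
]


def split_realm(username):
    """Assumption: the realm is everything after the last '@' (Radiator's default delimiter)."""
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return user, realm
    return username, ""


def select_clause(request, clauses=CLAUSES):
    """Return the first clause whose check items all match the request's attributes."""
    _, realm = split_realm(request["User-Name"])
    attrs = dict(request, Realm=realm)  # Realm is derived from User-Name, not sent by the NAS
    for clause in clauses:
        if all(attrs.get(key) == value for key, value in clause["checks"].items()):
            return clause
    return None


def dispatch(request):
    """Pick the clause for a request and apply its RewriteUsername; returns what would be handled."""
    clause = select_clause(request)
    if clause is None:
        return {"handler": None, "username": request["User-Name"], "authby": None}
    username = request["User-Name"]
    if clause["rewrite"]:
        pattern, replacement = clause["rewrite"]
        username = re.sub(pattern, replacement, username)
    return {"handler": clause["name"], "username": username, "authby": clause["authby"]}


if __name__ == "__main__":
    # Constructed requests: the one from the trace, and the same user with the realm suffix.
    for name in ("chris rosan", "chris rosan@ad.domain.com.au"):
        result = dispatch({"User-Name": name, "NAS-IP-Address": "192.168.0.1"})
        print(f"{name!r:35} -> handler {result['handler']!r}, authby {result['authby']}")
```

The bare username from the trace lands in the empty <Realm> clause and is rejected by AuthBy INTERNAL, exactly as the trace shows; the same user sent as "chris rosan@ad.domain.com.au" matches the VPN handler, has the suffix stripped by RewriteUsername and would go to AuthByLDAP with sAMAccountName "chris rosan".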