(RADIATOR) How to tell if <authby LDAP_APS> is working?
Matt Richard
matt.richard at fandm.edu
Thu Jun 5 14:17:10 CDT 2008
Hi, Warren,
I started using LDAP_APS last year and it's working nicely for me so
far. Thank you for LDAP_APS!
One caveat is that the users need to have Open Directory passwords -
this won't work with crypt passwords.
What wireless product are you using, and what is the authentication
scheme you are using? Your config looks a little light if you are doing
WPA Enterprise or something like that.
You probably won't want an authDN and an authpassword entry because you
are testing the user's credentials with an LDAP bind. authDN and
authpassword are in case you need to authenticate with a system account
to look up the credentials. This won't work because user credentials
are stored in a back-end database that isn't accessible from OSX's LDAP
interface. This also isn't necessary since (by default) OD allows
unauthenticated access to most of the user attributes.
I also have a NoDefault option specified. It's left over from a
previous LDAP2 config and I'm not sure if it still applies. It stops
LDAP2 from connecting with uid=DEFAULT for some reason I forgot a long
time ago.
Best,
Matt
Warren Bishop wrote:
> I am pretty new to all this stuff, so if this is a stupid question I am
> sorry. I really need to know how to tell if this is checking my Apple OD.
> My final goal is to have all of our Colubris equipment point to the
> RADIUS server for authentication, so all our OD users can use their current
> credentials to log onto the wireless. I have changed admin account names and
> passwords for obvious reasons. But is this correct for using Apple OD to
> authenticate? And how do I test that it is working?
>
> Thanks for any and all help, Warren
>
>
>
>
> # radius.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # a simple system. You can then add and change features.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration as required.
> #
> # This example will authenticate from a standard users file in
> # DbDir/users and log accounting to LogDir/detail.
> #
> # It will accept requests from any client and try to handle request
> # for any realm.
> #
> # You should consider this file to be a starting point only
> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>
> #Foreground
> #LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 3
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <Realm DEFAULT>
> <AuthBy LDAP_APS>
> Host radiustest
>
> AuthDN uid=diradmin,cn=users,dc=radiustest,dc=sd5,dc=bc,dc=ca
> Authpassword secret
>
> BaseDN dc=radiustest,dc=sd5,dc=bc,dc=ca
>
> UsernameAttr uid
>
> PasswordAttr authAuthority
>
> HoldServerConnection
>
> Version 3
>
> EAPType TTLS, MSCHAP-V2
>
> </AuthBy>
>
> # Log accounting to a detail file
> AcctLogFileName %L/detail
> </Realm>
>
> <ServerHTTP>
>
> Port 9048
>
> Trace 4
>
> Username admin
>
> Password secret
>
> #Privilege Levels:
> # 0 means no access, including no login permission.
> # 1 means viewing basic status only
> # 2 means ability to reset the server
> # 4 means the ability to edit and change the running config (but not
> # save it)
> # 8 means the ability to save changes to the config
> # 15 means all privileges
> # Defaults to 1
>
> DefaultPrivilegeLevel 15
>
> # Clients let you limit which clients you will accept connections from
> # You can specify one or more comma or space separated IP's
> # Using this adds security.
> # Clients 127.0.0.1, ?.?.?.?
>
> Clients 127.0.0.1
>
> # AuditTrail logs all changes and editing operations.
>
> AuditTrail %D/audit.txt
>
> # Log file to log users that log into the HTTP interface.
>
> <AuthLog FILE>
> Filename %L/authlog
> </AuthLog>
>
> </ServerHTTP>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
--
Matt Richard '08
Access and Security Coordinator
Computing Services
Franklin & Marshall College
matt.richard at fandm.edu
(717) 291-4157
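Added example (not from either poster and not Radiator's own code): a small stand-alone PAP tester for the question "how do I tell it is working?". Radiator ships its own test client, radpwtst, for this; the script below does the same job without depending on it, so the packet format and the checks are visible. It builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 describes, sends it to the server, and verifies the Response Authenticator of the reply, so an Access-Accept that was not produced with your shared secret is reported as a failure rather than a success. Assumptions: the server name `radiustest` and secret `mysecret` are the placeholders from the quoted radius.cfg, the user name and password on the command line are yours, the NAS-Identifier string `pap-tester` is constructed, and the port defaults to 1645, which is Radiator's default AuthPort when radius.cfg does not set one.

```python
"""Minimal RADIUS PAP tester (added example, not Radiator's radpwtst).

Builds an Access-Request with the User-Password hidden per RFC 2865 s5.2,
sends it over UDP, and checks the Response Authenticator of the reply so a
forged or wrong-secret answer is not mistaken for a real Access-Accept.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: NUL-pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator.  This is obfuscation keyed by the shared secret, not real
    encryption, so only run PAP tests from a host you trust."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def unhide_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the NUL padding."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")


def attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, request_auth=None):
    """Return (packet, request_authenticator).  Pass a fixed 16-byte
    authenticator when a deterministic packet is wanted (e.g. in a test)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(ATTR_NAS_IDENTIFIER, b"pap-tester"))  # constructed identifier
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """What the server does to answer; used here to exercise verify_response offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret, expected_ident):
    """Return (code, authentic).  authentic is False when the reply is too short,
    its ID does not match our request, its length field is wrong, or its
    Response Authenticator was not computed with our shared secret."""
    if len(packet) < 20:
        return None, False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != expected_ident or length != len(packet):
        return code, False
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return code, hmac.compare_digest(expected, packet[4:20])


def radius_pap_auth(server, secret, username, password, port=1645, timeout=5.0):
    """Send one PAP Access-Request and report the verdict as a string."""
    ident = os.urandom(1)[0]
    request, request_auth = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)
    code, authentic = verify_response(reply, request_auth, secret, ident)
    if not authentic:
        return "reply failed Response Authenticator check (wrong shared secret?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "code %d" % code)


if __name__ == "__main__":
    import sys
    # usage: python radius_pap_test.py radiustest mysecret alice 'the-od-password'
    host, secret, user, pw = sys.argv[1:5]
    print(radius_pap_auth(host, secret.encode(), user, pw))
```

Run it once with a real OD account and once with a wrong password; "Access-Accept" then "Access-Reject" shows the <AuthBy LDAP_APS> clause is really consulting Open Directory, and raising Trace to 4 in radius.cfg (as its own comment suggests) shows the request and the LDAP_APS result in the log. A socket timeout means the packet never reached radiusd or no <Client> clause matched it. Two caveats: this exercises the PAP path, whereas the Colubris gear will send EAP-TTLS with MSCHAP-V2 inside the tunnel, a different code path that is best tested from the NAS itself or with wpa_supplicant's eapol_test; and because PAP only obfuscates the password with the shared secret, use a throwaway test account or run the test on a trusted network segment.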