(RADIATOR) LDAP2 servercheckpassword

Hugh Irvine hugh at open.com.au
Wed Jun 18 03:07:23 CDT 2008


Hello Barry -

Yes, this can be a bit confusing, due to the fact that it is the bind  
that is returning an accept, not the password check.

Can you send me a more complete copy of your configuration file and a  
more complete trace 4 debug showing both a successful local  
authentication and a remote authentication.

You can also add "Debug 255" to your AuthBy LDAP2 clause to get more  
debugging when you run radiusd from the command line like this (using  
your local pathnames of course):

	cd /your/Radiator/source/distribution

	perl radiusd -foreground -log_stdout -trace 4 -config_file /your/Radiator/configuration/file

	.....


regards

Hugh


On 18 Jun 2008, at 07:01, Barry Ard wrote:

> I am having problems getting eduroam working in our environment.  
> We use radiator to successfully authenticate local users using PEAP  
> and EAP-TTLS eap types. Our handlers authenticate against an ldap  
> directory server that stores nthash passwords in the case of PEAP  
> and bind to ldap in the case of TTLS. This works locally.
>
> The TTLS handler looks like:
>
> <AuthBy LDAP2>
>    Identifier              LDAPAuthTTLS
>    Host                    directory.srv.ualberta.ca
>    BaseDN                  ou=people,dc=ualberta,dc=ca
>    HoldServerConnection
>    ServerChecksPassword
>    UsernameMatchesWithoutRealm yes
>    UseSSL
>    SSLVerify               require
>    SSLCAPath               /etc/ssl/certs
>
>    EAPType                 TTLS
>    EAPTLS_CAPath           /etc/ssl/certs
>    EAPTLS_CertificateType  PEM
>    EAPTLS_CertificateFile  /etc/ssl/public/%h.crt
>    EAPTLS_PrivateKeyFile   /etc/ssl/private/%h.key
>    EAPTLS_RandomFile       %D/random
>    EAPTLS_MaxFragmentSize  1024
>    EAPTTLS_NoAckRequired
>    AutoMPPEKeys
> </AuthBy>
>
>
> Now that I am trying to get eduroam working, remote clients, using  
> TTLS give this error in the log:
>
>
> Tue Jun 17 14:27:30 2008: DEBUG: EAP TTLS inner authentication  
> request for XXXXXXXX at ualberta.ca
> Tue Jun 17 14:27:30 2008: DEBUG: Handling request with Handler  
> 'TunnelledByTTLS=1, Realm=/ualberta\.ca/i'
> Tue Jun 17 14:27:30 2008: DEBUG:  Deleting session for  
> XXXXXXXX at ualberta.ca, 136.159.77.203,
> Tue Jun 17 14:27:30 2008: DEBUG: Handling with Radius::AuthLDAP2:  
> LDAPAuthTTLS
> Tue Jun 17 14:27:30 2008: INFO: Connecting to  
> directory.srv.ualberta.ca:636
> Tue Jun 17 14:27:30 2008: INFO: Attempting to bind to LDAP server  
> directory.srv.ualberta.ca:636
> Tue Jun 17 14:27:30 2008: DEBUG: LDAP got result for  
> uid=XXXXXXXX,ou=people,dc=ualberta,dc=ca
> Tue Jun 17 14:27:30 2008: DEBUG: LDAP got cn: XXXXXXXX
> Tue Jun 17 14:27:30 2008: DEBUG: LDAP got gidNumber: 99
> Tue Jun 17 14:27:30 2008: DEBUG: LDAP got givenName: XXXXXXXX
> Tue Jun 17 14:27:30 2008: DEBUG: LDAP got homeDirectory: /afs/ 
> ualberta.ca/home/a/p/XXXXXXXX
> Tue Jun 17 14:27:30 2008: DEBUG: LDAP got mail: XXXXXXXX at ualberta.ca
> Tue Jun 17 14:27:30 2008: DEBUG: LDAP got sn: XXXXXXXX
> Tue Jun 17 14:27:30 2008: DEBUG: LDAP got uid: XXXXXXXX
> Tue Jun 17 14:27:30 2008: DEBUG: LDAP got uidNumber: 33657
> Tue Jun 17 14:27:30 2008: DEBUG: LDAP got displayName: XXXXXXXX
> Tue Jun 17 14:27:30 2008: DEBUG: Radius::AuthLDAP2 looks for match  
> with XXXXXXXX [XXXXXXXX at ualberta.ca]
> Tue Jun 17 14:27:30 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad  
> Encrypted password: XXXXXXXX [XXXXXXXX at ualberta.ca]
> Tue Jun 17 14:27:30 2008: DEBUG: No entries for DEFAULT found in  
> LDAP database
> Tue Jun 17 14:27:30 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad  
> Encrypted password
> Tue Jun 17 14:27:30 2008: INFO: Access rejected for  
> XXXXXXXX at ualberta.ca: Bad Encrypted password
>
> I should note that PEAP isn't working at this point either but I  
> thought if a handler specifies 'ServerCheckPassword' and the log  
> shows a successful bind then authentication is successful. What's  
> up with:
> Radius::AuthLDAP2 looks for match with XXXXXXXX [XXXXXXXX at ualberta.ca]
> Radius::AuthLDAP2 REJECT: Bad Encrypted password: XXXXXXXX  
> [XXXXXXXX at ualberta.ca]
>
> -- 
> =================================================================
> Barry Ard                                   barry.ard at ualberta.ca
> Network Operations
> Academic Information and Communication Technologies (AICT)
> University of Alberta
> Edmonton, Alberta   Canada
>
> This communication is intended for the use of the recipient to  
> which it
> is addressed, and may contain confidential, personal, and/or  
> privileged
> information.  Please contact us immediately if you are not the  
> intended
> recipient of this communication.  If you are not the intended  
> recipient
> of this communication, do not copy, distribute, or take action on it.
> Any communication received in error, or subsequent reply, should be
> deleted or destroyed.
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

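To separate the two things Hugh's reply distinguishes, the bind and the password check, here is an added example that is not Radiator code and not from either poster. It walks the trace 4 lines of one inner TTLS request and reports whether the final REJECT followed a local password comparison in Radiator (the "looks for match with" line followed by "REJECT: Bad Encrypted password") or came without one. The patterns are written against the exact lines quoted in the thread; the sample trace is reconstructed from that quote with "@" restored where the archive prints " at " and most fetched attributes dropped. Reading "looks for match with" as a local comparison is an inference from that trace, and the verdicts for ACCEPT or for a reject with no comparison line are assumptions, not documented Radiator behaviour.

```python
"""Triage one AuthBy LDAP2 decision in a Radiator trace 4 log.

Added example (not Radiator code, not from the thread's posters). The
patterns below match the exact DEBUG/INFO lines quoted in the thread;
treating "looks for match with" as a local password comparison is an
inference from that trace, and the other verdicts are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the thread's trace with "@" restored (the archive
# rewrites it as " at ") and most of the fetched attributes dropped.
SAMPLE_TRACE = """\
Tue Jun 17 14:27:30 2008: DEBUG: EAP TTLS inner authentication request for XXXXXXXX@ualberta.ca
Tue Jun 17 14:27:30 2008: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/ualberta\\.ca/i'
Tue Jun 17 14:27:30 2008: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthTTLS
Tue Jun 17 14:27:30 2008: INFO: Connecting to directory.srv.ualberta.ca:636
Tue Jun 17 14:27:30 2008: INFO: Attempting to bind to LDAP server directory.srv.ualberta.ca:636
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got result for uid=XXXXXXXX,ou=people,dc=ualberta,dc=ca
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got uid: XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got mail: XXXXXXXX@ualberta.ca
Tue Jun 17 14:27:30 2008: DEBUG: Radius::AuthLDAP2 looks for match with XXXXXXXX [XXXXXXXX@ualberta.ca]
Tue Jun 17 14:27:30 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: XXXXXXXX [XXXXXXXX@ualberta.ca]
Tue Jun 17 14:27:30 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
Tue Jun 17 14:27:30 2008: INFO: Access rejected for XXXXXXXX@ualberta.ca: Bad Encrypted password
"""

RE_INNER = re.compile(r"inner authentication request for (\S+)")
RE_HANDLER = re.compile(r"Handling request with Handler '(.*)'")
RE_AUTHBY = re.compile(r"Handling with Radius::AuthLDAP2: (\S+)")
RE_BIND = re.compile(r"Attempting to bind to LDAP server (\S+)")
RE_DN = re.compile(r"LDAP got result for (\S+)")
RE_ATTR = re.compile(r"LDAP got (\w+): (.*)$")
RE_COMPARE = re.compile(r"Radius::AuthLDAP2 looks for match with")
RE_RESULT = re.compile(r"AuthBy LDAP2 result: (ACCEPT|REJECT|IGNORE)(?:, (.*))?$")


@dataclass
class Ldap2Decision:
    user: str = ""
    handler: str = ""
    authby: str = ""
    bind_server: str = ""        # server named in "Attempting to bind"
    dn: str = ""                 # DN of the entry the search returned
    attrs: dict = field(default_factory=dict)
    local_compare: bool = False  # "looks for match with" was logged
    result: str = ""
    reason: str = ""

    def verdict(self) -> str:
        if self.result == "ACCEPT":
            return "accepted"
        if self.result == "REJECT" and self.local_compare:
            # The entry was found and Radiator compared the password itself
            # after the bind, so the reject came from that comparison.
            return "rejected by local password comparison after the bind"
        if self.result == "REJECT":
            # Assumption: no comparison line means the lookup itself failed.
            return "rejected with no local password comparison"
        return "no AuthBy LDAP2 result found"


def triage(trace: str) -> Ldap2Decision:
    """Fold the lines of one request into an Ldap2Decision."""
    d = Ldap2Decision()
    for line in trace.splitlines():
        if m := RE_INNER.search(line):
            d.user = m.group(1)
        elif m := RE_HANDLER.search(line):
            d.handler = m.group(1)
        elif m := RE_AUTHBY.search(line):
            d.authby = m.group(1)
        elif m := RE_BIND.search(line):
            d.bind_server = m.group(1)
        elif m := RE_DN.search(line):
            d.dn = m.group(1)
        elif m := RE_ATTR.search(line):
            d.attrs[m.group(1)] = m.group(2)
        elif RE_COMPARE.search(line):
            d.local_compare = True
        elif m := RE_RESULT.search(line):
            d.result, d.reason = m.group(1), m.group(2) or ""
    return d


if __name__ == "__main__":
    d = triage(SAMPLE_TRACE)
    print(f"{d.user}: handler={d.handler!r} authby={d.authby}")
    print(f"  bind to {d.bind_server}, entry {d.dn}, attrs {sorted(d.attrs)}")
    print(f"  {d.result} ({d.reason}): {d.verdict()}")
```

Run it over one request's worth of lines from a foreground `-trace 4` run; on the quoted trace it reports the bind target, the DN the search returned, the attributes fetched, and that the REJECT followed a local comparison rather than coming from the bind.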
