[RADIATOR] wireless to radius to ldap

Zod Mansour zod at reachlocal.com
Sun Nov 1 21:29:46 CST 2009


And how do I integrate ldap into eap_multi.cfg? Replace AuthBy File with AuthBy LDAP2?
If I don't put the keyword NoEAP my openldap complains that it cannot do eap. So my guess is that I need for the radius to translate whatever authentication it receives to clear text and then send it to openldap.

I will send a verbose debug output tomorrow.

thx,
Zod

On Oct 30, 2009, at 1:12 AM, Hugh Irvine wrote:

>
> Hello Zod -
>
> I will need to see a more complete debug to say much, but 802.1x is  
> EAP, so you will have to configure EAP.
>
> I suggest you start with something like "goodies/eap_multi.cfg".
>
> regards
>
> Hugh
>
>
> On 30 Oct 2009, at 09:06, Zod Mansour wrote:
>
>> I have done as much as I could with the radiator. Environment:
>> Hosts: Mac, Linux, Windows
>> Wireless: Cisco 2106
>> Radius: Radiator
>> Ldap: Openldap
>> Auth: 802.1x
>>
>> So the clients need to authenticate against ldap. I get an Access-Reject. It looks like I can extract the password from the ldap and to the radius but then the matching breaks due to the mismatch of the encryption? Anyone?
>>
>>
>> Thu Oct 29 14:47:58 2009: DEBUG: Handling request with Handler 'Client-Identifier=default-handler'
>> Thu Oct 29 14:47:58 2009: DEBUG:  Deleting session for zod, 10.10.19.35, 6
>> Thu Oct 29 14:47:58 2009: DEBUG: Handling with Radius::AuthLDAP2:
>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got result for uid=zod,ou=People,dc=reachlocal,dc=com
>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got userPassword: {crypt}$1$G5nM1ydp$1/J.oGhql3P.c7aYXswu20
>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 looks for match with zod [zod]
>> Thu Oct 29 14:47:58 2009: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: zod [zod]
>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>> Thu Oct 29 14:47:58 2009: DEBUG: No entries for DEFAULT found in LDAP database
>> Thu Oct 29 14:47:58 2009: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
>> Thu Oct 29 14:47:58 2009: INFO: Access rejected for zod: Bad Password
>> Thu Oct 29 14:47:58 2009: DEBUG: Packet dump:
>> *** Sending to 10.10.19.35 port 32768 ....
>>
>> Packet length = 36
>> 03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad
>> 5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65
>> 6e 69 65 64
>> Code:       Access-Reject
>> Identifier: 122
>> Authentic:  <22><240><154><156>-<0>K<225><30><159>b<173>[<253>7<220>
>> Attributes:
>> 	Reply-Message = "Request Denied"
>>
>>
>>
>> Here are my config files.
>>
>> radius.cfg:
>>
>> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>>
>> Foreground
>> LogStdout
>> LogDir		/var/log/radius
>> DbDir		/etc/radiator
>> # Use a low trace level in production systems. Increase
>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>> #Trace 		3
>> Trace 		5
>>
>> # You will probably want to add other Clients to suit your site,
>> # one for each NAS you want to work with
>> <Client DEFAULT>
>> 	Secret	testing123
>> 	Identifier default-handler
>> 	DupInterval 0
>> </Client>
>>
>> <Handler Client-Identifier=default-handler>
>> 	<AuthBy LDAP2>
>> 		Host localhost
>> 		Port 389
>> 		BaseDN dc=reachlocal,dc=com
>>                # see /etc/openldap/slapd.conf
>> 		AuthDN          cn=Manager, dc=rmydomain, dc=com
>> 		AuthPassword    mypass
>> 		UsernameAttr uid
>> 		#EncryptedPasswordAttr cryptpw
>> 		PasswordAttr userPassword
>> 		#PasswordAttr passwd
>> 		#SearchFilter
>> 		#EAPType LEAP
>> 		NoEAP
>> 		StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
>> 		#AddToReply Tunnel-Medium-Type=802,Tunnel-Pvt-Group-ID=28,Tunnel-Type=VLAN
>> 		AddToReply TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>> 	</AuthBy>
>> </Handler>
>>
>>
>> Also are these AddToReply correct for setting up vlans and getting
>> 802.1x going?
>>
>>
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
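The debug above fails because the request is EAP, so there is no User-Password to compare with the {crypt} hash fetched from LDAP; and a one-way hash can only ever serve PAP-style checks (PAP, or EAP-TTLS with inner PAP), never CHAP or the MS-CHAPv2 that PEAP normally carries. The small Python check below is added here to make that mapping concrete; it is not from the thread or from Radiator, the scheme/method table reflects how PAP, CHAP and MS-CHAPv2 verify passwords in general, and every hash used in the test is constructed.

```python
import base64
import hashlib

# Which RADIUS password-checking methods each OpenLDAP userPassword storage
# scheme can serve. PAP-style checks (PAP, EAP-TTLS with inner PAP) receive the
# clear-text password, so the server can re-hash it under any one-way scheme.
# CHAP needs the clear-text password on the server; MS-CHAPv2 (PEAP's usual
# inner method) needs the clear text or the NT hash. A {crypt} or {SSHA} entry
# therefore cannot satisfy CHAP or MS-CHAPv2 at all. (General mapping, not a
# statement about any particular server's feature set.)
PAP_SCHEMES = {"cleartext", "crypt", "sha", "ssha", "md5", "smd5", "nthash"}
CHAP_SCHEMES = {"cleartext"}
MSCHAPV2_SCHEMES = {"cleartext", "nthash"}


def parse_userpassword(value: str):
    """Split an RFC 2307 style '{SCHEME}data' value; no prefix means clear text."""
    if value.startswith("{") and "}" in value:
        scheme, data = value[1:].split("}", 1)
        return scheme.lower(), data
    return "cleartext", value


def supported_methods(value: str) -> dict:
    """Report which methods a stored userPassword value can be checked against."""
    scheme, _ = parse_userpassword(value)
    return {
        "PAP / EAP-TTLS(PAP)": scheme in PAP_SCHEMES,
        "CHAP": scheme in CHAP_SCHEMES,
        "MS-CHAPv2 / PEAP(MS-CHAPv2)": scheme in MSCHAPV2_SCHEMES,
    }


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_pap(value: str, password: str) -> bool:
    """PAP-style check of a clear-text password against {SSHA}, {SHA} or clear text."""
    scheme, data = parse_userpassword(value)
    if scheme == "cleartext":
        return data == password
    if scheme == "ssha":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, salt follows
        return hashlib.sha1(password.encode() + salt).digest() == digest
    if scheme == "sha":
        return base64.b64decode(data) == hashlib.sha1(password.encode()).digest()
    # {crypt} and others would need the platform crypt(3) routine; not covered here.
    raise NotImplementedError(f"scheme {scheme!r} not handled in this example")
```

The same logic is what decides whether an EAP deployment with hashed LDAP passwords must use EAP-TTLS/PAP, or switch the directory to clear-text or NT-hash storage to support PEAP/MS-CHAPv2.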
