[RADIATOR] wireless to radius to ldap

Hugh Irvine hugh at open.com.au
Mon Nov 2 03:28:59 CST 2009


Hello Zod -

Please include a copy of your configuration file with the debug.

regards

Hugh


On 2 Nov 2009, at 14:29, Zod Mansour wrote:

> And how do I integrate ldap into eap_multi.cfg? Replace AuthBy File with AuthBy LDAP2?
> If I don't put the keyword NoEAP my openldap complains that it cannot do eap. So my guess is that I need the radius to translate whatever authentication it receives to clear text and then send it to openldap.
>
> I will send a verbose debug output tomorrow.
>
> thx,
> Zod
>
> On Oct 30, 2009, at 1:12 AM, Hugh Irvine wrote:
>
>>
>> Hello Zod -
>>
>> I will need to see a more complete debug to say much, but 802.1x is EAP, so you will have to configure EAP.
>>
>> I suggest you start with something like "goodies/eap_multi.cfg".
>>
>> regards
>>
>> Hugh
>>
>>
>> On 30 Oct 2009, at 09:06, Zod Mansour wrote:
>>
>>> I have done as much as I could with the radiator. Environment:
>>> Hosts: Mac, Linux, Windows
>>> Wireless: Cisco 2106
>>> Radius: Radiator
>>> Ldap: Openldap
>>> Auth: 802.1x
>>>
>>> So the clients need to authenticate against ldap. I get an Access-Reject. It looks like I can extract the password from ldap into
>>> the radius, but then the matching breaks due to the mismatch of the encryption? Anyone?
>>>
>>>
>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling request with Handler 'Client-Identifier=default-handler'
>>> Thu Oct 29 14:47:58 2009: DEBUG:  Deleting session for zod, 10.10.19.35, 6
>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling with Radius::AuthLDAP2:
>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got result for uid=zod,ou=People,dc=reachlocal,dc=com
>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got userPassword: {crypt}$1$G5nM1ydp$1/J.oGhql3P.c7aYXswu20
>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 looks for match with zod [zod]
>>> Thu Oct 29 14:47:58 2009: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: zod [zod]
>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>>> Thu Oct 29 14:47:58 2009: DEBUG: No entries for DEFAULT found in LDAP database
>>> Thu Oct 29 14:47:58 2009: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
>>> Thu Oct 29 14:47:58 2009: INFO: Access rejected for zod: Bad Password
>>> Thu Oct 29 14:47:58 2009: DEBUG: Packet dump:
>>> *** Sending to 10.10.19.35 port 32768 ....
>>>
>>> Packet length = 36
>>> 03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad
>>> 5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65
>>> 6e 69 65 64
>>> Code:       Access-Reject
>>> Identifier: 122
>>> Authentic:  <22><240><154><156>-<0>K<225><30><159>b<173>[<253>7<220>
>>> Attributes:
>>> 	Reply-Message = "Request Denied"
>>>
>>>
>>>
>>> Here are my config files.
>>>
>>> radius.cfg:
>>>
>>> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>>>
>>> Foreground
>>> LogStdout
>>> LogDir		/var/log/radius
>>> DbDir		/etc/radiator
>>> # Use a low trace level in production systems. Increase
>>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>>> #Trace 		3
>>> Trace 		5
>>>
>>> # You will probably want to add other Clients to suit your site,
>>> # one for each NAS you want to work with
>>> <Client DEFAULT>
>>> 	Secret	testing123
>>> 	Identifier default-handler
>>> 	DupInterval 0
>>> </Client>
>>>
>>> <Handler Client-Identifier=default-handler>
>>> 	<AuthBy LDAP2>
>>> 		Host localhost
>>> 		Port 389
>>> 		BaseDN dc=reachlocal,dc=com
>>> 		# see /etc/openldap/slapd.conf
>>> 		AuthDN          cn=Manager, dc=rmydomain, dc=com
>>> 		AuthPassword    mypass
>>> 		UsernameAttr uid
>>> 		#EncryptedPasswordAttr cryptpw
>>> 		PasswordAttr userPassword
>>> 		#PasswordAttr passwd
>>> 		#SearchFilter
>>> 		#EAPType LEAP
>>> 		NoEAP
>>> 		StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
>>> 		#AddToReply Tunnel-Medium-Type=802,Tunnel-Pvt-Group-ID=28,Tunnel-Type=VLAN
>>> 		AddToReply TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>>> 	</AuthBy>
>>> </Handler>
>>>
>>>
>>> Also are these AddToReply correct for setting up vlans and getting
>>> 802.1x going?
>>>
>>>
>>>
>>>
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> -- 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>



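An added illustration of why the trace above ends in "No CHAP-Password or User-Password in request" (my own example, not Radiator's code): md5_crypt re-implements the $1$ scheme behind the {crypt} userPassword in the trace, and check_request is a hypothetical stand-in for the PasswordAttr comparison. With a PAP User-Password the stored hash can be recomputed and compared; an EAP request carries only EAP-Message, so there is nothing to hash, which is the mismatch Zod is seeing and why EAP has to be configured.

```python
import hashlib
import hmac

# Assumption: check_request is a hypothetical stand-in for AuthBy LDAP2's
# PasswordAttr check; md5_crypt re-implements the $1$ scheme, not Radiator's code.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v: int, n: int) -> str:
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out

def md5_crypt(password: bytes, salt: bytes) -> str:
    """Classic $1$ MD5-crypt: returns '$1$<salt>$<22 chars>'."""
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # stretching rounds of the original algorithm
        c = hashlib.md5(password if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(password)
        c.update(final if r & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$1$" + salt.decode() + "$" + out + _to64(final[11], 2)

def check_request(user_password, stored: str) -> str:
    """stored is the LDAP userPassword; user_password is the RADIUS User-Password or None."""
    if not stored.startswith("{crypt}$1$"):
        return "REJECT: unsupported password scheme"
    if user_password is None:  # the EAP case in the trace: nothing to compare
        return "REJECT: No CHAP-Password or User-Password in request"
    digest = stored[len("{crypt}"):]
    salt = digest.split("$")[2].encode()
    ok = hmac.compare_digest(md5_crypt(user_password.encode(), salt), digest)
    return "ACCEPT" if ok else "REJECT: Bad Password"
```

The same reasoning applies to any one-way hash stored in LDAP: an inner EAP method that delivers a clear-text password (or clear-text storage) is needed before the comparison can succeed.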



