[RADIATOR] wireless to radius to ldap
Hugh Irvine
hugh at open.com.au
Mon Nov 2 03:39:01 CST 2009
Hello Zod -
You would use an AuthBy FILE for the "outer" requests and an AuthBy
LDAP2 clause for the "inner" requests.
regards
Hugh
On 2 Nov 2009, at 14:29, Zod Mansour wrote:
> And how do I integrate ldap into eap_multi.cfg? Replace AuthBy File
> with AuthBy LDAP2?
> If I don't put the keyword NoEAP my openldap complains that it
> cannot do eap. So my guess is that I need for the radius to
> translate whatever authentication it receives to clear text and then
> send it to openldap.
>
> I will send a verbose debug output tomorrow.
>
> thx,
> Zod
>
> On Oct 30, 2009, at 1:12 AM, Hugh Irvine wrote:
>
>>
>> Hello Zod -
>>
>> I will need to see a more complete debug to say much, but 802.1x is
>> EAP, so you will have to configure EAP.
>>
>> I suggest you start with something like "goodies/eap_multi.cfg".
>>
>> regards
>>
>> Hugh
>>
>>
>> On 30 Oct 2009, at 09:06, Zod Mansour wrote:
>>
>>> I have done as much as I could with the radiator. Environment:
>>> Hosts: Mac, Linux, Windows
>>> Wireless: Cisco 2106
>>> Radius: Radiator
>>> Ldap: Openldap
>>> Auth: 802.1x
>>>
>>> So the clients need to authenticate against ldap. I get an Access-
>>> Reject. It looks like I can extract the password from the ldap and
>>> to
>>> the radius but then the matching breaks due to the mismatch of the
>>> encryption? Anyone?
>>>
>>>
>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling request with Handler
>>> 'Client-
>>> Identifier=default-handler'
>>> Thu Oct 29 14:47:58 2009: DEBUG: Deleting session for zod,
>>> 10.10.19.35, 6
>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling with Radius::AuthLDAP2:
>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server
>>> localhost:389
>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got result for
>>> uid=zod,ou=People,dc=reachlocal,dc=com
>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got userPassword: {crypt}
>>> $1$G5nM1ydp$1/J.oGhql3P.c7aYXswu20
>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 looks for match
>>> with zod [zod]
>>> Thu Oct 29 14:47:58 2009: WARNING: No CHAP-Password or User-Password
>>> in request: does your dictionary have User-Password in it?
>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 REJECT: Bad
>>> Password: zod [zod]
>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server
>>> localhost:389
>>> Thu Oct 29 14:47:58 2009: DEBUG: No entries for DEFAULT found in
>>> LDAP
>>> database
>>> Thu Oct 29 14:47:58 2009: DEBUG: AuthBy LDAP2 result: REJECT, Bad
>>> Password
>>> Thu Oct 29 14:47:58 2009: INFO: Access rejected for zod: Bad
>>> Password
>>> Thu Oct 29 14:47:58 2009: DEBUG: Packet dump:
>>> *** Sending to 10.10.19.35 port 32768 ....
>>>
>>> Packet length = 36
>>> 03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad
>>> 5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65
>>> 6e 69 65 64
>>> Code: Access-Reject
>>> Identifier: 122
>>> Authentic: <22><240><154><156>-<0>K<225><30><159>b<173>[<253>7<220>
>>> Attributes:
>>> Reply-Message = "Request Denied"
>>>
>>>
>>>
>>> Here are my config files.
>>>
>>> radius.cfg:
>>>
>>> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>>>
>>> Foreground
>>> LogStdout
>>> LogDir /var/log/radius
>>> DbDir /etc/radiator
>>> # Use a low trace level in production systems. Increase
>>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>>> #Trace 3
>>> Trace 5
>>>
>>> # You will probably want to add other Clients to suit your site,
>>> # one for each NAS you want to work with
>>> <Client DEFAULT>
>>> Secret testing123
>>> Identifier default-handler
>>> DupInterval 0
>>> </Client>
>>>
>>> <Handler Client-Identifier=default-handler>
>>> <AuthBy LDAP2>
>>> Host localhost
>>> Port 389
>>> BaseDN dc=reachlocal,dc=com
>>> # see /etc/openldap/slapd.conf
>>> AuthDN cn=Manager, dc=rmydomain, dc=com
>>> AuthPassword mypass
>>> UsernameAttr uid
>>> #EncryptedPasswordAttr cryptpw
>>> PasswordAttr userPassword
>>> #PasswordAttr passwd
>>> #SearchFilter
>>> #EAPType LEAP
>>> NoEAP
>>> StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-
>>> Group-
>>> ID, Filter-Id, cisco-avpair
>>> #AddToReply Tunnel-Medium-Type=802,Tunnel-Pvt-Group-ID=28,Tunnel-
>>> Type=VLAN
>>> AddToReply
>>> TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>>> </AuthBy>
>>> </Handler>
>>>
>>>
>>> Also are these AddToReply correct for setting up vlans and getting
>>> 802.1x going?
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator
>> )?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator
)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
More information about the radiator
mailing list