[RADIATOR] wireless to radius to ldap
Zod Mansour
zod at reachlocal.com
Mon Nov 2 10:47:53 CST 2009
Then I am probably not understanding the setup quite well. I thought
that I could use either File or LDAP. So apparently I have to use
both. Can you please give me a sample of using both together? I am
assuming I will need the File to handle the authentication part and
then the LDAP2 for the credentials? As I explained I have Macs,
Windows, and Linux clients. I am trying to make this as painless as
possible for both the admins and the users. So I thought LEAP is the
easiest. I am using Radiator and OpenLDAP. Can you please give me a
sample file to use the File and LDAP2? You have already seen how I use
the AuthBy LDAP2 below. If I don't use NoEAP my OpenLDAP gets pissed
off. So I probably need to talk to LDAP in the clear. Which is okay.
The radiator and openldap are running on the same machine.
Thx,
Zod
On Nov 2, 2009, at 1:39 AM, Hugh Irvine wrote:
>
> Hello Zod -
>
> You would use an AuthBy FILE for the "outer" requests and an AuthBy
> LDAP2 clause for the "inner" requests.
>
> regards
>
> Hugh
>
>
> On 2 Nov 2009, at 14:29, Zod Mansour wrote:
>
>> And how do I integrate ldap into eap_multi.cfg? Replace AuthBy File
>> with AuthBy LDAP2?
>> If I don't put the keyword NoEAP my openldap complains that it
>> cannot do eap. So my guess is that I need for the radius to
>> translate whatever authentication it receives to clear text and
>> then send it to openldap.
>>
>> I will send a verbose debug output tomorrow.
>>
>> thx,
>> Zod
>>
>> On Oct 30, 2009, at 1:12 AM, Hugh Irvine wrote:
>>
>>>
>>> Hello Zod -
>>>
>>> I will need to see a more complete debug to say much, but 802.1x
>>> is EAP, so you will have to configure EAP.
>>>
>>> I suggest you start with something like "goodies/eap_multi.cfg".
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 30 Oct 2009, at 09:06, Zod Mansour wrote:
>>>
>>>> I have done as much as I could with the radiator. Environment:
>>>> Hosts: Mac, Linux, Windows
>>>> Wireless: Cisco 2106
>>>> Radius: Radiator
>>>> Ldap: Openldap
>>>> Auth: 802.1x
>>>>
>>>> So the clients need to authenticate against ldap. I get an Access-
>>>> Reject. It looks like I can extract the password from the ldap
>>>> and to
>>>> the radius but then the matching breaks due to the mismatch of the
>>>> encryption? Anyone?
>>>>
>>>>
>>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling request with Handler 'Client-Identifier=default-handler'
>>>> Thu Oct 29 14:47:58 2009: DEBUG: Deleting session for zod, 10.10.19.35, 6
>>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling with Radius::AuthLDAP2:
>>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got result for uid=zod,ou=People,dc=reachlocal,dc=com
>>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got userPassword: {crypt}$1$G5nM1ydp$1/J.oGhql3P.c7aYXswu20
>>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 looks for match with zod [zod]
>>>> Thu Oct 29 14:47:58 2009: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
>>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: zod [zod]
>>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>>>> Thu Oct 29 14:47:58 2009: DEBUG: No entries for DEFAULT found in LDAP database
>>>> Thu Oct 29 14:47:58 2009: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
>>>> Thu Oct 29 14:47:58 2009: INFO: Access rejected for zod: Bad Password
>>>> Thu Oct 29 14:47:58 2009: DEBUG: Packet dump:
>>>> *** Sending to 10.10.19.35 port 32768 ....
>>>>
>>>> Packet length = 36
>>>> 03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad
>>>> 5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65
>>>> 6e 69 65 64
>>>> Code: Access-Reject
>>>> Identifier: 122
>>>> Authentic: <22><240><154><156>-<0>K<225><30><159>b<173>[<253>7<220>
>>>> Attributes:
>>>> Reply-Message = "Request Denied"
>>>>
>>>>
>>>>
>>>> Here are my config files.
>>>>
>>>> radius.cfg:
>>>>
>>>> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>>>>
>>>> Foreground
>>>> LogStdout
>>>> LogDir /var/log/radius
>>>> DbDir /etc/radiator
>>>> # Use a low trace level in production systems. Increase
>>>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>>>> #Trace 3
>>>> Trace 5
>>>>
>>>> # You will probably want to add other Clients to suit your site,
>>>> # one for each NAS you want to work with
>>>> <Client DEFAULT>
>>>> Secret testing123
>>>> Identifier default-handler
>>>> DupInterval 0
>>>> </Client>
>>>>
>>>> <Handler Client-Identifier=default-handler>
>>>> <AuthBy LDAP2>
>>>> Host localhost
>>>> Port 389
>>>> BaseDN dc=reachlocal,dc=com
>>>> # see /etc/openldap/slapd.conf
>>>> AuthDN cn=Manager, dc=rmydomain, dc=com
>>>> AuthPassword mypass
>>>> UsernameAttr uid
>>>> #EncryptedPasswordAttr cryptpw
>>>> PasswordAttr userPassword
>>>> #PasswordAttr passwd
>>>> #SearchFilter
>>>> #EAPType LEAP
>>>> NoEAP
>>>> StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
>>>> #AddToReply Tunnel-Medium-Type=802,Tunnel-Pvt-Group-ID=28,Tunnel-Type=VLAN
>>>> AddToReply TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>>>> </AuthBy>
>>>> </Handler>
>>>>
>>>>
>>>> Also are these AddToReply correct for setting up vlans and getting
>>>> 802.1x going?
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>
>>> --
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> Includes support for reliable RADIUS transport (RadSec),
>>> and DIAMETER translation agent.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database
>>> independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like
>>> systems.
>>>
>>>
>>
>
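One way to lay out the outer/inner split Hugh describes, added here as an example and not taken from the thread or from Radiator's goodies directory: EAP-TTLS is terminated by an AuthBy FILE in the outer Handler, and the tunnelled PAP request is checked against OpenLDAP by AuthBy LDAP2. The users file, certificate paths, AuthDN and every secret are assumed placeholders.

```apache
# Added example, not from the thread or from Radiator's goodies directory.
# The outer Handler terminates EAP-TTLS; the tunnelled PAP request is
# then checked against OpenLDAP. All paths and secrets are placeholders.

LogDir /var/log/radius
DbDir /etc/radiator
Trace 4

<Client DEFAULT>
    Secret testing123
    Identifier default-handler
</Client>

# Inner requests. Radiator re-dispatches the tunnelled request with the
# pseudo-attribute TunnelledByTTLS=1, and the first Handler that matches
# in file order wins, so this one must precede the catch-all below.
# NoEAP is correct here: the inner request carries User-Password, not
# EAP-Message, so a plain match against the {crypt} userPassword works.
<Handler TunnelledByTTLS=1>
    <AuthBy LDAP2>
        Host localhost
        Port 389
        BaseDN dc=reachlocal,dc=com
        AuthDN cn=Manager,dc=reachlocal,dc=com
        AuthPassword mypass
        UsernameAttr uid
        PasswordAttr userPassword
        NoEAP
    </AuthBy>
</Handler>

# Outer requests. AuthBy FILE runs the EAP conversation and the TLS
# tunnel; the users file (assumed) only needs an entry for the anonymous
# outer identity, so no real credentials live in it.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType TTLS
        EAPTLS_CAFile %D/certificates/cacert.pem
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/server.pem
        EAPTLS_PrivateKeyPassword changeme
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
        EAPAnonymous anonymous
    </AuthBy>
</Handler>
```

LEAP and PEAP/MSCHAP-V2 are challenge/response methods that need the plaintext password or an NT hash on the server side, so they cannot be verified against the {crypt} value shown in the debug above; a PAP inner method inside TTLS is the combination that works with the directory as it stands.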