[RADIATOR] wireless to radius to ldap

Hugh Irvine hugh at open.com.au
Tue Nov 3 00:31:55 CST 2009


Hello Zod -

Something like this (see "goodies/eap_multi.cfg"):


.....

# process PEAP inner requests

<Handler TunnelledByPEAP = 1>

	<AuthBy LDAP2>
		.....
	</AuthBy>

</Handler>

# process TTLS inner requests

<Handler TunnelledByTTLS = 1>

	<AuthBy LDAP2>
		.....
	</AuthBy>

</Handler>

# process outer requests
# this only sets up the encrypted tunnel

<Handler>

	<AuthBy FILE>
		.....
	</AuthBy>

</Handler>



regards

Hugh




On 3 Nov 2009, at 03:47, Zod Mansour wrote:

> Then I am probably not understanding the setup quite well. I thought  
> that I could use either File or LDAP. So apparently I have to use  
> both. Can you please give me a sample of using both together? I am  
> assuming I will need the File to handle the authentication part and  
> then the LDAP2 for the credentials? As I explained I have Macs,  
> Windows, and Linux clients. I am trying to make this as painless as  
> possible for both the admins or the users. So I thought LEAP is the  
> easiest. I am using Radiator and OpenLDAP. Can you please give me a  
> sample file to use the File and LDAP2? You have already seen how I  
> use the AuthBy LDAP2 below.  If I don't use NoEAP my OpenLDAP gets  
> pissed off. So I probably need to talk to LDAP in the clear. Which  
> is okay. The radiator and openldap are running on the same machine.
>
> Thx,
> Zod
>
> On Nov 2, 2009, at 1:39 AM, Hugh Irvine wrote:
>
>>
>> Hello Zod -
>>
>> You would use an AuthBy FILE for the "outer" requests and an AuthBy  
>> LDAP2 clause for the "inner" requests.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 2 Nov 2009, at 14:29, Zod Mansour wrote:
>>
>>> And how do I integrate ldap into eap_multi.cfg? Replace AuthBy  
>>> File with AuthBy LDAP2?
>>> If I don't put the keyword NoEAP my openldap complains that it  
>>> cannot do eap. So my guess is that  I need for the radius to  
>>> translate whatever authentication it receives to clear text and  
>>> then send it to openldap.
>>>
>>> I will send a verbose debug output tomorrow.
>>>
>>> thx,
>>> Zod
>>>
>>> On Oct 30, 2009, at 1:12 AM, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Zod -
>>>>
>>>> I will need to see a more complete debug to say much, but 802.1x  
>>>> is EAP, so you will have to configure EAP.
>>>>
>>>> I suggest you start with something like "goodies/eap_multi.cfg".
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 30 Oct 2009, at 09:06, Zod Mansour wrote:
>>>>
>>>>> I have done as much as I could with the radiator. Environment:
>>>>> Hosts: Mac, Linux, Windows
>>>>> Wireless: Cisco 2106
>>>>> Radius: Radiator
>>>>> Ldap: Openldap
>>>>> Auth: 802.1x
>>>>>
>>>>> So the clients need to authenticate against ldap. I get an Access-Reject.
>>>>> It looks like I can extract the password from the ldap and to
>>>>> the radius but then the matching breaks due to the mismatch of the
>>>>> encryption? Anyone?
>>>>>
>>>>>
>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling request with Handler 'Client-Identifier=default-handler'
>>>>> Thu Oct 29 14:47:58 2009: DEBUG:  Deleting session for zod, 10.10.19.35, 6
>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling with Radius::AuthLDAP2:
>>>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>>>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got result for uid=zod,ou=People,dc=reachlocal,dc=com
>>>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got userPassword: {crypt}$1$G5nM1ydp$1/J.oGhql3P.c7aYXswu20
>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 looks for match with zod [zod]
>>>>> Thu Oct 29 14:47:58 2009: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: zod [zod]
>>>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>>>>> Thu Oct 29 14:47:58 2009: DEBUG: No entries for DEFAULT found in LDAP database
>>>>> Thu Oct 29 14:47:58 2009: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
>>>>> Thu Oct 29 14:47:58 2009: INFO: Access rejected for zod: Bad Password
>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Packet dump:
>>>>> *** Sending to 10.10.19.35 port 32768 ....
>>>>>
>>>>> Packet length = 36
>>>>> 03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad
>>>>> 5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65
>>>>> 6e 69 65 64
>>>>> Code:       Access-Reject
>>>>> Identifier: 122
>>>>> Authentic:  <22><240><154><156>-<0>K<225><30><159>b<173>[<253>7<220>
>>>>> Attributes:
>>>>> 	Reply-Message = "Request Denied"
>>>>>
>>>>>
>>>>>
>>>>> Here are my config files.
>>>>>
>>>>> radius.cfg:
>>>>>
>>>>> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>>>>>
>>>>> Foreground
>>>>> LogStdout
>>>>> LogDir		/var/log/radius
>>>>> DbDir		/etc/radiator
>>>>> # Use a low trace level in production systems. Increase
>>>>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>>>>> #Trace 		3
>>>>> Trace 		5
>>>>>
>>>>> # You will probably want to add other Clients to suit your site,
>>>>> # one for each NAS you want to work with
>>>>> <Client DEFAULT>
>>>>> 	Secret	testing123
>>>>> 	Identifier default-handler
>>>>> 	DupInterval 0
>>>>> </Client>
>>>>>
>>>>> <Handler Client-Identifier=default-handler>
>>>>> 	<AuthBy LDAP2>
>>>>> 		Host localhost
>>>>> 		Port 389
>>>>> 		BaseDN dc=reachlocal,dc=com
>>>>> 		# see /etc/openldap/slapd.conf
>>>>> 		AuthDN          cn=Manager, dc=rmydomain, dc=com
>>>>> 		AuthPassword    mypass
>>>>> 		UsernameAttr uid
>>>>> 		#EncryptedPasswordAttr cryptpw
>>>>> 		PasswordAttr userPassword
>>>>> 		#PasswordAttr passwd
>>>>> 		#SearchFilter
>>>>> 		#EAPType LEAP
>>>>> 		NoEAP
>>>>> 		StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
>>>>> 		#AddToReply Tunnel-Medium-Type=802,Tunnel-Pvt-Group-ID=28,Tunnel-Type=VLAN
>>>>> 		AddToReply TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>>>>> 	</AuthBy>
>>>>> </Handler>
>>>>>
>>>>>
>>>>> Also are these AddToReply correct for setting up vlans and getting
>>>>> 802.1x going?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>>
>>
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
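An added illustration of why the request in the quoted trace was rejected, and of what the outer/inner handler split buys. This is example code written for this page, not Radiator code and not part of anyone's message in the thread. It parses the Access-Reject exactly as hex-dumped in the debug output, then classifies what credential a packet carries: a User-Password (PAP) that an AuthBy can decode and compare against a hashed userPassword, a CHAP-Password, or an EAP-Message, which the trace's WARNING "No CHAP-Password or User-Password in request" shows AuthBy LDAP2 cannot use when told NoEAP. The two Access-Requests, the Request Authenticator and the demo password are constructed here; the shared secret testing123 and the user name zod come from the posted radius.cfg.

```python
"""Parse RADIUS packets and say what credential they carry (added example)."""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3                # RFC 2865
REPLY_MESSAGE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 79, 80   # RFC 2865, RFC 2869


def parse_packet(raw):
    """Return (code name, identifier, authenticator, [(attr type, value), ...]).
    Raises ValueError for the cases RFC 2865 says to drop silently."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("Length field %d does not fit %d bytes on the wire" % (length, len(raw)))
    attrs, pos = [], 20
    while pos < length:                      # octets beyond Length are padding and ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has bad length %d" % (atype, alen))
        attrs.append((atype, bytes(raw[pos + 2:pos + alen])))
        pos += alen
    return CODES.get(code, "code-%d" % code), ident, bytes(raw[4:20]), attrs


def credential_kind(attrs):
    """'PAP' (User-Password, recoverable in clear with the shared secret), 'CHAP',
    'EAP' (only an EAP-capable AuthBy can proceed), or None for no credential."""
    types = {t for t, _ in attrs}
    if EAP_MESSAGE in types:
        return "EAP"
    if CHAP_PASSWORD in types:
        return "CHAP"
    if USER_PASSWORD in types:
        return "PAP"
    return None


def _attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(secret, ident, authenticator, attrs, with_message_authenticator):
    """Assemble an Access-Request; RFC 3579 requires Message-Authenticator (HMAC-MD5 over
    the packet with that attribute zeroed, keyed by the secret) whenever EAP-Message is present."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    if with_message_authenticator:
        body += _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body
    if with_message_authenticator:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def check_message_authenticator(secret, raw):
    """True only if a Message-Authenticator is present and verifies under `secret`."""
    parse_packet(raw)                        # structural validation first
    length = struct.unpack("!H", raw[2:4])[0]
    pos = 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = raw[:pos + 2] + bytes(16) + raw[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, raw[pos + 2:pos + 18])
        pos += alen
    return False


def hide_user_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to 16 octets, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_user_password(secret, authenticator, hidden):
    """Inverse of hide_user_password: the cleartext an AuthBy needs to check a hashed userPassword."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


# Copied from the thread's debug dump: Code 3, Identifier 122 (0x7a), Length 36 (0x24),
# then attribute 18 (Reply-Message) = "Request Denied".
REJECT_FROM_THREAD = bytes.fromhex(
    "03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad"
    "5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65"
    "6e 69 65 64")
SECRET = b"testing123"                        # shared secret from the posted radius.cfg
REQ_AUTH = bytes(range(16))                   # constructed Request Authenticator (a NAS sends 16 random bytes)
EAP_IDENTITY = bytes([2, 1, 0, 8, 1]) + b"zod"  # constructed EAP Response/Identity, id 1, length 8


def sample_eap_request():
    """Constructed: the first RADIUS round trip of an 802.1X supplicant for user zod."""
    return build_access_request(SECRET, 7, REQ_AUTH,
                                [(USER_NAME, b"zod"), (EAP_MESSAGE, EAP_IDENTITY)], True)


def sample_pap_request(password=b"s3cret-demo"):
    """Constructed: a plain PAP request for the same user, which an AuthBy LDAP2 can check."""
    hidden = hide_user_password(SECRET, REQ_AUTH, password)
    return build_access_request(SECRET, 8, REQ_AUTH,
                                [(USER_NAME, b"zod"), (USER_PASSWORD, hidden)], False)


if __name__ == "__main__":
    for name, pkt in [("reject from thread", REJECT_FROM_THREAD),
                      ("EAP request", sample_eap_request()),
                      ("PAP request", sample_pap_request())]:
        code, ident, _, attrs = parse_packet(pkt)
        print("%-18s %-14s id=%-3d credential=%-4s msg-auth-ok=%s" % (
            name, code, ident, credential_kind(attrs), check_message_authenticator(SECRET, pkt)))
```

Run stand-alone it prints one line per packet. The EAP request carries no User-Password at all, only an EAP-Message with the identity, which is why an AuthBy that only knows how to compare a cleartext or CHAP password has nothing to work with; the user's password only appears once the TLS tunnel that the outer handler sets up is in place, and that is the request the TunnelledByPEAP / TunnelledByTTLS handlers with AuthBy LDAP2 see.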



