[RADIATOR] wireless to radius to ldap
zod at reachlocal.com
Tue Nov 3 00:59:41 CST 2009
I did something like that and it did not work for me. I need to send
debug output. I set Debug to 255 and do not get the verbose output
that others get!
Also what goes under File for leap authentication?
Thx
Zod
Sent from my iPhone
On Nov 2, 2009, at 10:32 PM, Hugh Irvine <hugh at open.com.au> wrote:
>
> Hello Zod -
>
> Something like this (see "goodies/eap_multi.cfg"):
>
>
> .....
>
> # process PEAP inner requests
>
> <Handler TunnelledByPEAP = 1>
>
> <AuthBy LDAP2>
> .....
> </AuthBy>
>
> </Handler>
>
> # process TTLS inner requests
>
> <Handler TunnelledByTTLS = 1>
>
> <AuthBy LDAP2>
> .....
> </AuthBy>
>
> </Handler>
>
> # process outer requests
> # this only sets up the encrypted tunnel
>
> <Handler>
>
> <AuthBy FILE>
> .....
> </AuthBy>
>
> </Handler>
>
>
>
> regards
>
> Hugh
>
>
>
>
> On 3 Nov 2009, at 03:47, Zod Mansour wrote:
>
>> Then I am probably not understanding the setup quite well. I
>> thought that I could use either File or LDAP. So apparently I have
>> to use both. Can you please give me a sample of using both
>> together? I am assuming I will need the File to handle the
>> authentication part and then the LDAP2 for the credentials? As I
>> explained I have Macs, Windows, and Linux clients. I am trying to
>> make this as painless as possible for both the admins or the users.
>> So I thought LEAP is the easiest. I am using Radiator and OpenLDAP.
>> Can you please give me a sample file to use the File and LDAP2? You
>> have already seen how I use the AuthBy LDAP2 below. If I don't use
>> NoEAP my OpenLDAP gets pissed off. So I probably need to talk to
>> LDAP in the clear. Which is okay. The radiator and openldap are
>> running on the same machine.
>>
>> Thx,
>> Zod
>>
>> On Nov 2, 2009, at 1:39 AM, Hugh Irvine wrote:
>>
>>>
>>> Hello Zod -
>>>
>>> You would use an AuthBy FILE for the "outer" requests and an
>>> AuthBy LDAP2 clause for the "inner" requests.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 2 Nov 2009, at 14:29, Zod Mansour wrote:
>>>
>>>> And how do I integrate ldap into eap_multi.cfg? Replace AuthBy
>>>> File with AuthBy LDAP2?
>>>> If I don't put the keyword NoEAP my openldap complains that it
>>>> cannot do eap. So my guess is that I need for the radius to
>>>> translate whatever authentication it receives to clear text and
>>>> then send it to openldap.
>>>>
>>>> I will send a verbose debug output tomorrow.
>>>>
>>>> thx,
>>>> Zod
>>>>
>>>> On Oct 30, 2009, at 1:12 AM, Hugh Irvine wrote:
>>>>
>>>>>
>>>>> Hello Zod -
>>>>>
>>>>> I will need to see a more complete debug to say much, but 802.1x
>>>>> is EAP, so you will have to configure EAP.
>>>>>
>>>>> I suggest you start with something like "goodies/eap_multi.cfg".
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 30 Oct 2009, at 09:06, Zod Mansour wrote:
>>>>>
>>>>>> I have done as much as I could with the radiator. Environment:
>>>>>> Hosts: Mac, Linux, Windows
>>>>>> Wireless: Cisco 2106
>>>>>> Radius: Radiator
>>>>>> Ldap: Openldap
>>>>>> Auth: 802.1x
>>>>>>
>>>>>> So the clients need to authenticate against ldap. I get an
>>>>>> Access-Reject. It looks like I can extract the password from the
>>>>>> ldap and to the radius but then the matching breaks due to the
>>>>>> mismatch of the encryption? Anyone?
>>>>>>
>>>>>>
>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling request with Handler 'Client-Identifier=default-handler'
>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Deleting session for zod, 10.10.19.35, 6
>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling with Radius::AuthLDAP2:
>>>>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>>>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got result for uid=zod,ou=People,dc=reachlocal,dc=com
>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got userPassword: {crypt}$1$G5nM1ydp$1/J.oGhql3P.c7aYXswu20
>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 looks for match with zod [zod]
>>>>>> Thu Oct 29 14:47:58 2009: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: zod [zod]
>>>>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>>>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: No entries for DEFAULT found in LDAP database
>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
>>>>>> Thu Oct 29 14:47:58 2009: INFO: Access rejected for zod: Bad Password
>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Packet dump:
>>>>>> *** Sending to 10.10.19.35 port 32768 ....
>>>>>>
>>>>>> Packet length = 36
>>>>>> 03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad
>>>>>> 5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65
>>>>>> 6e 69 65 64
>>>>>> Code: Access-Reject
>>>>>> Identifier: 122
>>>>>> Authentic: <22><240><154><156>-<0>K<225><30><159>b<173>[<253>7<220>
>>>>>> Attributes:
>>>>>> Reply-Message = "Request Denied"
>>>>>>
>>>>>>
>>>>>>
>>>>>> Here are my config files.
>>>>>>
>>>>>> radius.cfg:
>>>>>>
>>>>>> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>>>>>>
>>>>>> Foreground
>>>>>> LogStdout
>>>>>> LogDir /var/log/radius
>>>>>> DbDir /etc/radiator
>>>>>> # Use a low trace level in production systems. Increase
>>>>>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>>>>>> #Trace 3
>>>>>> Trace 5
>>>>>>
>>>>>> # You will probably want to add other Clients to suit your site,
>>>>>> # one for each NAS you want to work with
>>>>>> <Client DEFAULT>
>>>>>>     Secret testing123
>>>>>>     Identifier default-handler
>>>>>>     DupInterval 0
>>>>>> </Client>
>>>>>>
>>>>>> <Handler Client-Identifier=default-handler>
>>>>>>     <AuthBy LDAP2>
>>>>>>         Host localhost
>>>>>>         Port 389
>>>>>>         BaseDN dc=reachlocal,dc=com
>>>>>>         # see /etc/openldap/slapd.conf
>>>>>>         AuthDN cn=Manager, dc=rmydomain, dc=com
>>>>>>         AuthPassword mypass
>>>>>>         UsernameAttr uid
>>>>>>         #EncryptedPasswordAttr cryptpw
>>>>>>         PasswordAttr userPassword
>>>>>>         #PasswordAttr passwd
>>>>>>         #SearchFilter
>>>>>>         #EAPType LEAP
>>>>>>         NoEAP
>>>>>>         StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
>>>>>>         #AddToReply Tunnel-Medium-Type=802,Tunnel-Pvt-Group-ID=28,Tunnel-Type=VLAN
>>>>>>         AddToReply TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>>>>>>     </AuthBy>
>>>>>> </Handler>
>>>>>>
>>>>>>
>>>>>> Also are these AddToReply correct for setting up vlans and
>>>>>> getting 802.1x going?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> radiator mailing list
>>>>>> radiator at open.com.au
>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>
>>>>>
>>>>>
>>>>> NB:
>>>>>
>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>>> Have you had a quick look on Google (www.google.com)?
>>>>> Have you included a copy of your configuration file (no secrets),
>>>>> together with a trace 4 debug showing what is happening?
>>>>> Have you checked the RadiusExpert wiki:
>>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>>
>>>>> --
>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>> Includes support for reliable RADIUS transport (RadSec),
>>>>> and DIAMETER translation agent.
>>>>> -
>>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>>> flexible with hardware, software, platform and database independence.
>>>>> -
>>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>
>
>
>
>
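The outer/inner handler layout Hugh sketches above, written out as an added example (it is not code from the thread nor the shipped goodies/eap_multi.cfg). The Host, Port, BaseDN and attribute names reuse the values from Zod's posted radius.cfg; the Identifier name ldap-users, the bind DN, the CHANGEME secrets and the certificate paths are assumptions to be replaced with site values.

```apacheconf
# Added example of the handler layout above, not the shipped eap_multi.cfg
DbDir /etc/radiator

<Client DEFAULT>
    # placeholder shared secret, set one per NAS
    Secret CHANGEME
    Identifier default-handler
</Client>

# One LDAP2 clause shared by both inner handlers via its Identifier.
# Bind DN and password are placeholders; the rest is from Zod's config.
<AuthBy LDAP2>
    Identifier ldap-users
    Host localhost
    Port 389
    BaseDN dc=reachlocal,dc=com
    AuthDN cn=Manager,dc=reachlocal,dc=com
    AuthPassword CHANGEME
    UsernameAttr uid
    PasswordAttr userPassword
    # inner EAP method used by PEAP clients
    EAPType MSCHAP-V2
</AuthBy>

# Inner PEAP requests, already unwrapped from the TLS tunnel
<Handler TunnelledByPEAP=1>
    AuthBy ldap-users
</Handler>

# Inner TTLS requests (PAP inside the tunnel delivers User-Password)
<Handler TunnelledByTTLS=1>
    AuthBy ldap-users
</Handler>

# Outer requests: this clause only sets up the encrypted tunnel.
# Certificate paths and key password are assumptions.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP, TTLS
        EAPTLS_CAFile %D/certificates/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword CHANGEME
        AutoMPPEKeys
        EAPAnonymous anonymous
    </AuthBy>
</Handler>
```

The PEAP inner handler can only succeed when the stored userPassword is in a form the server can turn into an NT hash for MSCHAP-V2 (plaintext or an NT hash); the {crypt} value shown in Zod's debug output is only verifiable when the inner method hands over the password itself, which is the TTLS/PAP path.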