[RADIATOR] wireless to radius to ldap

Hugh Irvine hugh at open.com.au
Tue Nov 3 01:25:51 CST 2009


Hello Zod -

To get the LDAP Debug 255 you need to run Radiator from the command line:


	cd /your/Radiator/source/directory

	perl radiusd -foreground -log_stdout -trace 4 -config_file /your/Radiator/configuration/file

	.....

And you need to add LEAP to your list of EAPType's that you want to process:


.....

<Handler>
	<AuthBy FILE>
		.....
		EAPType LEAP, PEAP, TTLS, .....
		.....
	</AuthBy>
</Handler>


See section 5.18.22 in the Radiator 4.5 reference manual ("doc/ref.pdf").

Please include a copy of the configuration file and a trace 4 debug so I can see what is happening.


regards

Hugh



On 3 Nov 2009, at 17:59, zod at reachlocal.com wrote:

> I did something like that and did not work for me. I need to send  
> debug output. I set Debug to 255 and do not get the verbose output  
> that others get!
>
> Also what goes under File for leap authentication?
>
> Thx
> Zod
>
> Sent from my iPhone
>
> On Nov 2, 2009, at 10:32 PM, Hugh Irvine <hugh at open.com.au> wrote:
>
>>
>> Hello Zod -
>>
>> Something like this (see "goodies/eap_multi.cfg"):
>>
>>
>> .....
>>
>> # process PEAP inner requests
>>
>> <Handler TunnelledByPEAP = 1>
>>
>>   <AuthBy LDAP2>
>>       .....
>>   </AuthBy>
>>
>> </Handler>
>>
>> # process TTLS inner requests
>>
>> <Handler TunnelledByTTLS = 1>
>>
>>   <AuthBy LDAP2>
>>       .....
>>   </AuthBy>
>>
>> </Handler>
>>
>> # process outer requests
>> # this only sets up the encrypted tunnel
>>
>> <Handler>
>>
>>   <AuthBy FILE>
>>       .....
>>   </AuthBy>
>>
>> </Handler>
>>
>>
>>
>> regards
>>
>> Hugh
>>
>>
>>
>>
>> On 3 Nov 2009, at 03:47, Zod Mansour wrote:
>>
>>> Then I am probably not understanding the setup quite well. I  
>>> thought that I could use either File or LDAP. So apparently I have  
>>> to use both. Can you please give me a sample of using both  
>>> together? I am assuming I will need the File to handle the  
>>> authentication part and then the LDAP2 for the credentials? As I  
>>> explained I have Macs, Windows, and Linux clients. I am trying to  
>>> make this as painless as possible for both the admins or the  
>>> users. So I thought LEAP is the easiest. I am using Radiator and  
>>> OpenLDAP. Can you please give me a sample file to use the File and  
>>> LDAP2? You have already seen how I use the AuthBy LDAP2 below.  If  
>>> I don't use NoEAP my OpenLDAP gets pissed off. So I probably need  
>>> to talk to LDAP in the clear. Which is okay. The radiator and  
>>> openldap are running on the same machine.
>>>
>>> Thx,
>>> Zod
>>>
>>> On Nov 2, 2009, at 1:39 AM, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Zod -
>>>>
>>>> You would use an AuthBy FILE for the "outer" requests and an  
>>>> AuthBy LDAP2 clause for the "inner" requests.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 2 Nov 2009, at 14:29, Zod Mansour wrote:
>>>>
>>>>> And how do I integrate ldap into eap_multi.cfg? Replace AuthBy  
>>>>> File with AuthBy LDAP2?
>>>>> If I don't put the keyword NoEAP my openldap complains that it  
>>>>> cannot do eap. So my guess is that  I need for the radius to  
>>>>> translate whatever authentication it receives to clear text and  
>>>>> then send it to openldap.
>>>>>
>>>>> I will send a verbose debug output tomorrow.
>>>>>
>>>>> thx,
>>>>> Zod
>>>>>
>>>>> On Oct 30, 2009, at 1:12 AM, Hugh Irvine wrote:
>>>>>
>>>>>>
>>>>>> Hello Zod -
>>>>>>
>>>>>> I will need to see a more complete debug to say much, but  
>>>>>> 802.1x is EAP, so you will have to configure EAP.
>>>>>>
>>>>>> I suggest you start with something like "goodies/eap_multi.cfg".
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Hugh
>>>>>>
>>>>>>
>>>>>> On 30 Oct 2009, at 09:06, Zod Mansour wrote:
>>>>>>
>>>>>>> I have done as much as I could with the radiator. Environment:
>>>>>>> Hosts: Mac, Linux, Windows
>>>>>>> Wireless: Cisco 2106
>>>>>>> Radius: Radiator
>>>>>>> Ldap: Openldap
>>>>>>> Auth: 802.1x
>>>>>>>
>>>>>>> So the clients need to authenticate against ldap. I get an Access-Reject. It looks like I can extract the password from the ldap and to the radius but then the matching breaks due to the mismatch of the encryption? Anyone?
>>>>>>>
>>>>>>>
>>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling request with Handler 'Client-Identifier=default-handler'
>>>>>>> Thu Oct 29 14:47:58 2009: DEBUG:  Deleting session for zod, 10.10.19.35, 6
>>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Handling with Radius::AuthLDAP2:
>>>>>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>>>>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got result for uid=zod,ou=People,dc=reachlocal,dc=com
>>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got userPassword: {crypt}$1$G5nM1ydp$1/J.oGhql3P.c7aYXswu20
>>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 looks for match with zod [zod]
>>>>>>> Thu Oct 29 14:47:58 2009: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
>>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: zod [zod]
>>>>>>> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
>>>>>>> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
>>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: No entries for DEFAULT found in LDAP database
>>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
>>>>>>> Thu Oct 29 14:47:58 2009: INFO: Access rejected for zod: Bad Password
>>>>>>> Thu Oct 29 14:47:58 2009: DEBUG: Packet dump:
>>>>>>> *** Sending to 10.10.19.35 port 32768 ....
>>>>>>>
>>>>>>> Packet length = 36
>>>>>>> 03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad
>>>>>>> 5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65
>>>>>>> 6e 69 65 64
>>>>>>> Code:       Access-Reject
>>>>>>> Identifier: 122
>>>>>>> Authentic:  <22><240><154><156>-<0>K<225><30><159>b<173>[<253>7<220>
>>>>>>> Attributes:
>>>>>>>   Reply-Message = "Request Denied"
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Here are my config files.
>>>>>>>
>>>>>>> radius.cfg:
>>>>>>>
>>>>>>> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>>>>>>>
>>>>>>> Foreground
>>>>>>> LogStdout
>>>>>>> LogDir        /var/log/radius
>>>>>>> DbDir        /etc/radiator
>>>>>>> # Use a low trace level in production systems. Increase
>>>>>>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>>>>>>> #Trace        3
>>>>>>> Trace        5
>>>>>>>
>>>>>>> # You will probably want to add other Clients to suit your site,
>>>>>>> # one for each NAS you want to work with
>>>>>>> <Client DEFAULT>
>>>>>>>   Secret    testing123
>>>>>>>   Identifier default-handler
>>>>>>>   DupInterval 0
>>>>>>> </Client>
>>>>>>>
>>>>>>> <Handler Client-Identifier=default-handler>
>>>>>>>   <AuthBy LDAP2>
>>>>>>>       Host localhost
>>>>>>>       Port 389
>>>>>>>       BaseDN dc=reachlocal,dc=com
>>>>>>>           # see /etc/openldap/slapd.conf
>>>>>>>       AuthDN          cn=Manager, dc=rmydomain, dc=com
>>>>>>>       AuthPassword    mypass
>>>>>>>       UsernameAttr uid
>>>>>>>       #EncryptedPasswordAttr cryptpw
>>>>>>>       PasswordAttr userPassword
>>>>>>>       #PasswordAttr passwd
>>>>>>>       #SearchFilter
>>>>>>>       #EAPType LEAP
>>>>>>>       NoEAP
>>>>>>>       StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
>>>>>>>       #AddToReply Tunnel-Medium-Type=802,Tunnel-Pvt-Group-ID=28,Tunnel-Type=VLAN
>>>>>>>       AddToReply TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>>>>>>>   </AuthBy>
>>>>>>> </Handler>
>>>>>>>
>>>>>>>
>>>>>>> Also are these AddToReply correct for setting up vlans and getting 802.1x going?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> radiator mailing list
>>>>>>> radiator at open.com.au
>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>
>>>>>>
>>>>>>
>>>>>> NB:
>>>>>>
>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator 
>>>>>> )?
>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>> Have you included a copy of your configuration file (no secrets),
>>>>>> together with a trace 4 debug showing what is happening?
>>>>>> Have you checked the RadiusExpert wiki:
>>>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>>>
>>>>>> -- 
>>>>>> Radiator: the most portable, flexible and configurable RADIUS  
>>>>>> server
>>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>>> Includes support for reliable RADIUS transport (RadSec),
>>>>>> and DIAMETER translation agent.
>>>>>> -
>>>>>> Nets: internetwork inventory and management - graphical,  
>>>>>> extensible,
>>>>>> flexible with hardware, software, platform and database  
>>>>>> independence.
>>>>>> -
>>>>>> CATool: Private Certificate Authority for Unix and Unix-like  
>>>>>> systems.
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>






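A complete version of the outer/inner layout Hugh sketches in this thread, written here as an added example (it is not from the thread, nor Radiator's own goodies/eap_multi.cfg). It also records why the {crypt} value in the trace can satisfy TTLS/PAP but not PEAP/MSCHAP-V2 or LEAP. The bind DN, base DN, certificate paths and secrets are placeholders; the parameter names are Radiator 4.x ones, and %D is assumed to point at a DbDir set elsewhere in the file.

```conf
# Added example, not from the thread or from Radiator's goodies; the DNs,
# file paths and secrets below are placeholders.
<Client DEFAULT>
    Secret      CHANGE_ME
    Identifier  default-handler
</Client>

# Inner PEAP requests carry the real credentials. MSCHAP-V2 (like LEAP)
# needs the cleartext password or an NT hash on the server side, so a
# {crypt} userPassword such as the one in the trace is rejected here.
<Handler TunnelledByPEAP=1>
    <AuthBy LDAP2>
        Host          localhost
        AuthDN        cn=Manager,dc=example,dc=com
        AuthPassword  CHANGE_ME
        BaseDN        dc=example,dc=com
        UsernameAttr  uid
        PasswordAttr  userPassword
        EAPType       MSCHAP-V2
    </AuthBy>
</Handler>

# Inner TTLS requests: a TTLS/PAP supplicant sends User-Password, which
# Radiator can verify against the {crypt} hash read from userPassword.
<Handler TunnelledByTTLS=1>
    <AuthBy LDAP2>
        Host          localhost
        AuthDN        cn=Manager,dc=example,dc=com
        AuthPassword  CHANGE_ME
        BaseDN        dc=example,dc=com
        UsernameAttr  uid
        PasswordAttr  userPassword
    </AuthBy>
</Handler>

# Outer requests only set up the TLS tunnel. LEAP is not tunnelled, so it
# is checked here against the users file (cleartext password required).
<Handler>
    <AuthBy FILE>
        Filename                  %D/users
        EAPType                   PEAP, TTLS, LEAP
        EAPTLS_CAFile             %D/certificates/cacert.pem
        EAPTLS_CertificateFile    %D/certificates/server.pem
        EAPTLS_CertificateType    PEM
        EAPTLS_PrivateKeyFile     %D/certificates/server.pem
        EAPTLS_PrivateKeyPassword CHANGE_ME
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

Global settings (Trace, LogDir, DbDir for %D) go above the Client clause as in Zod's radius.cfg; the Handler order matters, since the catch-all outer Handler must come after the two tunnelled ones.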
