[RADIATOR] wireless to radius to ldap

Zod Mansour zod at reachlocal.com
Thu Oct 29 17:06:59 CDT 2009


I have done as much as I could with the radiator. Environment:
Hosts: Mac, Linux, Windows
Wireless: Cisco 2106
Radius: Radiator
Ldap: Openldap
Auth: 802.1x

So the clients need to authenticate against ldap. I get an Access-Reject. It looks like I can extract the password from the ldap and to the radius but then the matching breaks due to the mismatch of the encryption? Anyone?


Thu Oct 29 14:47:58 2009: DEBUG: Handling request with Handler 'Client-Identifier=default-handler'
Thu Oct 29 14:47:58 2009: DEBUG:  Deleting session for zod, 10.10.19.35, 6
Thu Oct 29 14:47:58 2009: DEBUG: Handling with Radius::AuthLDAP2:
Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
Thu Oct 29 14:47:58 2009: DEBUG: LDAP got result for uid=zod,ou=People,dc=reachlocal,dc=com
Thu Oct 29 14:47:58 2009: DEBUG: LDAP got userPassword: {crypt}$1$G5nM1ydp$1/J.oGhql3P.c7aYXswu20
Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 looks for match with zod [zod]
Thu Oct 29 14:47:58 2009: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: zod [zod]
Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
Thu Oct 29 14:47:58 2009: DEBUG: No entries for DEFAULT found in LDAP database
Thu Oct 29 14:47:58 2009: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
Thu Oct 29 14:47:58 2009: INFO: Access rejected for zod: Bad Password
Thu Oct 29 14:47:58 2009: DEBUG: Packet dump:
*** Sending to 10.10.19.35 port 32768 ....

Packet length = 36
03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad
5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 122
Authentic:  <22><240><154><156>-<0>K<225><30><159>b<173>[<253>7<220>
Attributes:
	Reply-Message = "Request Denied"



Here are my config files.

radius.cfg:

# $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $

Foreground
LogStdout
LogDir		/var/log/radius
DbDir		/etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
#Trace 		3
Trace 		5

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
	Secret	testing123
	Identifier default-handler
	DupInterval 0
</Client>

<Handler Client-Identifier=default-handler>
	<AuthBy LDAP2>
		Host localhost
		Port 389
		BaseDN dc=reachlocal,dc=com
		# see /etc/openldap/slapd.conf
		AuthDN          cn=Manager, dc=rmydomain, dc=com
		AuthPassword    mypass
		UsernameAttr uid
		#EncryptedPasswordAttr cryptpw
		PasswordAttr userPassword
		#PasswordAttr passwd
		#SearchFilter
		#EAPType LEAP
		NoEAP
		StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
		#AddToReply Tunnel-Medium-Type=802,Tunnel-Pvt-Group-ID=28,Tunnel-Type=VLAN
		AddToReply TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
	</AuthBy>
</Handler>


Also are these AddToReply correct for setting up vlans and getting 802.1x going?
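As an added example (not part of the original post), a small Python decoder for the RADIUS packet dump in the trace above. It walks the header and attribute TLVs and also reports which credential attributes a packet carries (User-Password, CHAP-Password or EAP-Message), which is what the "No CHAP-Password or User-Password in request" warning is complaining about; the attribute numbers are from RFC 2865/3579, the hex dump is copied from the trace.

```python
import struct

# RADIUS packet codes and a few attribute types (RFC 2865, RFC 3579)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password", 18: "Reply-Message",
         79: "EAP-Message", 80: "Message-Authenticator"}
CREDENTIAL_ATTRS = {"User-Password", "CHAP-Password", "EAP-Message"}

# The 36-byte Access-Reject exactly as dumped in the Radiator trace above.
REJECT_DUMP = """
03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad
5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
"""

def parse_radius(raw: bytes) -> dict:
    """Decode the fixed 20-byte header, then walk the type/length/value attribute list."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes on the wire")
    attrs = []
    pos = 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:          # reject truncated or overlapping TLVs
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((ATTRS.get(atype, f"Attr-{atype}"), raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, f"Code-{code}"), "identifier": ident,
            "authenticator": raw[4:20], "attributes": attrs}

def credential_attrs(pkt: dict) -> set:
    """Which credential-carrying attributes are present, i.e. what an AuthBy could check."""
    return {name for name, _ in pkt["attributes"]} & CREDENTIAL_ATTRS

def decode_dump(dump: str) -> dict:
    """Parse a whitespace-separated hex dump such as the one Radiator prints at Trace 4+."""
    return parse_radius(bytes.fromhex(dump))

if __name__ == "__main__":
    pkt = decode_dump(REJECT_DUMP)
    print(pkt["code"], "id", pkt["identifier"])
    for name, value in pkt["attributes"]:
        print(f"  {name} = {value!r}")
    print("credential attributes:", credential_attrs(pkt) or "none")
```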