[RADIATOR] wireless to radius to ldap
Zod Mansour
zod at reachlocal.com
Thu Oct 29 17:06:59 CDT 2009
I have done as much as I could with the radiator. Environment:
Hosts: Mac, Linux, Windows
Wireless: Cisco 2106
Radius: Radiator
Ldap: Openldap
Auth: 802.1x
So the clients need to authenticate against LDAP. I get an Access-Reject. It looks like I can extract the password from LDAP and get it to RADIUS, but then the matching breaks due to the mismatch of the encryption? Anyone?
Thu Oct 29 14:47:58 2009: DEBUG: Handling request with Handler 'Client-Identifier=default-handler'
Thu Oct 29 14:47:58 2009: DEBUG: Deleting session for zod, 10.10.19.35, 6
Thu Oct 29 14:47:58 2009: DEBUG: Handling with Radius::AuthLDAP2:
Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
Thu Oct 29 14:47:58 2009: DEBUG: LDAP got result for uid=zod,ou=People,dc=reachlocal,dc=com
Thu Oct 29 14:47:58 2009: DEBUG: LDAP got userPassword: {crypt}$1$G5nM1ydp$1/J.oGhql3P.c7aYXswu20
Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 looks for match with zod [zod]
Thu Oct 29 14:47:58 2009: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: zod [zod]
Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
Thu Oct 29 14:47:58 2009: DEBUG: No entries for DEFAULT found in LDAP database
Thu Oct 29 14:47:58 2009: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
Thu Oct 29 14:47:58 2009: INFO: Access rejected for zod: Bad Password
Thu Oct 29 14:47:58 2009: DEBUG: Packet dump:
*** Sending to 10.10.19.35 port 32768 ....
Packet length = 36
03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad
5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code: Access-Reject
Identifier: 122
Authentic: <22><240><154><156>-<0>K<225><30><159>b<173>[<253>7<220>
Attributes:
Reply-Message = "Request Denied"
Here are my config files.
radius.cfg:
# $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
#Trace 3
Trace 5
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret testing123
Identifier default-handler
DupInterval 0
</Client>
<Handler Client-Identifier=default-handler>
<AuthBy LDAP2>
Host localhost
Port 389
BaseDN dc=reachlocal,dc=com
# see /etc/openldap/slapd.conf
AuthDN cn=Manager, dc=rmydomain, dc=com
AuthPassword mypass
UsernameAttr uid
#EncryptedPasswordAttr cryptpw
PasswordAttr userPassword
#PasswordAttr passwd
#SearchFilter
#EAPType LEAP
NoEAP
StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
#AddToReply Tunnel-Medium-Type=802,Tunnel-Pvt-Group-ID=28,Tunnel-Type=VLAN
AddToReply TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
</AuthBy>
</Handler>
Also, are these AddToReply lines correct for setting up VLANs and getting 802.1x going?
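The core of the problem shown in the log is which credential forms a RADIUS server can check against which LDAP userPassword storage schemes. The following is an added illustration written for this post; it is not Radiator code and not from the original message. It implements md5-crypt ($1$, the scheme of the {crypt} value in the log), OpenLDAP {SSHA}, and RFC 1994 CHAP verification, then runs a small decision routine that mirrors the behaviour in the log: a PAP request (User-Password) can be verified against a one-way hash, a CHAP challenge/response can only be reproduced from a cleartext store, and an EAP-Message on its own, with NoEAP set, leaves no checkable credential at all. The attribute names, the constructed password, salt and challenge values, and the `NoEAP` modelling assumption are all mine; the exact outcome strings are illustrative, not Radiator's.

```python
import base64
import hashlib
import hmac

# crypt(3) alphabet; md5-crypt emits 6-bit groups least-significant first
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Pure-Python md5-crypt ($1$), the algorithm behind {crypt}$1$... values."""
    magic, salt = b"$1$", salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                      # mix in len(password) bytes of the alt digest
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(password)
    while i:                             # the "something really weird" step of the original
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                # fixed stretching rounds of md5-crypt
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return (magic + salt).decode() + "$" + encoded


def verify_crypt(password: bytes, stored: str) -> bool:
    """Re-hash with the salt taken from the stored value; only $1$ is implemented here."""
    if not stored.startswith("$1$"):
        return False
    salt = stored[3:].split("$", 1)[0].encode()
    return hmac.compare_digest(md5_crypt(password, salt), stored)


def make_ssha(password: bytes, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt)."""
    return base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()


def verify_ssha(password: bytes, stored_b64: str) -> bool:
    raw = base64.b64decode(stored_b64)
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def make_chap_response(password: bytes, ident: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-Password: identifier byte followed by MD5(id || password || challenge)."""
    return ident + hashlib.md5(ident + password + challenge).digest()


def verify_chap(password: bytes, chap_password: bytes, challenge: bytes) -> bool:
    return hmac.compare_digest(make_chap_response(password, chap_password[:1], challenge),
                               chap_password)


def parse_user_password(value: str):
    """Split an LDAP userPassword into (scheme, data); no {scheme} prefix means cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, data = value[1:].split("}", 1)
        return scheme.lower(), data
    return None, value


def check_request(attrs: dict, user_password: str) -> str:
    """Decide whether the request's credential can be checked against the stored value.
    Modelling assumption: EAP-Message is ignored (NoEAP), as in the posted config."""
    scheme, data = parse_user_password(user_password)
    if "User-Password" in attrs:                       # PAP: plaintext travels in the request
        pw = attrs["User-Password"].encode()
        if scheme is None:
            ok = hmac.compare_digest(pw, data.encode())
        elif scheme == "crypt":
            ok = verify_crypt(pw, data)
        elif scheme == "ssha":
            ok = verify_ssha(pw, data)
        else:
            return "REJECT: unsupported userPassword scheme {%s}" % scheme
        return "ACCEPT" if ok else "REJECT: Bad Password"
    if "CHAP-Password" in attrs:                       # challenge/response needs the cleartext
        if scheme is not None:
            return "REJECT: {%s} hash cannot reproduce a CHAP response" % scheme
        ok = verify_chap(data.encode(), attrs["CHAP-Password"], attrs["CHAP-Challenge"])
        return "ACCEPT" if ok else "REJECT: Bad Password"
    return "REJECT: No CHAP-Password or User-Password in request"
```

Run against a constructed {crypt} entry, the routine accepts a correct PAP password and rejects a CHAP or EAP-only request with a reason; against a cleartext entry it can also answer CHAP. That is the mismatch the log reports: the 802.1x exchange never carries a User-Password, so a one-way {crypt} hash gives the server nothing it can compare.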