[RADIATOR] wireless to radius to ldap

Hugh Irvine hugh at open.com.au
Fri Oct 30 03:12:33 CDT 2009


Hello Zod -

I will need to see a more complete debug to say much, but 802.1x is EAP, so you will have to configure EAP.

I suggest you start with something like "goodies/eap_multi.cfg".

regards

Hugh


On 30 Oct 2009, at 09:06, Zod Mansour wrote:

> I have done as much as I could with the radiator. Environment:
> Hosts: Mac, Linux, Windows
> Wireless: Cisco 2106
> Radius: Radiator
> Ldap: Openldap
> Auth: 802.1x
>
> So the clients need to authenticate against ldap. I get an Access-Reject.
> It looks like I can extract the password from the ldap and to the radius
> but then the matching breaks due to the mismatch of the encryption? Anyone?
>
>
> Thu Oct 29 14:47:58 2009: DEBUG: Handling request with Handler 'Client-Identifier=default-handler'
> Thu Oct 29 14:47:58 2009: DEBUG:  Deleting session for zod, 10.10.19.35, 6
> Thu Oct 29 14:47:58 2009: DEBUG: Handling with Radius::AuthLDAP2:
> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got result for uid=zod,ou=People,dc=reachlocal,dc=com
> Thu Oct 29 14:47:58 2009: DEBUG: LDAP got userPassword: {crypt}$1$G5nM1ydp$1/J.oGhql3P.c7aYXswu20
> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 looks for match with zod [zod]
> Thu Oct 29 14:47:58 2009: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
> Thu Oct 29 14:47:58 2009: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: zod [zod]
> Thu Oct 29 14:47:58 2009: INFO: Connecting to localhost:389
> Thu Oct 29 14:47:58 2009: INFO: Attempting to bind to LDAP server localhost:389
> Thu Oct 29 14:47:58 2009: DEBUG: No entries for DEFAULT found in LDAP database
> Thu Oct 29 14:47:58 2009: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
> Thu Oct 29 14:47:58 2009: INFO: Access rejected for zod: Bad Password
> Thu Oct 29 14:47:58 2009: DEBUG: Packet dump:
> *** Sending to 10.10.19.35 port 32768 ....
>
> Packet length = 36
> 03 7a 00 24 16 f0 9a 9c 2d 00 4b e1 1e 9f 62 ad
> 5b fd 37 dc 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 122
> Authentic:  <22><240><154><156>-<0>K<225><30><159>b<173>[<253>7<220>
> Attributes:
> 	Reply-Message = "Request Denied"
>
>
>
> Here are my config files.
>
> radius.cfg:
>
> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>
> Foreground
> LogStdout
> LogDir		/var/log/radius
> DbDir		/etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> #Trace 		3
> Trace 		5
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> 	Secret	testing123
> 	Identifier default-handler
> 	DupInterval 0
> </Client>
>
> <Handler Client-Identifier=default-handler>
> 	<AuthBy LDAP2>
> 		Host localhost
> 		Port 389
> 		BaseDN dc=reachlocal,dc=com
> 		# see /etc/openldap/slapd.conf
> 		AuthDN          cn=Manager, dc=rmydomain, dc=com
> 		AuthPassword    mypass
> 		UsernameAttr uid
> 		#EncryptedPasswordAttr cryptpw
> 		PasswordAttr userPassword
> 		#PasswordAttr passwd
> 		#SearchFilter
> 		#EAPType LEAP
> 		NoEAP
> 		StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
> 		#AddToReply Tunnel-Medium-Type=802,Tunnel-Pvt-Group-ID=28,Tunnel-Type=VLAN
> 		AddToReply TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
> 	</AuthBy>
> </Handler>
>
>
> Also are these AddToReply correct for setting up vlans and getting
> 802.1x going?
>
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
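Editor's added example, not from either poster and not a file from the Radiator distribution: an AuthBy LDAP2 clause that terminates EAP itself, modelled on the EAP settings that goodies/eap_multi.cfg applies to its AuthBy FILE. It is written against the debug above: an 802.1x request carries EAP-Message rather than User-Password, which is exactly what the "No CHAP-Password or User-Password in request" warning is reporting while NoEAP is set. The certificate paths, the AuthDN and the VLAN number are assumptions/placeholders; %D expands to DbDir.

```text
# Added example: EAP-terminating AuthBy LDAP2 (assumed values, not the poster's config)
<Handler Client-Identifier=default-handler>
	<AuthBy LDAP2>
		Host localhost
		Port 389
		BaseDN dc=reachlocal,dc=com
		# Placeholder bind DN/password for the directory
		AuthDN cn=Manager,dc=reachlocal,dc=com
		AuthPassword mypass
		UsernameAttr uid
		PasswordAttr userPassword

		# 802.1x is EAP: let this AuthBy run the EAP conversation instead of
		# setting NoEAP, which leaves it looking for a User-Password that an
		# 802.1x request never contains.
		EAPType TTLS, PEAP, MSCHAP-V2

		# Server certificate presented to the supplicant inside the TLS tunnel
		# (placeholder paths, same layout as goodies/eap_multi.cfg)
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever
		EAPTLS_MaxFragmentSize 1024
		EAPTLS_PEAPVersion 0
		# Derive the MS-MPPE keys the access point needs to key the session
		AutoMPPEKeys

		# Dynamic VLAN assignment uses the RFC 2868 tunnel attributes under
		# their dictionary names (assumed VLAN 28)
		AddToReply Tunnel-Type=VLAN,Tunnel-Medium-Type=IEEE-802,Tunnel-Private-Group-ID=28
	</AuthBy>
</Handler>
```

One caveat a practitioner should check before expecting this to work: the debug shows userPassword stored as a {crypt} hash. MS-CHAPv2, which PEAP uses as its inner method on Windows and Mac supplicants, is computed from the NT hash of the password and cannot be verified against a crypt(3) hash, so those clients will still be rejected unless the directory also holds a plaintext or NT-hash form of the password; a TTLS client using PAP inside the tunnel can be checked against the existing {crypt} value.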



