[RADIATOR] Windows AD authentication with radius
Corey Gray
corey at tsa.com.au
Thu Jan 28 18:58:09 CST 2010
Sorry, I posted the wrong configuration file. The correct file is below:
LogDir /var/log/radius
Dir /etc/radiator
Trace 5
#Trace 3
<Client 192.168.xxx.xxx >
Secret mysecretpasswordhere
</Client>
# requests will be processed here
# define Realm(s) or Handler(s)
<Handler>
# use AuthBy LDAP2 for AD
<AuthBy NTLM>
#always connect to one of TSA AU server
host kermit beaker
#Connect Via SSL port
Port 636
#Authenticate Radius Server
AuthDN Radiator_Username
AuthPassword Radiator_Password
#Start search Here
BaseDN ou=_TSA,ou=Users
#Use UID to match names
UsernameAttr uid
PasswordAttr
</AuthBy>
</Handler>
Regards
Corey
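An added example, not part of this thread and not Radiator's own code: a small Python checker that parses Radiator's <Clause> ... </Clause> nesting and reports keywords that do not belong to the clause they appear in, which is what the "Unknown keyword" lines in the Trace 5 further down are about (the parameters under <AuthBy NTLM> in the file above are AuthBy LDAP2 parameters, and the top-level keyword is DbDir, not Dir). The keyword table is an illustrative subset assembled only from parameters that appear in this thread, case-sensitive matching of keywords is an assumption taken from the "Unknown object 'client'" error in the original post, and the two sample configurations are constructed with documentation addresses and placeholder secrets.

```python
"""Clause-aware keyword checker for Radiator-style configuration files (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# ASSUMPTION: an illustrative subset of keywords keyed by clause type, built only
# from parameters that appear in this thread. Top-level keywords use the key "".
# Consult doc/ref.pdf for the authoritative list.
KNOWN_KEYWORDS: Dict[str, Set[str]] = {
    "": {"LogDir", "DbDir", "DictionaryFile", "Trace"},
    "Client": {"Secret", "DupInterval"},
    "Handler": set(),          # a Handler's content is its nested AuthBy clause
    "Realm": set(),
    "AuthBy NTLM": {"Domain", "DefaultDomain", "NtlmAuthProg"},
    "AuthBy LDAP2": {"Host", "Port", "AuthDN", "AuthPassword", "BaseDN",
                     "UsernameAttr", "PasswordAttr"},
}

OPEN_RE = re.compile(r"^<\s*([A-Za-z]\w*)(?:\s+(.*?))?\s*>$")
CLOSE_RE = re.compile(r"^</\s*([A-Za-z]\w*)\s*>$")


def clause_key(name: str, arg: Optional[str]) -> str:
    """AuthBy clauses are typed by their module argument: <AuthBy NTLM> vs <AuthBy LDAP2>."""
    if name == "AuthBy" and arg:
        return f"AuthBy {arg.split()[0]}"
    return name


def check_config(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) pairs in the spirit of Radiator's ERR: lines.

    Names are compared case-sensitively: the trace in this thread rejects
    <client DEFAULT> as an unknown object, and this checker ASSUMES the same
    rule for parameter keywords.
    """
    errors: List[Tuple[int, str]] = []
    stack: List[Tuple[str, str]] = []      # (clause key, clause name) of open clauses
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comment lines
            continue
        m = OPEN_RE.match(line)
        if m:
            name, arg = m.group(1), m.group(2)
            key = clause_key(name, arg)
            if key not in KNOWN_KEYWORDS:
                errors.append((lineno, f"Unknown object '{name}'"))
            stack.append((key, name))
            continue
        m = CLOSE_RE.match(line)
        if m:
            if stack and stack[-1][1] == m.group(1):
                stack.pop()
            else:
                errors.append((lineno, f"Unexpected '</{m.group(1)}>'"))
            continue
        keyword = line.split(None, 1)[0]
        context = stack[-1][0] if stack else ""
        if keyword not in KNOWN_KEYWORDS.get(context, set()):
            errors.append((lineno, f"Unknown keyword '{keyword}'"))
    for _key, name in stack:
        errors.append((len(lines), f"Unclosed clause <{name}>"))
    return errors


# Constructed sample mirroring the mis-filed config: LDAP2 parameters inside an
# <AuthBy NTLM> clause, plus 'Dir' where 'DbDir' was meant.
SAMPLE_BROKEN = """\
LogDir /var/log/radius
Dir /etc/radiator
Trace 5
#Trace 3
<Client 192.0.2.10 >
Secret CONSTRUCTED-SECRET
</Client>
# requests will be processed here
<Handler>
<AuthBy NTLM>
host kermit beaker
Port 636
AuthDN Radiator_Username
AuthPassword Radiator_Password
BaseDN ou=_TSA,ou=Users
UsernameAttr uid
PasswordAttr
</AuthBy>
</Handler>
"""

# Constructed sample of the same intent expressed with AuthBy NTLM keywords only.
SAMPLE_FIXED = """\
LogDir /var/log/radius
DbDir /etc/radiator
DictionaryFile %D/dictionary
Trace 4
<Client 192.0.2.10>
    Secret CONSTRUCTED-SECRET
</Client>
<Handler>
    <AuthBy NTLM>
        Domain EXAMPLE
        DefaultDomain EXAMPLE
        NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
    </AuthBy>
</Handler>
"""

if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"== {label} ==")
        for lineno, msg in check_config(sample) or [(0, "no problems found")]:
            print(f"line {lineno}: {msg}")
```

Run against the broken sample it reports line 2 ('Dir') and lines 11 to 17 (the seven LDAP2 parameters), the same eight complaints the real server logged; the dictionary file plays no part in keyword recognition, so the order in which the trace reads the config and the dictionary is not the cause.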
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Corey Gray
Sent: Friday, 29 January 2010 10:51 AM
To: radiator at open.com.au
Subject: Re: [RADIATOR] Windows AD authentication with radius
I have done as suggested and it seems I am running into more problems. Here is a Trace 5:
Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'Dir' in /etc/radiator/radius.cfg line 2
Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'host' in /etc/radiator/radius.cfg line 15
Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'Port' in /etc/radiator/radius.cfg line 17
Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'AuthDN' in /etc/radiator/radius.cfg line 19
Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'AuthPassword' in /etc/radiator/radius.cfg line 20
Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'BaseDN' in /etc/radiator/radius.cfg line 22
Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'UsernameAttr' in /etc/radiator/radius.cfg line 24
Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'PasswordAttr' in /etc/radiator/radius.cfg line 25
Fri Jan 29 10:48:00 2010: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Fri Jan 29 10:48:00 2010: DEBUG: Reading dictionary file '/usr/local/etc/raddb/dictionary'
Fri Jan 29 10:48:01 2010: NOTICE: Server started: Radiator 4.5.1 on Radiator (LOCKED)
It seems that it is reading the dictionary after the config file and therefore doesn't recognize any of the config settings.
Here is my radius.cfg:
LogDir /var/log/radius
Dir /etc/radiator
DictionaryFile %D/dictionary
Trace 5
#Trace 3
<Client 192.168.XX.XX >
Secret mysecret
</Client>
# requests will be processed here
# define Realm(s) or Handler(s)
<Handler>
# use AuthBy NTLM for AD
<AuthBy NTLM>
Domain TSA
Default Domain TSA
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
</AuthBy>
</Handler>
I'm assuming Client is my access point's IP?
Any help is greatly appreciated.
Regards
Corey
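An added example, not from this thread and not Radiator's own code, to show what the Secret in the <Client> clause actually does on both sides of a RADIUS exchange: it hides the PAP User-Password in the Access-Request and authenticates the server's reply (RFC 2865, sections 3 and 5.2). The NAS address 192.0.2.10, the secrets and the in-memory user store are constructed values; the toy server's dictionary lookup stands in for whatever backend (ntlm_auth, LDAP) the real server would consult.

```python
"""PAP Access-Request / Access-Accept exchange, RFC 2865 style (added example)."""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute types


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block            # chained: next keystream depends on previous hidden block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")   # strip padding (passwords contain no NUL)


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, request_auth: Optional[bytes] = None) -> bytes:
    request_auth = request_auth or os.urandom(16)   # fresh random Request Authenticator
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: only a server holding the same secret can produce a valid reply."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_handle(request: bytes, secret: bytes, users: Dict[str, bytes]) -> bytes:
    """Toy server: reveal the PAP password with this client's secret, then accept or reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], parse_attributes(request[20:])
    ok = False
    if USER_NAME in attrs and USER_PASSWORD in attrs:
        expected = users.get(attrs[USER_NAME].decode(errors="replace"))
        given = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
        ok = expected is not None and hmac.compare_digest(expected, given)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, b"", request_auth, secret)


def run_exchange(nas_secret: bytes, server_secret: bytes, username: str, password: str,
                 users: Dict[str, bytes]) -> Tuple[int, bool]:
    """Return (response code, whether the NAS could verify the reply with its own secret)."""
    req = build_access_request(7, nas_secret, username, password, "192.0.2.10")
    resp = server_handle(req, server_secret, users)
    return resp[0], verify_response(resp, req[4:20], nas_secret)


if __name__ == "__main__":
    USERS = {"alice": b"correct horse"}   # constructed sample user store
    print(run_exchange(b"s3cret", b"s3cret", "alice", "correct horse", USERS))  # accept, verified
    print(run_exchange(b"s3cret", b"other", "alice", "correct horse", USERS))   # reject, unverified
```

The third case in the main block is the one a mismatched <Client> entry produces in practice: the server unhides garbage, rejects the user, and the NAS cannot even validate the rejection, which is why the Client clause must carry the address the requests actually arrive from and the same Secret as the access point.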
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Alexander Hartmaier
Sent: Thursday, 28 January 2010 6:55 PM
To: radiator at open.com.au
Subject: Re: [RADIATOR] Windows AD authentication with radius
I'd suggest using AuthBy LDAP2 to be able to limit the allowed users to groups or other user attributes (like not-locked, ...).
--
Best regards, Alex
On Thursday, 28.01.2010, 01:23 +0100, Hugh Irvine wrote:
> Hello Corey -
>
> There are typos in your configuration file for the <Client ...> - and you should probably use AuthBy NTLM.
>
> The configuration file should look more like this:
>
> .....
>
> # the Client clause(s) list the devices from which we will accept RADIUS requests
>
> <Client 1.1.1.1>
> Secret somesecret
> .....
> </Client>
>
> # requests will be processed here
> # define Realm(s) or Handler(s)
>
> <Handler>
> # use AuthBy NTLM for AD
> <AuthBy NTLM>
> .....
> </AuthBy>
> </Handler>
>
>
> There is also already some process using ports 1645 and 1646 which you will need to terminate before you can run Radiator on these ports.
>
> See section 5.65 in the Radiator 4.5.1 reference manual ("doc/ref.pdf") and the example configuration file in "goodies/ntlm.cfg" and "goodies/ntlm_eap_*.cfg".
>
> regards
>
> Hugh
>
> On 28 Jan 2010, at 09:43, Corey Gray wrote:
>
> > Hi,
> > I have just been asked to test Radiator to secure our wireless network. The requirement is to authenticate users from AD using their common name. I have tried to configure this in the config file but am having a bit of trouble getting Radiator to parse the file correctly (I'm sure my file is inconsistent with Radiator's requirements). Config details:
> >
> > Platform RHEL 5.3
> > Radiator 4.4
> >
> > LogDir /var/log/radius
> > DbDir /etc/radiator
> > Trace 4
> >
> > <client DEFAULT>
> > <AuthBy ADSI>
> > BindString LDAP://cn=%0,cn=users,dc=tsa,dc=com,dc=au
> > AuthUser cn=%0,cn=users,dc=tsa,dc=com,dc=au
> > AuthFlags 0
> > </AuthBy>
> > secret testpass
> > DupInterval 0
> > <Realm tsa.com.au>
> >
> > </Realm>
> > <Realm DEFAULT>
> > </Realm>
> >
> > Wed Jan 27 21:51:50 2010: ERR: Unknown object 'client' in /etc/radiator/Radd.cfg line 5
> > Wed Jan 27 21:51:50 2010: DEBUG: Finished reading configuration file '/etc/radiator/Radd.cfg'
> > Wed Jan 27 21:51:51 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> > Wed Jan 27 21:51:52 2010: DEBUG: Creating authentication port 0.0.0.0:1645
> > Wed Jan 27 21:51:52 2010: ERR: Could not bind authentication socket: Address already in use
> > Wed Jan 27 21:51:52 2010: DEBUG: Creating accounting port 0.0.0.0:1646
> > Wed Jan 27 21:51:52 2010: ERR: Could not bind accounting socket: Address already in use
> > Wed Jan 27 21:51:52 2010: NOTICE: Server started: Radiator 4.4 on radiator.tsa.com.au (LOCKED)
> >
> > My question….
> >
> > What modules do I need for AD auth and what is required in the config file for this to work?
> >
> > I'm aware of the dictionary issue and that is soon to be resolved :)
> >
> > Thanks in advance
> >
> > Corey
> >
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b