[RADIATOR] Windows AD authentication with radius
Hugh Irvine
hugh at open.com.au
Thu Jan 28 19:40:38 CST 2010
Hello Corey -
You have some typos in the configuration file.
You should have:
DbDir /etc/radiator
And the parameters in the AuthBy clauses are case sensitive.
The messages in the log show you what the problems are.
regards
Hugh
On 29 Jan 2010, at 11:58, Corey Gray wrote:
> Sorry, I posted the wrong configuration file. The correct file is below.
>
> LogDir /var/log/radius
> Dir /etc/radiator
>
> Trace 5
> #Trace 3
> <Client 192.168.xxx.xxx >
> Secret mysecretpasswordhere
> </Client>
> # requests will be processed here
> # define Realm(s) or Handler(s)
> <Handler>
> # use AuthBy LDAP2 for AD
> <AuthBy NTLM>
> #always connect to one of TSA AU server
> host kermit beaker
> #Connect Via SSL port
> Port 636
> #Authenticate Radius Server
> AuthDN Radiator_Username
> AuthPassword Radiator_Password
> #Start search Here
> BaseDN ou=_TSA,ou=Users
> #Use UID to match names
> UsernameAttr uid
> PasswordAttr
>
> </AuthBy>
> </Handler>
>
> Regards
>
> Corey
>
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Corey Gray
> Sent: Friday, 29 January 2010 10:51 AM
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] Windows AD authentication with radius
>
> I have done as suggested and it seems I am running into more problems. Here is a Trace 5:
>
> Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'Dir' in /etc/radiator/radius.cfg line 2
> Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'host' in /etc/radiator/radius.cfg line 15
> Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'Port' in /etc/radiator/radius.cfg line 17
> Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'AuthDN' in /etc/radiator/radius.cfg line 19
> Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'AuthPassword' in /etc/radiator/radius.cfg line 20
> Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'BaseDN' in /etc/radiator/radius.cfg line 22
> Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'UsernameAttr' in /etc/radiator/radius.cfg line 24
> Fri Jan 29 10:48:00 2010: ERR: Unknown keyword 'PasswordAttr' in /etc/radiator/radius.cfg line 25
> Fri Jan 29 10:48:00 2010: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Fri Jan 29 10:48:00 2010: DEBUG: Reading dictionary file '/usr/local/etc/raddb/dictionary'
> Fri Jan 29 10:48:01 2010: NOTICE: Server started: Radiator 4.5.1 on Radiator (LOCKED)
>
>
> It seems that it is reading the dictionary after the config file and therefore doesn't recognize any of the config settings.
>
> Here is my radius.cfg
>
> LogDir /var/log/radius
> Dir /etc/radiator
> DictionaryFile %D/dictionary
> Trace 5
> #Trace 3
> <Client 192.168.XX.XX >
> Secret mysecret
> </Client>
> # requests will be processed here
> # define Realm(s) or Handler(s)
> <Handler>
> # use AuthBy NTLM for AD
> <AuthBy NTLM>
> Domain TSA
> Default Domain TSA
> NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> </AuthBy>
> </Handler>
>
> I'm assuming client is my access point's IP?
>
> Any help is greatly appreciated
>
> Regards
>
> Corey
>
>
>
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Alexander Hartmaier
> Sent: Thursday, 28 January 2010 6:55 PM
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] Windows AD authentication with radius
>
> I'd suggest using AuthBy LDAP2 to be able to limit the allowed users to
> groups or other user attributes (like not-locked, ...).
>
> --
> Best regards, Alex
>
>
> On Thursday, 28.01.2010, 01:23 +0100, Hugh Irvine wrote:
>> Hello Corey -
>>
>> There are typos in your configuration file for the <Client ...> - and you should probably use AuthBy NTLM.
>>
>> The configuration file should look more like this:
>>
>> .....
>>
>> # the Client clause(s) list the devices from which we will accept RADIUS requests
>>
>> <Client 1.1.1.1>
>> Secret somesecret
>> .....
>> </Client>
>>
>> # requests will be processed here
>> # define Realm(s) or Handler(s)
>>
>> <Handler>
>> # use AuthBy NTLM for AD
>> <AuthBy NTLM>
>> .....
>> </AuthBy>
>> </Handler>
>>
>>
>> There is also already some process using ports 1645 and 1646 which you will need to terminate before you can run Radiator on these ports.
>>
>> See section 5.65 in the Radiator 4.5.1 reference manual ("doc/ref.pdf") and the example configuration file in "goodies/ntlm.cfg" and "goodies/ntlm_eap_*.cfg".
>>
>> regards
>>
>> Hugh
>>
>>
>>
>> On 28 Jan 2010, at 09:43, Corey Gray wrote:
>>
>>> Hi,
>>> I have just been asked to test Radiator to secure our wireless network. The requirement is to authenticate users from AD using their common name. I have tried to configure this in the config file but am having a bit of trouble getting Radiator to parse the file correctly (I'm sure my file is inconsistent with Radiator's requirements). Config details:
>>>
>>>
>>> Platform RHEL 5.3
>>> Radiator 4.4
>>>
>>> LogDir /var/log/radius
>>> DbDir /etc/radiator
>>> Trace 4
>>>
>>> <client DEFAULT>
>>> <AuthBy ADSI>
>>> BindString LDAP://cn=%0,cn=users,dc=tsa,dc=com,dc=au
>>> AuthUser cn=%0,cn=users,dc=tsa,dc=com,dc=au
>>> AuthFlags 0
>>> </AuthBy>
>>> secret testpass
>>> DupInterval 0
>>> <Realm tsa.com.au>
>>>
>>> </Realm>
>>> <Realm DEFAULT>
>>> </Realm>
>>>
>>> Wed Jan 27 21:51:50 2010: ERR: Unknown object 'client' in /etc/radiator/Radd.cfg line 5
>>> Wed Jan 27 21:51:50 2010: DEBUG: Finished reading configuration file '/etc/radiator/Radd.cfg'
>>> Wed Jan 27 21:51:51 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
>>> Wed Jan 27 21:51:52 2010: DEBUG: Creating authentication port 0.0.0.0:1645
>>> Wed Jan 27 21:51:52 2010: ERR: Could not bind authentication socket: Address already in use
>>> Wed Jan 27 21:51:52 2010: DEBUG: Creating accounting port 0.0.0.0:1646
>>> Wed Jan 27 21:51:52 2010: ERR: Could not bind accounting socket: Address already in use
>>> Wed Jan 27 21:51:52 2010: NOTICE: Server started: Radiator 4.4 on radiator.tsa.com.au (LOCKED)
>>>
>>> My question:
>>>
>>> What modules do I need for AD auth and what is required in the config file for this to work?
>>>
>>> I'm aware of the dictionary issue and that is soon to be resolved :)
>>>
>>> Thanks in advance
>>>
>>> Corey
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>
>
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
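As an added illustration of Hugh's two points (the directory keyword is DbDir, not Dir, and clause and parameter names are case sensitive), here is a small Python checker that is not part of Radiator or of this thread. It walks a config the way the "Unknown keyword" errors in Corey's traces suggest the parser does: names must match exactly, and a parameter that belongs to AuthBy LDAP2 is unknown inside AuthBy NTLM. The keyword table is an assumption assembled only from the clauses seen in this thread, and the sample config is constructed.

```python
import re
# Partial, case-sensitive keyword table from this thread only (assumption: not Radiator's full list).
KNOWN = {
    "": {"LogDir", "DbDir", "DictionaryFile", "Trace"},
    "Client": {"Secret", "DupInterval"}, "Handler": set(), "Realm": set(),
    "AuthBy NTLM": {"Domain", "DefaultDomain", "NtlmAuthProg"},
    "AuthBy LDAP2": {"Host", "Port", "AuthDN", "AuthPassword",
                     "BaseDN", "UsernameAttr", "PasswordAttr"},
}
OBJECTS = {k.split()[0] for k in KNOWN if k}
CLAUSE_RE = re.compile(r"<(/?)(\w+)(?:\s+([^\s>]+))?\s*>$")

def explain(tokens, clause):
    """Explain a rejected keyword, suggesting a fix where the table has one."""
    kw, joined = tokens[0], "".join(tokens[:2])
    for scope, words in KNOWN.items():          # same word, wrong case?
        for w in words:
            if w.lower() == kw.lower():
                where = "" if scope == clause else f" (valid in {scope or 'top level'})"
                return f"unknown keyword '{kw}': did you mean '{w}'{where}?"
    if joined in KNOWN.get(clause, ()):         # 'Default Domain' -> DefaultDomain
        return f"unknown keyword '{kw}': did you mean '{joined}'?"
    return f"unknown keyword '{kw}' in {clause or 'top level'}"

def check_config(text):
    """Return [(line_no, message)] for clauses and keywords Radiator would reject."""
    problems, stack = [], [""]
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLAUSE_RE.match(line)
        if m and m.group(1):                      # closing tag
            if len(stack) > 1: stack.pop()
        elif m:                                   # opening tag, name is case sensitive
            name, arg = m.group(2), m.group(3)
            if name not in OBJECTS:
                problems.append((n, f"unknown object '{name}'"))
            stack.append(f"{name} {arg}" if name == "AuthBy" else name)
        elif line.split()[0] not in KNOWN.get(stack[-1], ()):
            problems.append((n, explain(line.split(), stack[-1])))
    return problems

# Constructed sample, cut down from the configs posted in this thread.
SAMPLE_CFG = """Dir /etc/radiator
<client 192.168.0.1>
secret mysecret
</client>
<AuthBy NTLM>
host kermit
Default Domain TSA
</AuthBy>"""
```

Running `check_config(SAMPLE_CFG)` reports five lines: the unknown top-level Dir, the lowercase client object and secret keyword, host (which only exists, capitalised, in AuthBy LDAP2) and the split "Default Domain".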