[RADIATOR] Authby LSA and groups not working (redux)

Johnson, Neil M neil-johnson at uiowa.edu
Fri Oct 1 08:34:32 CDT 2010


Mark,

Thanks for the tip. I can get AuthBy LSA to work for me unless I try to test for group membership, which I need to do in order to assign users to a specific VLAN.

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-johnson at uiowa.edu


> -----Original Message-----
> From: Pearson, Mark [mailto:mark.pearson at ntu.ac.uk]
> Sent: Friday, October 01, 2010 4:13 AM
> To: Mike McCauley; Johnson, Neil M
> Cc: radiator at open.com.au
> Subject: RE: [RADIATOR] Authby LSA and groups not working (redux)
> 
> Hi, I have it working by running Radiator on a server in the domain.
> Note that you need 4.7 to use the magic bit
> UsernameMatchesWithoutRealm.
> Nothing is needed on the actual DCs regarding Radiator in our case.
> 
> <Handler TunnelledByPEAP=1>
>  <AuthBy LSA>
>   ### The next line strips the @realm portion to allow AD to authenticate against it
>   UsernameMatchesWithoutRealm
>   EAPType MSCHAP-V2
>  </AuthBy>
> </Handler>
> 
> ### This is the outer request where usernames like username@ntu.ac.uk are captured
> 
> <Handler Realm=somewhere.ac.uk>
>  <AuthBy FILE>
>   Filename %D/users
> 
>   ### This tells the PEAP client what types of inner EAP requests we will honour
>   EAPType PEAP, TTLS
>   EAPTLS_CAFile %D/certificates/terenasslca.pem
>   EAPTLS_CertificateFile %D/certificates/final-cert.pem
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile %D/certificates/mykey.pem
>   EAPTLS_PrivateKeyPassword
>   EAPTLS_MaxFragmentSize 1000
>   AutoMPPEKeys
>   SSLeayTrace 4
>   EAPTLS_PEAPVersion 0
> 
>   ### Added EAPAnonymous %{User-Name} to the outer AuthBy
>   ### This will send the outer username as the inner username
>   ### (instead of "anonymous")
>   EAPAnonymous %{User-Name}
> 
>  </AuthBy>
> </Handler>
> 
> 
> regards
> Mark Pearson
> Senior Technical Support Analyst
> Information Systems
> Nottingham Trent University
> 
> tel: 0115 8488287
> 
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Mike McCauley
> Sent: 01 October 2010 01:03
> To: Johnson, Neil M
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> 
> Hello Neil,
> 
> On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> > No, I'm running it on a member server.
> >
> > Our AD administrators are very reluctant to run applications on PDCs
> > and BDCs. I can ask but I don't think I will get permission.
> >
> > Will it work on a BDC ?
> >
> > If not, do I have any other options ? Currently I'm using Radiator to
> > proxy 802.1X requests to Juniper Steel-Belted Radius in order to
> > re-write VLAN attributes. I was kind of hoping to eliminate SBR in
> > part to simplify support for Eduroam.
> 
> Tests here show that it works OK on any domain member provided that the
> user who is running the script is logged in to the domain.
> 
> Cheers.
> 
> >
> > Thanks.
> >
> > -Neil
> >
> > -----Original Message-----
> > From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Mike McCauley
> > Sent: Wednesday, September 29, 2010 9:22 PM
> > To: radiator at open.com.au
> > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> >
> > Hello Neil,
> >
> > tests here show that your script (suitably modified) works provided
> > you run it on the PDC as the administrator.
> >
> > Is that how you are testing?
> >
> > Cheers.
> >
> > On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> > > I whipped up a script based on what I could find in the source code
> > > to test group membership and it doesn't seem to matter if the group
> > > is local or global, it can't find it:
> > >
> > > #!c:\perl64\bin\perl.exe
> > >
> > > use strict;
> > > use warnings;
> > > use Win32::NetAdmin;
> > >
> > > my $User   = "nmjoo";
> > > my $Group  = "ITS-WIRELESS";
> > > my $Domain = "IOWA";
> > > my $Server = "";    # filled in by GetDomainController, e.g. \\IOWADC1
> > >
> > > print "Getting Domain Controller\n";
> > > Win32::NetAdmin::GetDomainController("", $Domain, $Server);
> > > print "Domain Controller for Domain $Domain is $Server\n";
> > >
> > > print "Checking to see if user: $User is member of Group: $Group\n";
> > > # GroupIsMember checks global groups, LocalGroupIsMember checks local groups
> > > if (   Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
> > >     || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User) ) {
> > >     print "$User is Member of group $Group\n";
> > > } else {
> > >     print "$User is not Member of group $Group\n";
> > > }
> > >
> > > Output:
> > >
> > > C:\Program Files\Radiator>test2.pl
> > > Getting Domain Controller
> > > Domain Controller for Domain IOWA is \\IOWADC1
> > > Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> > > nmjoo is not Member of group ITS-WIRELESS
> > > C:\Program Files\Radiator>
> 
> 
> 
> --
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
> 

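An added example, not part of this thread and not Radiator's own code: a stand-alone probe in the spirit of Neil's test2.pl that reports why a membership check fails, rather than only that it did. It uses the thread's example values (domain IOWA, group ITS-WIRELESS, user nmjoo) as stand-ins. Win32::NetAdmin returns false both when the user is genuinely not a member and when the lookup itself fails, so the probe reads GetError() after each call to tell the two apart, and it tries both the global-group call (GroupIsMember, backed by NetGroupGetUsers) and the local-group call (LocalGroupIsMember, backed by NetLocalGroupGetMembers) with both the bare and the DOMAIN\user name forms.

```perl
#!c:\perl64\bin\perl.exe
# Added diagnostic, not from the thread or from Radiator. Probes the same
# Win32::NetAdmin calls a group check would use and reports *why* it fails.
# Domain, group and user are the thread's example values (assumed here).
use strict;
use warnings;
use Win32;
use Win32::NetAdmin;

my ($Domain, $Group, $User) = ('IOWA', 'ITS-WIRELESS', 'nmjoo');

# Win32::NetAdmin functions return false on failure and leave the NET_API_STATUS
# in GetError(). NERR_* codes (2100 and up) live in netmsg.dll, which
# Win32::FormatMessage does not search, so fall back to the raw number.
sub describe_error {
    my $err = Win32::NetAdmin::GetError();
    return 'not a member (group read OK)' unless $err;
    my $text = Win32::FormatMessage($err) || 'NERR_* code, see lmerr.h';
    $text =~ s/\s+$//;
    return "lookup failed, error $err ($text)";
}

# Locate a DC for the domain; the returned name carries the leading \\.
my $DC = '';
Win32::NetAdmin::GetDomainController('', $Domain, $DC)
    or die "No domain controller found for $Domain: " . describe_error() . "\n";
print "Domain controller for $Domain is $DC\n";

# GroupIsMember reads global groups; LocalGroupIsMember reads domain local
# groups on a DC and machine local groups on a member server, whose members
# are stored as DOMAIN\user. Try each scope with each name form so the
# output shows which combination actually matches.
my %fn = (
    GroupIsMember      => \&Win32::NetAdmin::GroupIsMember,
    LocalGroupIsMember => \&Win32::NetAdmin::LocalGroupIsMember,
);
my @checks = (
    ['GroupIsMember',      $DC, $User],
    ['GroupIsMember',      $DC, "$Domain\\$User"],
    ['LocalGroupIsMember', $DC, $User],
    ['LocalGroupIsMember', $DC, "$Domain\\$User"],
    ['LocalGroupIsMember', '',  "$Domain\\$User"],   # group on this member server
);

my $matched = 0;
for my $check (@checks) {
    my ($name, $server, $who) = @$check;
    my $where = $server eq '' ? 'local machine' : $server;
    if ($fn{$name}->($server, $Group, $who)) {
        print "MATCH: $name($where, $Group, $who)\n";
        $matched = 1;
        last;
    }
    printf "no:    %-18s %-14s %-20s %s\n", $name, $where, $who, describe_error();
}

# If nothing matched, list the group so the stored member name form is visible.
unless ($matched) {
    my @members;
    if (Win32::NetAdmin::GroupGetMembers($DC, $Group, \@members)) {
        print "Global group $Group on $DC: @members\n";
    } elsif (Win32::NetAdmin::LocalGroupGetMembersWithDomain($DC, $Group, \@members)) {
        print "Domain local group $Group on $DC: @members\n";
    } else {
        print "Cannot enumerate $Group on $DC: " . describe_error() . "\n";
    }
}

exit($matched ? 0 : 1);
```

Run it under the same account the Radiator service uses. If every line reports a lookup error rather than "not a member", the caller's rights against the DC are the problem, not the group; if the group reads fine but no form matches, the member listing at the end shows the name form the directory actually stores.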

