[RADIATOR] Authby LSA and groups not working (redux)

Johnson, Neil M neil-johnson at uiowa.edu
Fri Oct 1 17:03:27 CDT 2010


In summary,

- User "nmjoo" is a member of the group "ITS-WIRELESS-IOWA".
- Group "ITS-WIRELESS-IOWA" is a member of the group "ITS-WIRELESS".
- User "spong" is a member of the group "ITS-WIRELESS".

Then

Win32::NetAdmin::GroupIsMember("", "ITS-WIRELESS", "spong") and AuthByLSA Succeeds
Win32::NetAdmin::GroupIsMember("", "ITS-WIRELESS-IOWA", "nmjoo") and AuthByLSA Succeeds 
Win32::NetAdmin::GroupIsMember("", "ITS-WIRELESS", "nmjoo") and AuthByLSA Fails

I created a bug (#61838) for the Win32::NetAdmin module on CPAN, but it could be tricky because you could create a loop with nested groups.

Thanks.

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-johnson at uiowa.edu
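
The nested case in the summary above (nmjoo reaches ITS-WIRELESS only through ITS-WIRELESS-IOWA) and the loop hazard raised with the CPAN bug, worked through as an added Python example. It is not part of this thread, of Radiator, or of Win32::NetAdmin. It uses a constructed in-memory group table standing in for the directory's member data (the names are the ones from the thread plus a deliberately cyclic pair, G-LOOP-A and G-LOOP-B, which are made up here); direct_members is the hypothetical one-hop lookup that an LDAP or ADSI query would replace in a real deployment.

```python
"""Transitive (nested) group membership with a cycle guard.

Constructed example: GROUPS stands in for the directory's group
membership data. Each key is a group; each value is its list of direct
members, which may be users or other groups. The pair G-LOOP-A and
G-LOOP-B is a deliberate loop so the guard can be seen doing its job.
"""
from collections import deque

# Constructed sample data modelled on the groups named in the thread.
GROUPS = {
    "ITS-WIRELESS": ["spong", "ITS-WIRELESS-IOWA", "G-LOOP-A"],
    "ITS-WIRELESS-IOWA": ["nmjoo"],
    "G-LOOP-A": ["G-LOOP-B"],          # constructed cycle: A -> B -> A
    "G-LOOP-B": ["G-LOOP-A", "alice"],
}


def direct_members(group):
    """One-hop lookup (hypothetical). In production this is a single read
    of the group's member attribute; here it is a dictionary lookup."""
    return GROUPS.get(group, [])


def is_direct_member(group, user):
    """What a flat check sees: the group's own member list, no nesting.
    This is the behaviour the thread observed for nmjoo in ITS-WIRELESS."""
    return user in direct_members(group)


def is_transitive_member(group, user):
    """Breadth-first walk down nested groups.

    `visited` is the cycle guard: a group already expanded is never
    queued again, so A -> B -> A terminates, and a group reachable along
    several paths (a diamond) is read only once.
    """
    visited = set()
    queue = deque([group])
    while queue:
        current = queue.popleft()
        if current in visited:
            continue
        visited.add(current)
        for member in direct_members(current):
            if member == user:
                return True
            # Only entries that are themselves groups get expanded.
            if member in GROUPS and member not in visited:
                queue.append(member)
    return False


def transitive_members(group):
    """Every user reachable from `group`: the audit view of what an
    authorization rule keyed on that group actually grants."""
    users = set()
    visited = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        for member in direct_members(current):
            if member in GROUPS:
                stack.append(member)
            else:
                users.add(member)
    return users


if __name__ == "__main__":
    for user in ("spong", "nmjoo", "alice"):
        print(user,
              "direct:", is_direct_member("ITS-WIRELESS", user),
              "transitive:", is_transitive_member("ITS-WIRELESS", user))
    print("ITS-WIRELESS grants:", sorted(transitive_members("ITS-WIRELESS")))
```

A flat check such as GroupIsMember answers is_direct_member; a Group directive that is meant to cover nested groups needs is_transitive_member, and the visited set is the piece that keeps cyclic or diamond-shaped nesting from recursing forever. transitive_members is the view worth reviewing before pointing an authorization rule at a group, since it lists everyone the rule will admit, including users who arrive through a group nobody remembers nesting.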


> -----Original Message-----
> From: Johnson, Neil M
> Sent: Friday, October 01, 2010 12:42 PM
> To: Johnson, Neil M; Mike McCauley
> Cc: radiator at open.com.au
> Subject: RE: [RADIATOR] Authby LSA and groups not working (redux)
> 
> Actually it's because we have nested groups in the Universal group.
> 
> If I use an account that is in the base group list, it works, but if
> I use an account that is in a group that is in the Universal group,
> it doesn't work.
> 
> Still, the solution looks like it will require LDAP lookup(s).
> 
> -Neil
> 
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: neil-johnson at uiowa.edu
> 
> 
> > -----Original Message-----
> > From: Johnson, Neil M
> > Sent: Friday, October 01, 2010 10:02 AM
> > To: Johnson, Neil M; Mike McCauley
> > Cc: radiator at open.com.au
> > Subject: RE: [RADIATOR] Authby LSA and groups not working (redux)
> >
> > Okay,
> >
> > I think I may have found the issue.
> >
> > The group I'm trying to query is an Active Directory "Universal"
> > Group. If I query a "Global" group it works.
> >
> > It appears that Win32::NetAdmin does not support "Universal" Groups
> > and that the only solution is to perform an LDAP or ADSI query.
> >
> > -Neil
> >
> >
> > --
> > Neil Johnson
> > Network Engineer
> > Information Technology Services
> > The University of Iowa
> > Work: 319 384-0938
> > Mobile: 319 540-2081
> > Fax: 319 355-2618
> > E-mail: neil-johnson at uiowa.edu
> >
> >
> > > -----Original Message-----
> > > From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Johnson, Neil M
> > > Sent: Friday, October 01, 2010 8:46 AM
> > > To: Mike McCauley
> > > Cc: radiator at open.com.au
> > > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> > >
> > > Mike,
> > >
> > > I'm running with my domain account (which has Administrator
> > > privileges) on the server with the "Act as part of the operating
> > > system" flag set.
> > >
> > > Authentication works as long as I don't use a "Group" Directive.
> > >
> > > I'm not sure how to proceed in debugging this.
> > >
> > > -Neil
> > >
> > >
> > > --
> > > Neil Johnson
> > > Network Engineer
> > > Information Technology Services
> > > The University of Iowa
> > > Work: 319 384-0938
> > > Mobile: 319 540-2081
> > > Fax: 319 355-2618
> > > E-mail: neil-johnson at uiowa.edu
> > >
> > >
> > > > -----Original Message-----
> > > > From: Mike McCauley [mailto:mikem at open.com.au]
> > > > Sent: Thursday, September 30, 2010 7:03 PM
> > > > To: Johnson, Neil M
> > > > Cc: radiator at open.com.au
> > > > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> > > >
> > > > Hello Neil,
> > > >
> > > > On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> > > > > No, I'm running it on a member server.
> > > > >
> > > > > Our AD administrators are very reluctant to run applications on
> > > > > PDCs and BDCs. I can ask but I don't think I will get permission.
> > > > >
> > > > > Will it work on a BDC ?
> > > > >
> > > > > If not, do I have any other options? Currently I'm using Radiator
> > > > > to proxy 802.1X requests to Juniper Steel-Belted Radius in order
> > > > > to re-write VLAN attributes. I was kind of hoping to eliminate SBR
> > > > > in part to simplify support for Eduroam.
> > > >
> > > > Tests here show that it works OK on any domain member provided that
> > > > the user who is running the script is logged in to the domain.
> > > >
> > > > Cheers.
> > > >
> > > > >
> > > > > Thanks.
> > > > >
> > > > > -Neil
> > > > >
> > > > > --
> > > > > Neil Johnson
> > > > > Network Engineer
> > > > > Information Technology Services
> > > > > The University of Iowa
> > > > > Work: 319 384-0938
> > > > > Mobile: 319 540-2081
> > > > > Fax: 319 355-2618
> > > > > E-mail: neil-johnson at uiowa.edu
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On
> > > > > Behalf Of Mike McCauley
> > > > > Sent: Wednesday, September 29, 2010 9:22 PM
> > > > > To: radiator at open.com.au
> > > > > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> > > > >
> > > > > Hello Neil,
> > > > >
> > > > > tests here show that your script (suitably modified) works provided
> > > > > you run it on the PDC as the administrator.
> > > > >
> > > > > Is that how you are testing?
> > > > >
> > > > > Cheers.
> > > > >
> > > > > On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> > > > > > I whipped up a script based on what I could find in the source
> > > > > > code to test group membership and it doesn't seem to matter if
> > > > > > the group is local or global, it can't find it:
> > > > > >
> > > > > > #!c:\perl64\bin\perl.exe
> > > > > >
> > > > > > use strict;
> > > > > > use Win32::NetAdmin;
> > > > > >
> > > > > > my $User = "nmjoo";
> > > > > > my $Group = "ITS-WIRELESS";
> > > > > > my $Domain = "IOWA";
> > > > > > my $Server = "";
> > > > > >
> > > > > > # Ask for a domain controller for $Domain; the name comes back in $Server.
> > > > > > print "Getting Domain Controller\n";
> > > > > > Win32::NetAdmin::GetDomainController("", $Domain, $Server);
> > > > > > print "Domain Controller for Domain $Domain is $Server\n";
> > > > > >
> > > > > > # Check both global (GroupIsMember) and local (LocalGroupIsMember) groups.
> > > > > > print "Checking to see if user: $User is member of Group: $Group\n";
> > > > > > if ( Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
> > > > > >      || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
> > > > > >     print "$User is Member of group $Group";
> > > > > > }
> > > > > > else {
> > > > > >     print "$User is not Member of group $Group";
> > > > > > }
> > > > > >
> > > > > > Output:
> > > > > >
> > > > > > C:\Program Files\Radiator>test2.pl
> > > > > > Getting Domain Controller
> > > > > > Domain Controller for Domain IOWA is \\IOWADC1
> > > > > > Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> > > > > > nmjoo is not Member of group ITS-WIRELESS
> > > > > > C:\Program Files\Radiator>
> > > > > > --
> > > > > > Neil Johnson
> > > > > > Network Engineer
> > > > > > Information Technology Services
> > > > > > The University of Iowa
> > > > > > Work: 319 384-0938
> > > > > > Mobile: 319 540-2081
> > > > > > Fax: 319 355-2618
> > > > > > E-mail: neil-johnson at uiowa.edu
> > > >
> > > >
> > > >
> > > > --
> > > > Mike McCauley                               mikem at open.com.au
> > > > Open System Consultants Pty. Ltd
> > > > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> > > > http://www.open.com.au
> > > > Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
> > > >
> > > > Radiator: the most portable, flexible and configurable RADIUS server
> > > > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > > > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > > > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > > > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> > > > NetWare etc.
> > > _______________________________________________
> > > radiator mailing list
> > > radiator at open.com.au
> > > http://www.open.com.au/mailman/listinfo/radiator