[RADIATOR] Radiator/TACACS+ via ADSI

Kim, Steve steve.kim at davispolk.com
Wed Nov 9 09:37:14 CST 2011


Hugh,

Thanks for your response.
I have tried LSA with the following config and it did not work.

<AuthBy LSA>
		Identifier LSA
		Domain xxx.xxx.xxx
		Group networking_staff
		UsernameMatchesWithoutRealm
		EAPType MSCHAP-V2
</AuthBy>

It generated the following error:

Wed Nov  9 10:29:32 2011: DEBUG:  Deleting session for stevekim, 127.0.0.1,
Wed Nov  9 10:29:32 2011: DEBUG: Handling with Radius::AuthLSA: LSA
Wed Nov  9 10:29:32 2011: DEBUG: Radius::AuthLSA looks for match with stevekim [stevekim]
Wed Nov  9 10:29:32 2011: WARNING: Could not LogonUserNetworkPAP: The handle is invalid.

Wed Nov  9 10:29:32 2011: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA Password check failed: stevekim [stevekim]
Wed Nov  9 10:29:32 2011: DEBUG: AuthBy LSA result: REJECT, AuthBy LSA Password check failed
Wed Nov  9 10:29:32 2011: INFO: Access rejected for stevekim: AuthBy LSA Password check failed
Wed Nov  9 10:29:32 2011: DEBUG: Packet dump:

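The debug trace above shows the usual shape of a Radiator reject: a WARNING from the AuthBy module (here the LogonUserNetworkPAP call failing with an invalid handle) followed a few lines later by the generic "Access rejected ... Password check failed" INFO line. When reviewing traces from a `-trace 4` run, it helps to pair each reject with the WARNINGs logged while that request was being handled, so a server-side failure of the LSA call is not mistaken for a user typing a wrong password. The following is an added example, not code from the post and not part of Radiator; it assumes only the `<timestamp>: <LEVEL>: <message>` line format visible in the trace, and the sample log is constructed from the lines quoted above with the wrapping removed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the debug lines quoted in the post above, with the
# 80-column wrapping removed so each event sits on one line.
SAMPLE_LOG = """\
Wed Nov  9 10:29:32 2011: DEBUG:  Deleting session for stevekim, 127.0.0.1,
Wed Nov  9 10:29:32 2011: DEBUG: Handling with Radius::AuthLSA: LSA
Wed Nov  9 10:29:32 2011: DEBUG: Radius::AuthLSA looks for match with stevekim [stevekim]
Wed Nov  9 10:29:32 2011: WARNING: Could not LogonUserNetworkPAP: The handle is invalid.
Wed Nov  9 10:29:32 2011: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA Password check failed: stevekim [stevekim]
Wed Nov  9 10:29:32 2011: DEBUG: AuthBy LSA result: REJECT, AuthBy LSA Password check failed
Wed Nov  9 10:29:32 2011: INFO: Access rejected for stevekim: AuthBy LSA Password check failed
"""

# One Radiator log line: "<timestamp>: <LEVEL>: <message>" (format assumed from the post).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): +(?P<msg>.*)$"
)
HANDLING_RE = re.compile(r"^Handling with (?P<module>[\w:]+): (?P<identifier>.*)$")
REJECT_RE = re.compile(r"^Access rejected for (?P<user>\S+): (?P<reason>.*)$")


@dataclass
class Rejection:
    """One rejected request, with the WARNINGs logged while it was being handled."""
    ts: str
    user: str
    reason: str
    authby: Optional[str]            # e.g. "Radius::AuthLSA"
    warnings: List[str] = field(default_factory=list)


def triage_rejects(log_text: str) -> List[Rejection]:
    """Pair each 'Access rejected' INFO line with the WARNINGs that preceded it
    in the same request, so the root cause is visible next to the symptom."""
    rejections: List[Rejection] = []
    current_authby: Optional[str] = None
    pending_warnings: List[str] = []

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation lines, packet dumps, etc.
        level, msg = m.group("level"), m.group("msg").rstrip()

        h = HANDLING_RE.match(msg)
        if h:
            # A new AuthBy starts handling: forget warnings from earlier requests.
            current_authby = h.group("module")
            pending_warnings = []
            continue

        if level == "WARNING":
            pending_warnings.append(msg)
            continue

        r = REJECT_RE.match(msg)
        if r:
            rejections.append(Rejection(
                ts=m.group("ts"),
                user=r.group("user"),
                reason=r.group("reason"),
                authby=current_authby,
                warnings=list(pending_warnings),
            ))
            pending_warnings = []
    return rejections


def rejects_per_user(log_text: str) -> Dict[str, int]:
    """Reject counts per username, the usual input to a brute-force or lockout alert."""
    return dict(Counter(rej.user for rej in triage_rejects(log_text)))


if __name__ == "__main__":
    for rej in triage_rejects(SAMPLE_LOG):
        print(f"{rej.ts}: {rej.user} rejected by {rej.authby}: {rej.reason}")
        for w in rej.warnings:
            print(f"    root-cause hint: {w}")
    print(rejects_per_user(SAMPLE_LOG))
```

Run it against a saved `-log_stdout` trace and a reject that carries an attached WARNING from the AuthBy module points at the server or domain side rather than at the user's credentials; rejects with no WARNING are the ones worth feeding into a per-user failure-rate alert.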
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: Tuesday, November 08, 2011 3:00 PM
To: Kim, Steve
Cc: 'radiator at open.com.au'
Subject: Re: [RADIATOR] Radiator/TACACS+ via ADSI


Hi Steve -

I suggest you use the AuthBy LSA clause as it is more flexible, and you can do the Group check directly with it.

To see what is happening for debugging it is simplest to run radiusd by hand in a terminal window like this so you see the debug log:

	cd /your/Radiator/distribution

	perl radiusd -foreground -log_stdout -trace 4 -config_file /your/Radiator/configuration/file

	.....

regards

Hugh



On 9 Nov 2011, at 05:28, Kim, Steve wrote:

> Hi experts,
>  
> I'm testing Radiator/TACACS+ via authentication from AD with ADSI.
> I'd like to accomplish that only a group member in AD can authenticate.
> Can someone take a look at the following config and see if there is(are) any error(s)?
>  
> Thanks in advance.
>  
> So, here is my radius.cfg where I need your expertise.
>  
> <AuthBy ADSI>
>           
>            Identifier ADSI
>           
>            BindString  LDAP://ou=Users,ou=xxx Users,dc=xx,dc=xx,dc=xx
>             AuthUser %0
>             AuthFlags 1
> </AuthBy >
>  
> <ServerTACACSPLUS >
>              AddToRequest NAS-Identifier=TACACS
>      
>              GroupMemberAttr tacacsGroup
>             
>              AuthorizationTimeout 600
>             
>       BindAddress 0.0.0.0
>       GroupCacheFile %L/radiator-tacacs-usergroup.cache
>       IdleTimeout 180
>       MaxBufferSize 100000
>       PasswordPrompt Password:
>       Port 49
>       SingleSession 1
>       UsernamePrompt Username:
>  
>       <Log FILE>
>             Filename %L/logfile-tacacs
>             Trace 4
>       </Log>
> </ServerTACACSPLUS>
>  
> <Handler NAS-Identifier=TACACS>
>         <AuthBy FILE>
>             Filename %D/users.groups
>         </AuthBy>
>             AcctLogFileName %D/detail
> </Handler>
>  
> Here is users.groups:
>  
> DEFAULT Auth-Type=ADSI, Group="networking_staff"
>  
>  
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
