[RADIATOR] eap auth against active directory

James Zee jameszee13 at gmail.com
Wed Oct 17 19:10:46 CDT 2012


Hugh,

Yes, that is correct. This capture was taken before the change (second link
that contains configuration in my previous post). Now I have this handler:


<Handler User-Name=/^host\//>
    <AuthBy RADIUS>
        Host 10.136.234.80
        Secret mysecret
        AuthPort 1812
        AcctPort 1813
    </AuthBy>
</Handler>


The Trace 4 shows that the RADIUS request is being proxied. NPS is still
sending an ACCESS-REJECT, though.

Is the handler configuration above appropriate for NPS /
machine-authentication? Also, is there a way to log RADIUS requests that
hit this handler? No matter what log directives I put in the handler,
Radiator doesn't seem to log anything and simply sends the RADIUS request
to NPS without touching it / logging.

Thoughts?

Thanks!
-james



On Wed, Oct 17, 2012 at 6:39 PM, Hugh Irvine <hugh at open.com.au> wrote:

>
> Hello James -
>
> The problem is here:
>
>
>         • Mon Oct 15 01:20:47 2012 564812: DEBUG: Packet dump:
>         • *** Received from 10.136.235.240 port 32768 ....
>         • Code:       Access-Request
>         • Identifier: 47
>         • Authentic:  %wa<14><212>v<209>S<143>a<132>z<21><194>5`
>         • Attributes:
>
>         •     User-Name = "/DLAR-PBBZNB8.some.tld"
>
>
> The User-Name attribute does not have "host" at the beginning, so you
> never use the host-specific Handler.
>
> What is happening in the debug is this inner authentication is being
> converted and only the MS-CHAP is being proxied, leading to the problem I
> have described previously with NPS thinking this is a user not a machine.
>
> regards
>
> Hugh
>
>
> On 18 Oct 2012, at 05:05, James Zee <jameszee13 at gmail.com> wrote:
>
> > Hugh,
> >
> > I had previously responded to the thread with the requested information,
> but the email response was too large and seems to have gotten lost in the
> mailing list approval process.
> >
> > I've pasted the requested information here:
> >
> > http://pastebin.com/rbXq2Y5Y
> >
> > It's worth noting I've made some progress. The link below has the
> requested information (new configuration file) where a username beginning
> with "host" is immediately proxied to NPS.
> >
> > http://pastebin.com/059A7Zk7
> >
> > I feel I'm getting closer.
> >
> > Two questions:
> >
> > (a) is anything wrong with this machine authentication handler or does
> it look like the correct way to proxy these sorts of requests?
> >
> > (b) is there a way to force Radiator to log information about the RADIUS
> request even though we're proxying it via RADIUS to NPS?
> >
> > I'm still not having luck with machine-based authentication, but I
> believe this may be a configuration issue on NPS.
> >
> > Thoughts appreciated.
> >
> > Thanks!
> > -james
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc.
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
>
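Added example (not from the thread, Radiator or NPS): a small Python model of the packet dump and Handler selection discussed above. It encodes a minimal RFC 2865 Access-Request with a User-Name attribute, decodes the header (Code, Identifier, Authenticator) and attribute list the way the Trace 4 dump prints them, and applies the same `^host/` test the Handler uses, so it shows concretely why the User-Name "/DLAR-PBBZNB8.some.tld" from Hugh's quoted dump never reaches the host-specific Handler. The function names, the identifier 48 for the second sample, and the random Authenticator are constructed for the example.

```python
import os
import re
import struct

# Same regex as the Radiator Handler line "User-Name=/^host\//": the Handler
# is only selected when the User-Name attribute starts with "host/".
HOST_HANDLER_PATTERN = re.compile(r"^host/")

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_USER_NAME = 1  # RFC 2865 attribute type for User-Name


def build_access_request(identifier, user_name, authenticator=None):
    """Encode a minimal Access-Request that carries only a User-Name AVP.

    Header layout (RFC 2865): Code(1) Identifier(1) Length(2) Authenticator(16),
    followed by attributes as Type(1) Length(1) Value.
    """
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: random per request
    name = user_name.encode("utf-8")
    avp = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    length = 20 + len(avp)
    return struct.pack("!BBH", 1, identifier, length) + authenticator + avp


def parse_radius(packet):
    """Decode the header and attribute list; rejects malformed length fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("Length field does not match packet size")
    authenticator = packet[4:20]
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past end of packet")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {
        "code": RADIUS_CODES.get(code, code),
        "identifier": identifier,
        "authenticator": authenticator,
        "attributes": attrs,
    }


def user_name_of(parsed):
    """Return the decoded User-Name value, or None if the request has none."""
    for atype, value in parsed["attributes"]:
        if atype == ATTR_USER_NAME:
            return value.decode("utf-8", errors="replace")
    return None


def select_handler(parsed):
    """Mirror Handler selection: 'host' if the machine-auth Handler matches, else 'default'."""
    name = user_name_of(parsed)
    if name is not None and HOST_HANDLER_PATTERN.search(name):
        return "host"
    return "default"


if __name__ == "__main__":
    # Identifier 47 and this User-Name are the values from the quoted Trace 4 dump.
    for ident, name in ((47, "/DLAR-PBBZNB8.some.tld"),
                        (48, "host/DLAR-PBBZNB8.some.tld")):
        parsed = parse_radius(build_access_request(ident, name))
        print("Code:       ", parsed["code"])
        print("Identifier: ", parsed["identifier"])
        print("User-Name = ", repr(user_name_of(parsed)))
        print("Handler:    ", select_handler(parsed))
        print()
```

Running it prints the first request (the one from the dump) landing in the default Handler and only the second, whose User-Name carries the "host/" prefix, landing in the host Handler; that is the condition Hugh points to in his reply.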