[RADIATOR] eap auth against active directory

Hugh Irvine hugh at open.com.au
Wed Oct 17 19:59:45 CDT 2012


Hello James -

As long as the User-Name contains "host/..." this Handler should be called provided another Handler doesn't catch it.

Without seeing the debug and the corresponding configuration file I can't really say much else.

If you have "Trace 4" in your configuration file you will see the debug in the log file. What exactly do you want to log?

regards

Hugh


On 18 Oct 2012, at 11:10, James Zee <jameszee13 at gmail.com> wrote:

> Hugh,
> 
> Yes, that is correct. This capture was taken before the change (second link that contains configuration in my previous post). Now I have this handler:
> 
> 
> <Handler User-Name=/^host\//>
>     <AuthBy RADIUS>
>         Host 10.136.234.80
>         Secret mysecret
>         AuthPort 1812
>         AcctPort 1813
>     </AuthBy>
> </Handler>
>  
> 
> The Trace 4 shows that the RADIUS request is being proxied. NPS is still sending an ACCESS-REJECT, though.
> 
> Is the handler configuration above appropriate for NPS / machine-authentication? Also, is there a way to log RADIUS requests that hit this handler? No matter what log directives I put in the handler, Radiator doesn't seem to log anything and simply sends the RADIUS request to NPS without touching it / logging.
> 
> Thoughts?
> 
> Thanks!
> -james
> 
> 
> 
> On Wed, Oct 17, 2012 at 6:39 PM, Hugh Irvine <hugh at open.com.au> wrote:
> 
> Hello James -
> 
> The problem is here:
> 
> 
> Mon Oct 15 01:20:47 2012 564812: DEBUG: Packet dump:
> *** Received from 10.136.235.240 port 32768 ....
> Code:       Access-Request
> Identifier: 47
> Authentic:  %wa<14><212>v<209>S<143>a<132>z<21><194>5`
> Attributes:
>     User-Name = "/DLAR-PBBZNB8.some.tld"
> 
> 
> The User-Name attribute does not have "host" at the beginning, so you never use the host-specific Handler.
> 
> What is happening in the debug is this inner authentication is being converted and only the MS-CHAP is being proxied, leading to the problem I have described previously with NPS thinking this is a user not a machine.
> 
> regards
> 
> Hugh
> 
> 
> On 18 Oct 2012, at 05:05, James Zee <jameszee13 at gmail.com> wrote:
> 
> > Hugh,
> >
> > I had previously responded to the thread with the requested information, but the email response was too large and seems to have gotten lost in the mailing list approval process.
> >
> > I've pasted the requested information here:
> >
> > http://pastebin.com/rbXq2Y5Y
> >
> > It's worth noting I've made some progress. The link below has the requested information (new configuration file) where a username beginning with "host" is immediately proxied to NPS.
> >
> > http://pastebin.com/059A7Zk7
> >
> > I feel I'm getting closer.
> >
> > Two questions:
> >
> > (a) is anything wrong with this machine authentication handler or does it look like the correct way to proxy these sorts of requests?
> >
> > (b) is there a way to force Radiator to log information about the RADIUS request even though we're proxying it via RADIUS to NPS?
> >
> > I'm still not having luck with machine-based authentication, but I believe this may be a configuration issue on NPS.
> >
> > Thoughts appreciated.
> >
> > Thanks!
> > -james
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> 
> 


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
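The point Hugh makes above is that Radiator picks the first <Handler> whose User-Name regex matches, so a request whose User-Name is "/DLAR-PBBZNB8.some.tld" (no "host/" prefix) never reaches the machine-authentication Handler. The script below is an added illustration, not Radiator code and not part of this thread: it scans a constructed "Trace 4"-style packet dump (modelled on the one quoted above, with extra packets invented for contrast), pulls out each Access-Request's User-Name, and applies the same first-match handler selection so you can see which Handler each request would land in. The handler names and the catch-all second Handler are assumptions for the example.

```python
import re

# Constructed sample of Radiator "Trace 4" packet-dump lines, modelled on the
# dump quoted in the thread. Identifiers 48 and 49 are invented for contrast.
SAMPLE_TRACE = """\
Mon Oct 15 01:20:47 2012 564812: DEBUG: Packet dump:
*** Received from 10.136.235.240 port 32768 ....
Code:       Access-Request
Identifier: 47
Attributes:
    User-Name = "/DLAR-PBBZNB8.some.tld"
    NAS-IP-Address = 10.136.235.240
Mon Oct 15 01:21:03 2012 564813: DEBUG: Packet dump:
*** Received from 10.136.235.240 port 32768 ....
Code:       Access-Request
Identifier: 48
Attributes:
    User-Name = "host/DLAR-PBBZNB8.some.tld"
Mon Oct 15 01:21:10 2012 564814: DEBUG: Packet dump:
*** Received from 10.136.235.240 port 32768 ....
Code:       Access-Request
Identifier: 49
Attributes:
    User-Name = "jsmith"
"""

# Handlers in configuration order; the first regex that matches wins, which is
# how <Handler User-Name=/regex/> selection behaves. The names and the
# catch-all second entry are assumptions made for this example.
HANDLERS = [
    ("machine-auth (proxy to NPS)", re.compile(r"^host/")),
    ("user-auth (catch-all)", re.compile(r".")),
]


def extract_user_names(trace):
    """Yield (identifier, user_name) for every packet dump in the trace."""
    ident = None
    for raw in trace.splitlines():
        line = raw.strip()
        m = re.match(r"Identifier:\s+(\d+)$", line)
        if m:
            ident = int(m.group(1))
            continue
        m = re.match(r'User-Name = "([^"]*)"$', line)
        if m:
            yield ident, m.group(1)


def select_handler(user_name):
    """Return the name of the first Handler whose regex matches, or None."""
    for name, pattern in HANDLERS:
        if pattern.search(user_name):
            return name
    return None


def classify_trace(trace):
    """Map each Access-Request in the trace to the Handler it would reach."""
    return [(ident, user, select_handler(user))
            for ident, user in extract_user_names(trace)]


if __name__ == "__main__":
    for ident, user, handler in classify_trace(SAMPLE_TRACE):
        print(f"id={ident:<3} User-Name={user!r:<32} -> {handler}")
```

Running it shows identifier 47 (the request from the thread) falling through to the catch-all rather than the machine-auth Handler, while the "host/"-prefixed request 48 is the only one that would be proxied to NPS. Checking the User-Name in the packet dump this way is quicker than reading the whole debug by eye when a Handler seems to be silently skipped.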


