[RADIATOR] eap auth against active directory

James jtp at nc.rr.com
Wed Oct 17 20:37:45 CDT 2012


Hugh,

Looks like my logging configuration may have been incorrect. Let me
keep tinkering with it and if I can't figure it out I'll start a new
thread.

Unfortunately because of the issues that host authentication is
causing we've had to move over to an NTLM-based authentication
configuration for now. Do you know of a way to create a fake
machine-authentication scenario so that I can test Radiator and then
get you a Trace 4? I can't figure out a way to mimic a machine-auth
request using either radpwtst or eapol_test.

Thoughts?

Thanks!
-james


On Wed, Oct 17, 2012 at 8:59 PM, Hugh Irvine <hugh at open.com.au> wrote:
>
> Hello James -
>
> As long as the User-Name contains "host/...." this Handler should be called provided another Handler doesn't catch it.
>
> Without seeing the debug and the corresponding configuration file I can't really say much else.
>
> If you have "Trace 4" in your configuration file you will see the debug in the log file. What exactly do you want to log?
>
> regards
>
> Hugh
>
>
> On 18 Oct 2012, at 11:10, James Zee <jameszee13 at gmail.com> wrote:
>
>> Hugh,
>>
>> Yes, that is correct. This capture was taken before the change (second link that contains configuration in my previous post). Now I have this handler:
>>
>>
>> <Handler User-Name=/^host\//>
>>     <AuthBy RADIUS>
>>         Host 10.136.234.80
>>         Secret mysecret
>>         AuthPort 1812
>>         AcctPort 1813
>>     </AuthBy>
>> </Handler>
>>
>>
>> The Trace 4 shows that the RADIUS request is being proxied. NPS is still sending an ACCESS-REJECT, though.
>>
>> Is the handler configuration above appropriate for NPS / machine-authentication? Also, is there a way to log RADIUS requests that hit this handler? No matter what log directives I put in the handler, Radiator doesn't seem to log anything and simply sends the RADIUS request to NPS without touching it / logging.
>>
>> Thoughts?
>>
>> Thanks!
>> -james
>>
>>
>>
>> On Wed, Oct 17, 2012 at 6:39 PM, Hugh Irvine <hugh at open.com.au> wrote:
>>
>> Hello James -
>>
>> The problem is here:
>>
>>
>>         Mon Oct 15 01:20:47 2012 564812: DEBUG: Packet dump:
>>         *** Received from 10.136.235.240 port 32768 ....
>>         Code:       Access-Request
>>         Identifier: 47
>>         Authentic:  %wa<14><212>v<209>S<143>a<132>z<21><194>5`
>>         Attributes:
>>             User-Name = "/DLAR-PBBZNB8.some.tld"
>>
>>
>> The User-Name attribute does not have "host" at the beginning, so you never use the host-specific Handler.
>>
>> What is happening in the debug is this inner authentication is being converted and only the MS-CHAP is being proxied, leading to the problem I have described previously with NPS thinking this is a user not a machine.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 18 Oct 2012, at 05:05, James Zee <jameszee13 at gmail.com> wrote:
>>
>> > Hugh,
>> >
>> > I had previously responded to the thread with the requested information, but the email response was too large and seems to have gotten lost in the mailing list approval process.
>> >
>> > I've pasted the requested information here:
>> >
>> > http://pastebin.com/rbXq2Y5Y
>> >
>> > It's worth noting I've made some progress. The link below has the requested information (new configuration file) where a username beginning with "host" is immediately proxied to NPS.
>> >
>> > http://pastebin.com/059A7Zk7
>> >
>> > I feel I'm getting closer.
>> >
>> > Two questions:
>> >
>> > (a) is anything wrong with this machine authentication handler or does it look like the correct way to proxy these sorts of requests?
>> >
>> > (b) is there a way to force Radiator to log information about the RADIUS request even though we're proxying it via RADIUS to NPS?
>> >
>> > I'm still not having luck with machine-based authentication, but I believe this may be a configuration issue on NPS.
>> >
>> > Thoughts appreciated.
>> >
>> > Thanks!
>> > -james
>> > _______________________________________________
>> > radiator mailing list
>> > radiator at open.com.au
>> > http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>> --
>>
>> Hugh Irvine
>> hugh at open.com.au
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc.
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>
>>
>
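The Handler selection discussed in the thread above, as an added illustration that is not Radiator code or part of the original posts: it parses the User-Name out of a constructed Trace 4 style packet dump and applies the same `^host/` check item, showing why the identity quoted by Hugh falls through to a catch-all Handler while a "host/"-prefixed identity would hit the proxy Handler. The dump text, the handler names and the catch-all entry are assumptions made for the example.

```python
import re

# Constructed sample in the shape of a Radiator "Trace 4" packet dump (not
# the thread's real log); the User-Name value is the one quoted in the thread.
SAMPLE_DUMP = """\
DEBUG: Packet dump:
*** Received from 10.136.235.240 port 32768 ....
Code:       Access-Request
Identifier: 47
Attributes:
    User-Name = "/DLAR-PBBZNB8.some.tld"
    NAS-IP-Address = 10.136.235.240
"""

# Check items modelled on the thread's <Handler User-Name=/^host\//> plus an
# assumed catch-all; Radiator tries Handlers in file order, first match wins.
HANDLERS = [
    ("machine-auth-proxy", re.compile(r"^host/")),
    ("default", re.compile(r"")),  # empty pattern matches any User-Name
]

def parse_attributes(dump):
    """Return {name: value} for the indented 'Name = value' lines of a dump."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r'^\s+([\w-]+)\s*=\s*(.*)$', line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # strip the quotes Radiator prints
            attrs[name] = value
    return attrs

def select_handler(user_name, handlers=HANDLERS):
    """Return the name of the first Handler whose User-Name check matches."""
    for name, pattern in handlers:
        if pattern.search(user_name):
            return name
    return None

def handler_for_dump(dump):
    """Parse a dump and report which Handler its User-Name would select."""
    return select_handler(parse_attributes(dump).get("User-Name", ""))

if __name__ == "__main__":
    print(handler_for_dump(SAMPLE_DUMP))                 # default
    print(select_handler("host/DLAR-PBBZNB8.some.tld"))  # machine-auth-proxy
```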