[RADIATOR] Radiator evaluation-Authenticate and Authorize LDAP users using SASL EXTERNAL bind to network switch
Pramod Kulkarni
pramod.kulkarni at in.abb.com
Tue Apr 30 01:38:53 CDT 2013
Hello,
I wanted to know how you do SASL EXTERNAL binding to an LDAP server through Radiator for a network switch.
I have added the SSL client certificate and SSL CA certificate in the Radiator path.
Below are the further details of the Radiator configuration (radius.cfg):
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
# Authenticate all realms with this
<Realm DEFAULT>
<AuthBy LDAP2>
# Tell Radiator how to talk to the LDAP server
Host localhost
# Tell the LDAP server to authenticate the LDAP bind
# with SASL:
UseSASL
# When you are using SASL authentication to connect to
# the LDAP server, Radiator will
# use AuthDN and AuthPassword to authenticate using
# SASL instead of the default simple authentication.
# In this example, we have
# configured a SASL user called mikem into the SASL
# user database using saslpasswd2. In order for
# openldap to map the SASL user 'mikem' to the same
# privileges as the LDAP manager (and hence have
# access to protected password fields etc), you would need
# something like this in your OpenLDAP configuration
# (typically /etc/openldap/slapd.conf):
#AuthDN uid=admin,ou=Users,dc=vmbox,dc=int
#AuthPassword admin
# You can also control which SASL mechanisms are
# acceptable for SASL authentication. SASLMechanism is
# a space separated list of mechanism names supported
# by Authen::SASL, such as ANONYMOUS CRAM-MD5
# DIGEST-MD5 EXTERNAL LOGIN PLAIN.
# Defaults to DIGEST-MD5. If you change this you may
# need to change your SASL->LDAP user mapping
SASLMechanism EXTERNAL
# This the top of the search tree where users
# will be found. It should match the configuration
# of your server, see /etc/openldap/slapd.conf
BaseDN dc=vmbox, dc=int
# This is the LDAP attribute to match the radius user name
UsernameAttr cn
# If you dont specify ServerChecksPassword, you
# need to tell Radiator which attribute in the LDAP
# database contains
# the users correct password. It can be plaintext or encrypted
PasswordAttr userPassword
# This tells AuthBy LDAP2 not to check the users password,
# ie that LDAP is just used to store check or reply items
# and the authentication happens elsewhere
# Requires latest patches to Radiator 3.11
#NoCheckPassword
# On some (most?) LDAP servers, you can tell AuthBy
# LDAP to keep the connection to the server up for as
# long as possible, and not close it after each
# authentication. This can improve performance,
# especially where UseTLS or USeSSL are in
# operation. Not all servers can support this, so if you
# enable it and things don't work right: disable it
# again.
HoldServerConnection
# You can use CheckAttr, ReplyAttr and AuthAttrDef
# to specify check and reply attributes in the LDAP
# database. See the reference manual for more
# information
#AuthAttrDef ipaddress,Framed-IP-Address,reply
# These are the classic things to add to each users
# reply to allow a PPP dialup session. It may be
# different for your NAS. This will add some
# reply items to everyone's reply
AddToReply Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP
# You can enable debugging of the Net::LDAP
# module with this, which will dump LDAP requests
# sent to and from the LDAP server
Debug 255
# With LDAP2 and perl-ldap 0.22 and better on Unix/Linux,
# you can enable SSL or TLS.
# See http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
# for assistance on how to generate certificates and
# configure openldap for SSL and/or TLS
# To use SSL, set these
#UseSSL
#SSLCAClientCert C:/Program Files/Radiator/ldapcertificates/admin.pem
#SSLCAClientKey C:/Program Files/Radiator/ldapcertificates/admin.pem
# and one of
#SSLCAFile C:/Program Files/Radiator/ldapcertificates/demoCA/cacert.pem
# SSLCAPath /path/to/file/containing/certificate/of/CA
# (certificates must be in PEM format)
# To use TLS, set these
UseTLS
SSLVerify optional
SSLCAClientCert C:/Radiator/ldapcertificates/admin.crt
SSLCAClientKey C:/Radiator/ldapcertificates/admin.key
# and one of
SSLCAFile C:/Radiator/ldapcertificates/demoCA/cacert.pem
#SSLCAPath C:/Program Files/Radiator/ldapcertificates/
# (certificates must be in PEM format)
# These set the corresponding parameters in the
# LDAPS connection (see perl-ldap docs)
# Requires IO::Socket::SSL, Net::SSLeay and openssl
# You can control the timeout for connection failure,
# plus the backoff time after failure. Timeout defaults
# to 10 secs and FailureBackoffTime to 10 mins
#Timeout 2
# FailureBackoffTime 10
# With PostSearchHook you can do your own processing
# of the LDAP data.
# Arg 0 is the AuthBy LDAP object
# Arg 1 is the user name being authenticated
# Arg 2 is the received request packet
# Arg 3 is the user object holding check and reply
# items for this user
# Arg 4 is the search results handle, whose type
# depends on whether its LDAP, LDAP2, or LDAPSDK
#PostSearchHook sub {print "PostSearchHook @_\n";\
# my $attr = $_[4]->get('someldapattr');\
# print "get attribute $attr\n";}
# You can control the LDAP protocol version to be used
# to talk to the LDAP server. OpenLDAP 2 requires
# Version 3 unless you have 'allow bind_v2' in your
# slapd.conf. Defaults to version 2
Version 3
# You can specify the maximum number of LDAP records
# that match the search that will be used for
# check and reply items. Only the first will be
# used for ServerChecksPassword. Defaults to 1
#MaxRecords 2
</AuthBy>
</Realm>
I used radpwtst to authenticate a user tina on the LDAP server:
C:\Perl\bin>perl radpwtst -user tina -password turner -framed_ip_address 127.0.0.1 -nas_identifier 127.0.0.1 -nas_ip_address 127.0.0.1
I would like to check a user in the LDAP server using a SASL bind with the admin certificate, basically an EXTERNAL bind mechanism.
My log file is throwing this error:
Tue Apr 30 11:48:15 2013: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Apr 30 11:48:15 2013: DEBUG: Deleting session for tina, 127.0.0.1, 1234
Tue Apr 30 11:48:15 2013: DEBUG: Handling with Radius::AuthLDAP2:
Tue Apr 30 11:48:15 2013: INFO: Connecting to localhost:389
Tue Apr 30 11:48:15 2013: DEBUG: Starting TLS
Tue Apr 30 11:48:16 2013: ERR: StartTLS failed: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Apr 30 11:48:16 2013: ERR: Could not open LDAP connection to localhost:389. Backing off for 600 seconds.
Tue Apr 30 11:48:16 2013: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
Tue Apr 30 11:48:20 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 50487 ....
Code: Accounting-Request
Identifier: 91
Authentic: <238><255><164>.<208><21>G<212>dhd<215><225>c<165><7>
Attributes:
User-Name = "tina"
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "127.0.0.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Framed-IP-Address = 127.0.0.1
Acct-Delay-Time = 0
Tue Apr 30 11:48:20 2013: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Apr 30 11:48:20 2013: DEBUG: Adding session for tina, 127.0.0.1, 1234
Tue Apr 30 11:48:20 2013: DEBUG: Handling with Radius::AuthLDAP2:
Tue Apr 30 11:48:20 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
Tue Apr 30 11:48:20 2013: DEBUG: Accounting accepted
Tue Apr 30 11:48:20 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 50487 ....
If I disable TLS, then restarting Radiator throws a "SASL mechanism not supported" error (-4).
Let me know if I can configure the switch as mentioned above through Radiator; if possible, provide a specific example.
Waiting for your inputs.
Pramod Kulkarni
ABB Global Industries and Services Limited
Whitefield Road Block 1
560048, Bangalore, Karnataka, INDIA
Phone: +91 80 67579950
Mobile: +919663733663
email: pramod.kulkarni at in.abb.com
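The StartTLS error above ("SSL3_GET_SERVER_CERTIFICATE:certificate verify failed") is raised on the Radiator side when the LDAP server's certificate cannot be verified against the CA given in SSLCAFile. The script below is an added troubleshooting example, not part of the original post and not Radiator's own code: it builds a throwaway PKI with the openssl command-line tool (a demoCA that signs a server certificate for localhost and an admin client certificate, plus an unrelated otherCA), then checks the two things that must hold before an EXTERNAL bind over TLS can work: the server certificate chains to the CA file, and the client certificate and key belong together. The file names demoCA, admin.crt and admin.key only mirror the paths in the configuration; every certificate is generated locally, and the only assumption is that openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post or from Radiator): diagnose the
# certificate conditions behind a StartTLS "certificate verify failed" error.
# Radiator checks the LDAP server's certificate against SSLCAFile, so the server
# cert must chain to that CA; for SASL EXTERNAL the client cert (SSLCAClientCert)
# and key (SSLCAClientKey) must also be a matching pair.
# All certificates are throwaway ones generated into a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA NAME CN: leaf certificate with subject CN, signed by CA
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# chain_ok CAFILE CERT: succeeds if CERT verifies against CAFILE
# (the same trust check Radiator performs with SSLCAFile during StartTLS)
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# keypair_ok CERT KEY: succeeds if the RSA modulus in CERT equals the one in KEY
keypair_ok() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Throwaway PKI: demoCA signs the LDAP server cert and the admin client cert;
# otherCA is an unrelated CA standing in for a wrong SSLCAFile.
make_ca demoCA
make_ca otherCA
issue_cert demoCA server localhost
issue_cert demoCA admin admin

# check_all: print one line per check; succeed only if the correct setup passes,
# the wrong-CA case fails as expected, and the client cert/key pair matches
check_all() {
    rc=0
    if chain_ok "$WORK/demoCA.crt" "$WORK/server.crt"; then
        echo "server cert chains to demoCA: OK"
    else
        echo "server cert chains to demoCA: FAIL"; rc=1
    fi
    if chain_ok "$WORK/otherCA.crt" "$WORK/server.crt"; then
        echo "server cert against unrelated CA: unexpectedly OK"; rc=1
    else
        echo "server cert against unrelated CA: certificate verify failed (expected)"
    fi
    if keypair_ok "$WORK/admin.crt" "$WORK/admin.key"; then
        echo "admin.crt / admin.key match: OK"
    else
        echo "admin.crt / admin.key match: FAIL"; rc=1
    fi
    return $rc
}

check_all
```

To apply this to a real deployment, run chain_ok with the file named in SSLCAFile and a copy of the LDAP server's certificate, and keypair_ok with the files named in SSLCAClientCert and SSLCAClientKey. Note that openssl verify as used here checks only the trust chain and validity dates; it does not check that the certificate's name matches the Host directive, which is a separate condition.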