[RADIATOR] Radiator evaluation-Authenticate and Authorize LDAP users using SASL EXTERNAL bind to network switch

Pramod Kulkarni pramod.kulkarni at in.abb.com
Tue Apr 30 02:40:56 CDT 2013


Thanks for the reply,

I have used the CA file from the certificate hierarchy.
I have my own cacert.pem; I have not used the Radiator cacert.pem. With
this cacert.pem I generated the admin.crt and admin.key files.
This cacert.pem is used to start the LDAP server and also the RADIUS server to
authenticate the LDAP users.

Waiting for your inputs.

Regards


Pramod Kulkarni
ABB Global Industries and Services Limited
Whitefield Road Block 1
560048, Bangalore, Karnataka, INDIA
Phone: +91 80 67579950
Mobile: +919663733663
email: pramod.kulkarni at in.abb.com



From:   Sami Keski-Kasari <samikk at open.com.au>
To:     Pramod Kulkarni/INCRC/ABB at ABB
Cc:     radiator at open.com.au
Date:   04/30/2013 12:46 PM
Subject:        Re: [RADIATOR] Radiator evaluation-Authenticate and 
Authorize LDAP users using SASL EXTERNAL bind to network switch



Hello Pramod, 

I think that the problem is in your certificate settings.
You have:
                SSLCAClientCert C:/Radiator/ldapcertificates/admin.crt
                SSLCAClientKey C:/Radiator/ldapcertificates/admin.key
So you seem to have your own host certificates for your RADIUS server.

But then you have this:
                SSLCAFile C:/Radiator/ldapcertificates/demoCA/cacert.pem
which seems to me to mean that you are using the CA file that comes with Radiator.

You have to use the CA file from your certificate hierarchy.

Thanks, 
 Sami

30.04.2013 09:38, Pramod Kulkarni wrote:
Hello,
I wanted to know how you do SASL EXTERNAL binding to an LDAP server through
Radiator for a network switch.
I have added the SSL client certificate and SSL CA certificate in the Radiator
path.



Below are the further details of the Radiator configuration:

radius.cfg 
<Client DEFAULT> 
        Secret        mysecret 
        DupInterval 0 
</Client> 

# Authenticate all realms with this
<Realm DEFAULT> 
        <AuthBy LDAP2> 
                # Tell Radiator how to talk to the LDAP server 
                Host                localhost 

                # Tell the LDAP server to authenticate the LDAP bind 
                # with SASL: 
                UseSASL 

                # When you are using SASL authentication to connect to
                # the LDAP server, Radiator will
                # use AuthDN and AuthPassword to authenticate using
                # SASL instead of the default simple authentication.
                # In this example, we have
                # configured a SASL user called mikem into the SASL
                # user database using saslpasswd2. In order for
                # openldap to map the SASL user 'mikem' to the same
                # privileges as the LDAP manager (and hence have
                # access to protected password fields etc), you would need
                # something like this in your OpenLDAP configuration
                # (typically /etc/openldap/slapd.conf):
                #AuthDN uid=admin,ou=Users,dc=vmbox,dc=int
                #AuthPassword admin

                # You can also control which SASL mechanisms are 
                # acceptable for SASL authentication. SASLMechanism is 
                # a space separated list of mechanism names supported 
                # by Authen::SASL, such as ANONYMOUS CRAM-MD5 
                # DIGEST-MD5 EXTERNAL LOGIN PLAIN. 
                # Defaults to DIGEST-MD5. If you change this you may 
                # need to change your SASL->LDAP user mapping 
                SASLMechanism EXTERNAL 

                # This is the top of the search tree where users
                # will be found. It should match the configuration
                # of your server, see /etc/openldap/slapd.conf
                BaseDN                dc=vmbox, dc=int

                # This is the LDAP attribute to match the radius user name
                UsernameAttr        cn

                # If you don't specify ServerChecksPassword, you
                # need to tell Radiator which attribute in the LDAP
                # database contains
                # the user's correct password. It can be plaintext or
                # encrypted
                PasswordAttr    userPassword
 
                # This tells AuthBy LDAP2 not to check the user's password,
                # ie that LDAP is just used to store check or reply items
                # and the authentication happens elsewhere
                # Requires latest patches to Radiator 3.11
                #NoCheckPassword

                # On some (most?) LDAP servers, you can tell AuthBy
                # LDAP to keep the connection to the server up for as
                # long as possible, and not close it after each
                # authentication. This can improve performance,
                # especially where UseTLS or UseSSL are in
                # operation. Not all servers can support this, so if you
                # enable it and things don't work right: disable it
                # again.
                HoldServerConnection
 
                # You can use CheckAttr, ReplyAttr and AuthAttrDef 
                # to specify check and reply attributes in the LDAP 
                # database. See the reference manual for more 
                # information 
                #AuthAttrDef ipaddress,Framed-IP-Address,reply 

                # These are the classic things to add to each user's
                # reply to allow a PPP dialup session. It may be
                # different for your NAS. This will add some
                # reply items to everyone's reply
                AddToReply Framed-Protocol = PPP,\ 
                        Framed-IP-Netmask = 255.255.255.255,\ 
                        Framed-Routing = None,\ 
                        Framed-MTU = 1500,\ 
                        Framed-Compression = Van-Jacobson-TCP-IP 

                # You can enable debugging of the Net::LDAP 
                # module with this, which will dump LDAP requests 
                # sent  to and from the LDAP server 
                Debug 255 

                # With LDAP2 and perl-ldap 0.22 and better on Unix/Linux,
                # you can enable SSL or TLS.
                # See http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
                # for assistance on how to generate certificates and
                # configure openldap for SSL and/or TLS
                # To use SSL, set these
                #UseSSL
                #SSLCAClientCert C:/Program Files/Radiator/ldapcertificates/admin.pem
                #SSLCAClientKey C:/Program Files/Radiator/ldapcertificates/admin.pem
                # and one of
                #SSLCAFile C:/Program Files/Radiator/ldapcertificates/demoCA/cacert.pem
                # SSLCAPath /path/to/file/containing/certificate/of/CA
                #  (certificates must be in PEM format)
 
                # To use TLS, set these 
                UseTLS 
                SSLVerify optional 
                SSLCAClientCert C:/Radiator/ldapcertificates/admin.crt 
                SSLCAClientKey C:/Radiator/ldapcertificates/admin.key 
                # and one of 
                SSLCAFile C:/Radiator/ldapcertificates/demoCA/cacert.pem 
                #SSLCAPath C:/Program Files/Radiator/ldapcertificates/ 
                #  (certificates must be in PEM format) 
                # These set the corresponding parameters in the 
                # LDAPS connection (see perl-ldap docs) 
                # Requires IO::Socket::SSL, Net::SSLeay and openssl 

                # You can control the timeout for connection failure,
                # plus the backoff time after failure. Timeout defaults
                # to 10 secs and FailureBackoffTime to 10 mins
                #Timeout 2
                # FailureBackoffTime 10

                # With PostSearchHook you can do your own processing 
                # of the LDAP data. 
                # Arg 0 is the AuthBy LDAP object 
                # Arg 1 is the user name being authenticated 
                # Arg 2 is the received request packet 
                # Arg 3 is the user object holding check and reply 
                #  items for this user 
                # Arg 4 is the search results handle, whose type
                #   depends on whether it's LDAP, LDAP2, or LDAPSDK
                #PostSearchHook sub {print "PostSearchHook @_\n";\ 
                #        my $attr = $_[4]->get('someldapattr');\ 
                #        print "get attribute $attr\n";} 

                # You can control the LDAP protocol version to be used 
                # to talk to the LDAP server. OpenLDAP 2 requires 
                # Version 3 unless you have 'allow bind_v2' in your 
                # slapd.conf. Defaults to version 2  
                Version 3 

                # You can specify the maximum number of LDAP records
                # that match the search that will be used for
                # check and reply items. Only the first will be
                # used for ServerChecksPassword. Defaults to 1
                #MaxRecords 2
        </AuthBy> 
</Realm> 

I used radpwtst for authenticating a user tina of the LDAP server.
C:\Perl\bin>perl radpwtst -user tina -password turner -framed_ip_address 127.0.0.1 -nas_identifier 127.0.0.1 -nas_ip_address 127.0.0.1

I would like to check a user in the LDAP server using SASL bind with the admin
certificate, basically an external bind mechanism.

My log file is throwing this error:

Tue Apr 30 11:48:15 2013: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Apr 30 11:48:15 2013: DEBUG:  Deleting session for tina, 127.0.0.1, 1234
Tue Apr 30 11:48:15 2013: DEBUG: Handling with Radius::AuthLDAP2:
Tue Apr 30 11:48:15 2013: INFO: Connecting to localhost:389
Tue Apr 30 11:48:15 2013: DEBUG: Starting TLS
Tue Apr 30 11:48:16 2013: ERR: StartTLS failed: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Apr 30 11:48:16 2013: ERR: Could not open LDAP connection to localhost:389. Backing off for 600 seconds.
Tue Apr 30 11:48:16 2013: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
Tue Apr 30 11:48:20 2013: DEBUG: Packet dump: 
*** Received from 127.0.0.1 port 50487 .... 
Code:       Accounting-Request 
Identifier: 91 
Authentic:  <238><255><164>.<208><21>G<212>dhd<215><225>c<165><7>
Attributes: 
        User-Name = "tina" 
        Service-Type = Framed-User 
        NAS-IP-Address = 127.0.0.1 
        NAS-Identifier = "127.0.0.1" 
        NAS-Port = 1234 
        NAS-Port-Type = Async 
        Acct-Session-Id = "00001234" 
        Acct-Status-Type = Start 
        Called-Station-Id = "123456789" 
        Calling-Station-Id = "987654321" 
        Framed-IP-Address = 127.0.0.1 
        Acct-Delay-Time = 0 

Tue Apr 30 11:48:20 2013: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Apr 30 11:48:20 2013: DEBUG:  Adding session for tina, 127.0.0.1, 1234
Tue Apr 30 11:48:20 2013: DEBUG: Handling with Radius::AuthLDAP2: 
Tue Apr 30 11:48:20 2013: DEBUG: AuthBy LDAP2 result: ACCEPT, 
Tue Apr 30 11:48:20 2013: DEBUG: Accounting accepted 
Tue Apr 30 11:48:20 2013: DEBUG: Packet dump: 
*** Sending to 127.0.0.1 port 50487 .... 

If I disable TLS and then restart Radiator, it throws a "SASL mechanism not
supported" error (-4).

Let me know if I can configure the switch as mentioned above through
Radiator; if possible, provide a specific example.

Waiting for your inputs.

Pramod Kulkarni
ABB Global Industries and Services Limited
Whitefield Road Block 1
560048, Bangalore, Karnataka, INDIA
Phone: +91 80 67579950
Mobile: +919663733663
email: pramod.kulkarni at in.abb.com



_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator


-- 
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
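Sami's diagnosis above (SSLCAFile has to be the CA at the top of the hierarchy that issued the LDAP server's certificate, or StartTLS fails with "certificate verify failed" before any SASL EXTERNAL bind is attempted) can be reproduced with a throwaway PKI. This is an added example, not code from the thread or from Radiator; it assumes the openssl command-line tool is installed, and the file names real-ca.pem, demo-ca.pem and ldap.crt are constructed stand-ins for the thread's own cacert.pem, demoCA/cacert.pem and the LDAP server certificate.

```shell
#!/bin/sh
# Added example (not from the thread): show why the CA file handed to the
# StartTLS client must be the one that signed the LDAP server certificate.
# Assumes the openssl CLI; every certificate is generated here (constructed).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA that really issued the LDAP server certificate (stands in for the
# poster's own cacert.pem).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Real LDAP CA" -keyout real-ca.key -out real-ca.pem 2>/dev/null
# Unrelated CA (stands in for the demoCA/cacert.pem shipped with Radiator).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Radiator demoCA" -keyout demo-ca.key -out demo-ca.pem 2>/dev/null
# LDAP server certificate, issued by the real CA only.
openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
  -keyout ldap.key -out ldap.csr 2>/dev/null
openssl x509 -req -in ldap.csr -CA real-ca.pem -CAkey real-ca.key \
  -CAcreateserial -days 1 -out ldap.crt 2>/dev/null

# verify_with_ca CAFILE CERT: succeeds only if CERT chains to CAFILE.
# This is the same path validation the TLS client performs on the
# server certificate during StartTLS, using SSLCAFile as the trust anchor.
verify_with_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Correct SSLCAFile: the server's own CA hierarchy.
if verify_with_ca real-ca.pem ldap.crt; then
  echo "real-ca.pem: ldap.crt verifies OK"
else
  echo "real-ca.pem: unexpected verification failure"; exit 1
fi
# Wrong SSLCAFile: the demo CA never signed ldap.crt, so StartTLS would
# abort here, exactly as the Radiator log in the thread shows.
if verify_with_ca demo-ca.pem ldap.crt; then
  echo "demo-ca.pem: unexpected success"; exit 1
else
  echo "demo-ca.pem: certificate verify failed (as in the Radiator log)"
fi
```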