[RADIATOR] Radiator evaluation-Authenticate and Authorize LDAP users using SASL EXTERNAL bind to network switch
Pramod Kulkarni
pramod.kulkarni at in.abb.com
Tue Apr 30 02:40:56 CDT 2013
Thanks for the reply.
I have used the CA file from the certificate hierarchy.
I have my own cacert.pem; I have not used the Radiator cacert.pem. Using
this cacert.pem I generated the admin.crt and admin.key files.
This cacert.pem is used to start the LDAP server and also the RADIUS server to
authenticate the LDAP users.
Waiting for your inputs.
Regards
Pramod Kulkarni
ABB Global Industries and Services Limited
Whitefield Road Block 1
560048, Bangalore, Karnataka, INDIA
Phone: +91 80 67579950
Mobile: +919663733663
email: pramod.kulkarni at in.abb.com
From: Sami Keski-Kasari <samikk at open.com.au>
To: Pramod Kulkarni/INCRC/ABB at ABB
Cc: radiator at open.com.au
Date: 04/30/2013 12:46 PM
Subject: Re: [RADIATOR] Radiator evaluation-Authenticate and
Authorize LDAP users using SASL EXTERNAL bind to network switch
Hello Pramod,
I think the problem is in your certificate settings.
You have:
SSLCAClientCert C:/Radiator/ldapcertificates/admin.crt
SSLCAClientKey C:/Radiator/ldapcertificates/admin.key
So you seem to have your own host certificates for your RADIUS server.
But then you have this:
SSLCAFile C:/Radiator/ldapcertificates/demoCA/cacert.pem
which seems to me to be the CA file that comes with Radiator.
You have to use the CA file from your own certificate hierarchy.
Thanks,
Sami
On 30.04.2013 09:38, Pramod Kulkarni wrote:
Hello,
I wanted to know how you do SASL EXTERNAL binding to an LDAP server through
Radiator for a network switch.
I have added the SSL client certificate and SSL CA certificate in the Radiator
path.
Below are further details of the Radiator configuration:
radius.cfg
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
# Authenticate all realms with this
<Realm DEFAULT>
<AuthBy LDAP2>
# Tell Radiator how to talk to the LDAP server
Host localhost
# Tell the LDAP server to authenticate the LDAP bind
# with SASL:
UseSASL
# When you are using SASL authentication to connect to
# the LDAP server, Radiator will
# use AuthDN and AuthPassword to authenticate using
# SASL instead of the default simple authentication.
# In this example, we have
# configured a SASL user called mikem into the SASL
# user database using saslpasswd2. In order for
# openldap to map the SASL user 'mikem' to the same
# privileges as the LDAP manager (and hence have
# access to protected password fields etc), you would need
# something like this in your OpenLDAP configuration
# (typically /etc/openldap/slapd.conf):
#AuthDN uid=admin,ou=Users,dc=vmbox,dc=int
#AuthPassword admin
# You can also control which SASL mechanisms are
# acceptable for SASL authentication. SASLMechanism is
# a space separated list of mechanism names supported
# by Authen::SASL, such as ANONYMOUS CRAM-MD5
# DIGEST-MD5 EXTERNAL LOGIN PLAIN.
# Defaults to DIGEST-MD5. If you change this you may
# need to change your SASL->LDAP user mapping
SASLMechanism EXTERNAL
# This the top of the search tree where users
# will be found. It should match the configuration
# of your server, see /etc/openldap/slapd.conf
BaseDN dc=vmbox, dc=int
# This is the LDAP attribute to match the radius user name
UsernameAttr cn
# If you don't specify ServerChecksPassword, you
# need to tell Radiator which attribute in the LDAP
# database contains the user's correct password.
# It can be plaintext or encrypted
PasswordAttr userPassword
# This tells AuthBy LDAP2 not to check the users password,
# ie that LDAP is just used to store check or reply items
# and the authentication happens elsewhere
# Requires latest patches to Radiator 3.11
#NoCheckPassword
# On some (most?) LDAP servers, you can tell AuthBy
# LDAP to keep the connection to the server up for as
# long as possible, and not close it after each
# authentication. This can improve performance,
# especially where UseTLS or UseSSL are in
# operation. Not all servers can support this, so if you
# enable it and things don't work right: disable it
# again.
HoldServerConnection
# You can use CheckAttr, ReplyAttr and AuthAttrDef
# to specify check and reply attributes in the LDAP
# database. See the reference manual for more
# information
#AuthAttrDef ipaddress,Framed-IP-Address,reply
# These are the classic things to add to each users
# reply to allow a PPP dialup session. It may be
# different for your NAS. This will add some
# reply items to everyone's reply
AddToReply Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP
# You can enable debugging of the Net::LDAP
# module with this, which will dump LDAP requests
# sent to and from the LDAP server
Debug 255
# With LDAP2 and perl-ldap 0.22 and better on Unix/Linux,
# you can enable SSL or TLS.
# See http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
# for assistance on how to generate certificates and
# configure openldap for SSL and/or TLS
# To use SSL, set these
#UseSSL
#SSLCAClientCert C:/Program Files/Radiator/ldapcertificates/admin.pem
#SSLCAClientKey C:/Program Files/Radiator/ldapcertificates/admin.pem
# and one of
#SSLCAFile C:/Program Files/Radiator/ldapcertificates/demoCA/cacert.pem
# SSLCAPath /path/to/file/containing/certificate/of/CA
# (certificates must be in PEM format)
# To use TLS, set these
UseTLS
SSLVerify optional
SSLCAClientCert C:/Radiator/ldapcertificates/admin.crt
SSLCAClientKey C:/Radiator/ldapcertificates/admin.key
# and one of
SSLCAFile C:/Radiator/ldapcertificates/demoCA/cacert.pem
#SSLCAPath C:/Program Files/Radiator/ldapcertificates/
# (certificates must be in PEM format)
# These set the corresponding parameters in the
# LDAPS connection (see perl-ldap docs)
# Requires IO::Socket::SSL, Net::SSLeay and openssl
# You can control the timeout for connection failure,
# plus the backoff time after failure. Timeout defaults
# to 10 secs and FailureBackoffTime to 10 mins
#Timeout 2
# FailureBackoffTime 10
# With PostSearchHook you can do your own processing
# of the LDAP data.
# Arg 0 is the AuthBy LDAP object
# Arg 1 is the user name being authenticated
# Arg 2 is the received request packet
# Arg 3 is the user object holding check and reply
# items for this user
# Arg 4 is the search results handle, whose type
# depends on whether its LDAP, LDAP2, or LDAPSDK
#PostSearchHook sub {print "PostSearchHook @_\n";\
# my $attr = $_[4]->get('someldapattr');\
# print "get attribute $attr\n";}
# You can control the LDAP protocol version to be used
# to talk to the LDAP server. OpenLDAP 2 requires
# Version 3 unless you have 'allow bind_v2' in your
# slapd.conf. Defaults to version 2
Version 3
# You can specify the maximum number of LDAP records
# that match the search that will be used for
# check and reply items. Only the first will be
# used for ServerChecksPassword. Defaults to 1
#MaxRecords 2
</AuthBy>
</Realm>
I used radpwtst to authenticate the user tina from the LDAP server.
C:\Perl\bin>perl radpwtst -user tina -password turner -framed_ip_address 127.0.0.1 -nas_identifier 127.0.0.1 -nas_ip_address 127.0.0.1
I would like to check a user in the LDAP server using a SASL bind with the admin
certificate, basically an EXTERNAL bind mechanism.
My log file is throwing this error:
Tue Apr 30 11:48:15 2013: DEBUG: Handling request with Handler
'Realm=DEFAULT', Identifier ''
Tue Apr 30 11:48:15 2013: DEBUG: Deleting session for tina, 127.0.0.1,
1234
Tue Apr 30 11:48:15 2013: DEBUG: Handling with Radius::AuthLDAP2:
Tue Apr 30 11:48:15 2013: INFO: Connecting to localhost:389
Tue Apr 30 11:48:15 2013: DEBUG: Starting TLS
Tue Apr 30 11:48:16 2013: ERR: StartTLS failed: SSL connect attempt failed
with unknown errorerror:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Apr 30 11:48:16 2013: ERR: Could not open LDAP connection to
localhost:389. Backing off for 600 seconds.
Tue Apr 30 11:48:16 2013: DEBUG: AuthBy LDAP2 result: IGNORE, User
database access error
Tue Apr 30 11:48:20 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 50487 ....
Code: Accounting-Request
Identifier: 91
Authentic: <238><255><164>.<208><21>G<212>dhd<215><225>c<165><7>
Attributes:
User-Name = "tina"
Service-Type = Framed-User
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "127.0.0.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Framed-IP-Address = 127.0.0.1
Acct-Delay-Time = 0
Tue Apr 30 11:48:20 2013: DEBUG: Handling request with Handler
'Realm=DEFAULT', Identifier ''
Tue Apr 30 11:48:20 2013: DEBUG: Adding session for tina, 127.0.0.1, 1234
Tue Apr 30 11:48:20 2013: DEBUG: Handling with Radius::AuthLDAP2:
Tue Apr 30 11:48:20 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
Tue Apr 30 11:48:20 2013: DEBUG: Accounting accepted
Tue Apr 30 11:48:20 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 50487 ....
If I disable TLS, then restarting Radiator throws a "SASL mechanism not
supported" error (-4).
Let me know if I can configure the switch as mentioned above through
Radiator; if possible, provide a specific example.
Waiting for your inputs.
Pramod Kulkarni
--
Sami Keski-Kasari <samikk at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
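Sami's diagnosis (SSLCAFile must name the CA that actually issued the LDAP server's certificate, not the demoCA file shipped with Radiator) can be checked offline with openssl before touching radius.cfg. This is an added example, not code from the thread or from Radiator: it generates two throwaway CAs (hypothetical names myca and democa) and a server certificate issued by myca, then runs openssl verify against each CA file, which is the same chain check IO::Socket::SSL performs during StartTLS.

```shell
#!/bin/sh
# Added example: reproduce "certificate verify failed" with openssl.
# myca   = the CA that issued the LDAP server certificate (hypothetical)
# democa = an unrelated CA, standing in for Radiator's demoCA/cacert.pem
# Requires the openssl CLI; everything is created in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and certificate
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server_cert CA CN: LDAP server key + CSR, signed by CA
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ldap.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -days 1 -out "$WORK/ldap.crt" 2>/dev/null
}

# verify_against CANAME: prints OK when ldap.crt chains to that CA file,
# FAIL otherwise. A FAIL here is exactly what surfaces in the Radiator
# log as "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed".
verify_against() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/ldap.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_ca myca
make_ca democa
issue_server_cert myca ldap.example.test

echo "verify with issuing CA (myca):    $(verify_against myca)"
echo "verify with unrelated CA (democa): $(verify_against democa)"
```

On a live setup, point the verify step at the certificate the LDAP server presents and at the file named by SSLCAFile in radius.cfg; a FAIL means the CA file, not the client certificate, is the thing to change.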