[RADIATOR] Auth by LDAP Ubuntu 12.04 & Radiator 4.10

John Goubeaux goubeaux at education.ucsb.edu
Wed Jul 3 15:42:15 CDT 2013


Hello Folks,

RE: Auth by LDAP issues w/ Ubuntu 12.04 & Radiator 4.10

I am currently running an instance of Radiator 4.4 on Solaris 10 x86. 
This box is also running our current Sun Java Directory Server 
(OSDEE 7). This instance of Radiator is actively using Auth by LDAP 
successfully with TTLS and PAP.

We are wanting to add MSCHAP V2 auth into our infrastructure to AUTH 
against an AD repository of users and for the time being will be 
hosting a separate Radiator instance on Ubuntu 12.04 that has 
Radiator 4.10 running to achieve this. We will use Auth by Radius to 
proxy MSCHAP V2 requests to the new box from the Radiator 4.4 box. To 
completely test this environment we need to spin up an instance of 
Auth by LDAP.

I started with the config from the Radiator 4.4 instance on the 
Solaris box and dropped it into place with Radiator 4.4 on 
Ubuntu 12.04. After many hours of frustration and many errors, 
including build errors with Radiator itself, I decided to try running 
the same config on Radiator 4.10. According to the Radiator docs the 
config is compatible with Radiator 4.10. However, Radiator 4.10 on 
Ubuntu with the config from the Solaris box fails to be able to Auth 
by LDAP and reports "user Not found in LDAP".

I have, however, been able to bind to LDAP from the Ubuntu box using 
ldapsearch, so I am led to believe it is not a networking issue. I 
believe the issue lies in the different libraries and default configs 
of the LDAP client between Solaris and Ubuntu.


So the Questions are:

Are there specific libraries (other than those specified in the 
Radiator 4.10 docs) that I need in order to support LDAP binds to 
the Sun Directory from Ubuntu? I have included the config that I am 
speaking about below.

OR, another way of asking the question: Is anyone successfully 
running Radiator 4.10 on Ubuntu 12.04 AND authing against an Oracle 
DS, and IF so, were there any caveats to the build?


-john



##########                      ##########
#####   Radiator Configuration       #####
#########                       ##########

##      Updated 7/2/13 ms
##      Note this file is derived from pre-testing version provided by mrodrigues


Foreground
LogStdout
LogDir          ./radlogs
DbDir           .
# Use a lower trace level in production systems:
Trace           5


#Bind Address
BindAddress 10.99.1.252

# Port Config
AuthPort 1812
AcctPort 1813


# Below was added on 2/4/13 to catch ALL iterations of logins that are BlackListed.
RewriteUsername         tr/A-Z/a-z/

#These are the subnets from which calls to the RADIUS server are allowed.

<Client localhost>
         Secret testing123
         DupInterval 0
</Client>

<Client 10.99.1.0/24>
	Secret testing123
	DupInterval 0
</Client>


<Handler>
PostProcessingHook file:"%D/eap_acct_username.pl"

<AuthBy LDAP2>
                 #Directory server info
                 Host            directory.foobar.com
                 Port            389
                 BaseDN          ou=People,o=foobar.com

                 #This specifies the attribute that must be present
                 #to allow authentication. Everyone has a uid....
                 UsernameAttr    uid
                 ServerChecksPassword

                 #Allowed EAP Types

                 EAPType         TTLS

                 #Certificate stuff

                 EAPTLS_MaxFragmentSize 1000
                 EAPTLS_CAFile %D/certificates/ca.pem
                 EAPTLS_CertificateType PEM
                 EAPTLS_CertificateFile %D/certificates/ia.pem
                 EAPTLS_PrivateKeyFile %D/certificates/ia.key
                 EAPTLS_MaxFragmentSize 2048

		#This handles auto-negotiation of the WPA keys.
                 AutoMPPEKeys
                 #       EAPTLS_PEAPBrokenV1Label
                 #       EAPTLS_PEAPVersion 0\

                 #This outputs debug info for tracing the TLS handshake, I THINK!
                 SSLeayTrace 4


                 HoldServerConnection
                 Timeout                 2
                 FailureBackoffTime      30
                 Version 3
</AuthBy>

PostProcessingHook file:"%D/eap_acct_username.pl"
</Handler>



-- 
John Goubeaux
Systems Administrator
Gevirtz Graduate School of Education
UC Santa Barbara
Education 4203C
805 893-8190
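Before chasing library differences, it is worth running the posted configuration through a static check: the AuthBy LDAP2 block binds to port 389 with no UseTLS/UseSSL, searches with no AuthDN (an anonymous bind), sets EAPTLS_MaxFragmentSize twice, and runs at Trace 5 despite its own comment. The script below is an added example for this thread, not Radiator's own code or the poster's. It parses Radiator's line-oriented config syntax into nested blocks and reports those points, first over a trimmed copy of the posted config (with the missing `</Handler>` added) and then over a constructed hardened variant whose DN, secret and password values are placeholders. UseTLS, UseSSL, AuthDN, AuthPassword and Trace are real Radiator parameters; the severities and the 16-character secret threshold are this example's choices.

```python
"""Static checks for a Radiator configuration (added example, not Radiator code)."""
import re
from collections import Counter

# Minimal grammar: '<Block arg>' opens, '</Block>' closes, 'Name value' sets, '#' comments.
OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def parse_radiator_config(text):
    """Parse into nested dicts; returns (root, structural_errors).
    Duplicate parameters are kept in order so the checker can see them."""
    root = {"name": "ROOT", "arg": "", "params": [], "children": []}
    stack, errors = [root], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN_RE.match(line):
            node = {"name": m.group(1), "arg": m.group(2).strip(), "params": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif m := CLOSE_RE.match(line):
            if len(stack) > 1 and stack[-1]["name"] == m.group(1):
                stack.pop()
            else:
                errors.append(f"stray closing tag {line}")
        else:
            parts = line.split(None, 1)          # 'Name value' or a bare flag like ServerChecksPassword
            stack[-1]["params"].append((parts[0], parts[1] if len(parts) > 1 else ""))
    for node in stack[1:]:
        errors.append(f"block <{node['name']}> is never closed")
    return root, errors


def _walk(node):
    yield node
    for child in node["children"]:
        yield from _walk(child)


def check_config(text):
    """Return a list of (severity, where, message) findings for a config string."""
    root, errors = parse_radiator_config(text)
    findings = [("error", "structure", e) for e in errors]
    for node in _walk(root):
        where = "global" if node["name"] == "ROOT" else (
            f"<{node['name']} {node['arg']}>" if node["arg"] else f"<{node['name']}>")
        names = [k for k, _ in node["params"]]
        params = dict(node["params"])
        for key, n in Counter(names).items():
            if n > 1:
                vals = ", ".join(v for k, v in node["params"] if k == key)
                findings.append(("warn", where, f"{key} set {n} times ({vals}); "
                                 "only one value can take effect, so the intent is ambiguous"))
        if node["name"] == "ROOT" and params.get("Trace") and int(params["Trace"]) >= 4:
            findings.append(("warn", where, f"Trace {params['Trace']} dumps request attributes "
                             "to the log; lower it outside of debugging"))
        if node["name"] == "Client" and len(params.get("Secret", "")) < 16:
            findings.append(("warn", where, "shared secret is short; use a long random secret"))
        if node["name"] == "AuthBy" and node["arg"] == "LDAP2":
            if "UseTLS" not in names and "UseSSL" not in names:
                findings.append(("high", where, "no UseTLS/UseSSL: LDAP traffic, including the user "
                                 "password when ServerChecksPassword binds as the user, is cleartext"))
            if "AuthDN" not in names:
                findings.append(("info", where, "no AuthDN: the user search runs as an anonymous bind; "
                                 "if the directory denies anonymous searches the user looks 'not found'"))
    return findings


# Constructed sample: the relevant parts of the posted config, with </Handler> added.
POSTED_CFG = """\
Foreground
LogStdout
Trace 5
<Client localhost>
        Secret testing123
</Client>
<Client 10.99.1.0/24>
        Secret testing123
</Client>
<Handler>
<AuthBy LDAP2>
        Host            directory.foobar.com
        Port            389
        BaseDN          ou=People,o=foobar.com
        UsernameAttr    uid
        ServerChecksPassword
        EAPType         TTLS
        EAPTLS_MaxFragmentSize 1000
        EAPTLS_CAFile %D/certificates/ca.pem
        EAPTLS_MaxFragmentSize 2048
        Version 3
</AuthBy>
</Handler>
"""

# Constructed hardened variant; DN, secret and password values are placeholders.
HARDENED_CFG = """\
Trace 3
<Client 10.99.1.0/24>
        Secret REPLACE-WITH-A-LONG-RANDOM-SECRET
</Client>
<Handler>
<AuthBy LDAP2>
        Host            directory.foobar.com
        Port            636
        UseSSL
        AuthDN          cn=radiator,ou=Services,o=foobar.com
        AuthPassword    REPLACE-ME
        BaseDN          ou=People,o=foobar.com
        UsernameAttr    uid
        ServerChecksPassword
        Version 3
</AuthBy>
</Handler>
"""

if __name__ == "__main__":
    for severity, where, msg in check_config(POSTED_CFG):
        print(f"[{severity}] {where}: {msg}")
    print("hardened findings:", check_config(HARDENED_CFG))
```

The anonymous-bind finding is only a candidate explanation for "user Not found in LDAP": a directory that allows anonymous searches from the Solaris host but not from the new Ubuntu host would produce exactly that symptom, and comparing an ldapsearch with `-x` (no bind DN) against one with `-D`/`-W` from the Ubuntu box separates that case from a client-library problem.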