Hello Chris -
I am not quite sure I understand your configuration file.
You say below that you are using EAPTTLS, however your configuration file shows this:
<Handler TunnelledByPEAP=1>
    .....
</Handler>

You also still have the <AuthBy ADSI> clause in your default Handler, which is what is giving the error messages.
Your configuration file should look more like this:
<Handler TunnelledByTTLS=1>
    ....
    # this will deal with the inner authentication
    <AuthBy LSA>
        ....
    </AuthBy>
    .....
</Handler>

<Handler ....>
    .....
    <AuthBy FILE>
        .....
        # this will only check for "anonymous"
        .....
        # must include EAP configuration details
        .....
    </AuthBy>
    .....
</Handler>

regards
Hugh
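As an added example (not from this thread and not Radiator's own code), the following Python lint parses the clause syntax used in these configuration files and reports the two layout problems Hugh points out: an inner handler keyed on TunnelledByPEAP while the outer AuthBy runs EAPType TTLS, and an AuthBy ADSI clause in the outer handler, where the EAP exchange never exposes a plaintext password. The two embedded configurations are constructed samples; the hostnames, addresses, file paths, and the `parse`/`lint` helpers are assumptions.

```python
"""Lint a Radiator-style config for the EAP-TTLS handler layout.

Hypothetical helper written for this thread; not part of Radiator. It
parses the <Clause ...> / Key value / </Clause> syntax and flags an
inner handler keyed on the wrong tunnel type and AuthBy ADSI sitting in
the outer (EAP) handler, where no plaintext password is ever visible.
"""
import re

# Constructed sample, trimmed from the posted layout: inner handler keyed on
# TunnelledByPEAP although the NAS does EAP-TTLS, and AuthBy ADSI doing the
# outer EAP handshake. Addresses, hostnames and the secret are placeholders.
BROKEN_CFG = """
<Client 192.0.2.3>
    Secret placeholder-secret
</Client>
<Handler TunnelledByPEAP=1>
    <AuthBy LSA>
        Domain CHE
    </AuthBy>
</Handler>
<Handler Realm=example.edu>
    <AuthBy ADSI>
        BindString LDAP://dc.example.edu/dc=example,dc=edu
        EAPType TTLS
        EAPTLS_CAFile %D/cert/root.pem
        AutoMPPEKeys
    </AuthBy>
</Handler>
"""

# Constructed sample of the layout Hugh sketches: the tunnelled handler does
# the real (PAP) authentication with LSA; the outer handler only accepts the
# anonymous outer identity and carries the EAP/TLS settings.
FIXED_CFG = """
<Handler TunnelledByTTLS=1>
    <AuthBy LSA>
        Domain CHE
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType TTLS
        EAPTLS_CAFile %D/cert/root.pem
        EAPTLS_CertificateFile %D/cert/server-cert.pem
        EAPTLS_PrivateKeyFile %D/cert/server-key.pem
        AutoMPPEKeys
    </AuthBy>
</Handler>
"""

OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"^</(\w+)>$")


def parse(text):
    """Parse the clause syntax into a tree of dicts.

    Each node is {'tag', 'args', 'params', 'children'}: 'args' is the text
    after the tag name (e.g. 'TunnelledByTTLS=1') and 'params' holds the
    Key value lines directly inside the clause. '#' starts a comment.
    """
    root = {"tag": "ROOT", "args": "", "params": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = CLOSE.match(line)
        if m:
            if stack[-1]["tag"] != m.group(1):
                raise ValueError(f"unexpected </{m.group(1)}>")
            stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            node = {"tag": m.group(1), "args": m.group(2).strip(),
                    "params": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            continue
        key, _, value = line.partition(" ")
        stack[-1]["params"][key] = value.strip()
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1]['tag']}>")
    return root


def lint(text):
    """Return a list of findings; empty when the handler layout is sound."""
    handlers = [c for c in parse(text)["children"] if c["tag"] == "Handler"]
    has_ttls_inner = any(h["args"].startswith("TunnelledByTTLS") for h in handlers)
    findings = []
    for h in handlers:
        if h["args"].startswith("TunnelledBy"):
            continue  # inner handlers receive the decrypted PAP request
        label = h["args"] or "default"
        for auth in (c for c in h["children"] if c["tag"] == "AuthBy"):
            eap = auth["params"].get("EAPType")
            if eap == "TTLS" and not has_ttls_inner:
                findings.append(f"<Handler {label}>: EAPType TTLS but no "
                                "<Handler TunnelledByTTLS=1> to authenticate "
                                "the inner request")
            if auth["args"] == "ADSI" and eap:
                findings.append(f"<Handler {label}>: AuthBy ADSI handles the "
                                "outer EAP exchange, which carries only the "
                                "identity and TLS records, never a plaintext "
                                "password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(name, lint(cfg) or ["no findings"])
```

Running the module prints two findings for the broken layout and none for the fixed one; the same check can be pointed at a real radius.cfg by reading the file into `lint`.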
On Wednesday, Sep 3, 2003, at 05:13 Australia/Melbourne, Christian Fredrickson wrote:
OK, I configured the server to run a LSA handler and my normal handler. I
have the server up and running the LSA module, but I cannot get a user
authenticated. I still do not see the password coming through the request.
My configuration and error will be in the body of the message below. You can
see the password still does not show up. I am not certain what the
configuration settings should be for the AuthBy sections. We are using
EAPTTLS with PAP for authentication.
Thank you,
Chris
Config
****************************************************************************************
# radius.cfg - Chemical and Fuels
# Last updated 08-25-2003

# ----------------------------------------
# General Server Options
# ----------------------------------------
#Foreground
BindAddress 155.99.173.37
AuthPort 1812
AcctPort 1813
IgnoreAcctSignature
Foreground
LogStdout
LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator
PidFile %D/radiusd.pid
DictionaryFile %D/dictionary

# ----------------------------------------
# Logging
# ----------------------------------------
#LogStdout
Trace 4
LogFile %L/radiator.log

# ----------------------------------------
# NAS Devices
# ----------------------------------------
<Client 155.98.0.3>
    NoIgnoreDuplicates Access-Request
    NoIgnoreDuplicates Access-Challenge
    Secret
    DupInterval 0
</Client>

<Client 155.98.0.4>
    NoIgnoreDuplicates Access-Request
    NoIgnoreDuplicates Access-Challenge
    Secret
    DupInterval 0
</Client>

<Client 155.99.173.37>
    NoIgnoreDuplicates Access-Request
    NoIgnoreDuplicates Access-Challenge
    Secret
</Client>

<Handler TunnelledByPEAP=1>
    # Authenticate with Windows LSA
    <AuthBy LSA>
        Domain CHE
        EAPType TTLS
    </AuthBy>
</Handler>

<Handler Realm=che.utah.edu>
    RejectHasReason
    AcctLogFileName %L/che.utah.edu_accounting.log
    AcctLogFileFormat %l, %{User-Name}, %{Acct-Session-Id}, %{Acct-Authentic}, %{Acct-Status-Type}, \
        %{NAS-Identifier}, %{NAS-IP-Address}, %{NAS-Port}, %{NAS-Port-Type}, %{Timestamp}
    #PasswordLogFileName %L/che.utah.edu_login.log

    <Log FILE>
        Trace 5
        Filename %L/che.utah.edu_radiator.log
    </Log>

    <AuthLog FILE>
        Filename %L/che.utah.edu_auth.log
        LogSuccess 1
        LogFailure 1
        SuccessFormat %l,%U,%N,%h,OK
        FailureFormat %l,%U,%N,%h,FAIL
    </AuthLog>

    <StatsLog FILE>
        Interval 604800
        Filename %L/che.utah.edu_stats.log
        #Format
    </StatsLog>

    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/

    <AuthBy ADSI>
        #Identifier ADSI
        SearchAttribute SAMAccountName
        AuthUser %0
        AuthFlags 1
        BindString LDAP://che-2551-37/dc=che,dc=utah,dc=edu
        SSLeayTrace 4
        EAPType TTLS
        EAPTLS_MaxFragmentSize 1024
        EAPTLS_SessionResumption 0
        EAPTLS_CertificateType PEM
        EAPTLS_CAFile %D/cert/root.pem
        EAPTLS_CertificateType PEM
        EAPTLS_CertificateFile %D/cert/server-cert.pem
        EAPTLS_PrivateKeyFile %D/cert/server-cert.pem.txt
        EAPTLS_PrivateKeyPassword cheradiuscert
        #EAPTLS_RandomFile %D/cert/random
        AutoMPPEKeys
    </AuthBy>
</Handler>
****************************************************************************************
End Config
Error
****************************************************************************************
Tue Sep 2 13:09:31 2003: DEBUG: User found at LDAP://CN=Chris Fredrickson,OU=CHE Admins,DC=che,DC=utah,DC=edu
Tue Sep 2 13:09:31 2003: DEBUG: Connecting to namespace: LDAP:
Tue Sep 2 13:09:31 2003: DEBUG: Running OpenDSObject on LDAP://CN=Chris Fredrickson,OU=CHE Admins,DC=che,DC=utah,DC=edu
Tue Sep 2 13:09:31 2003: DEBUG: BindString: LDAP://CN=Chris Fredrickson,OU=CHE Admins,DC=che,DC=utah,DC=edu authUser: 00303341 password: authFlags: 1
Win32::OLE(0.1403) error 0x8002000f: "Parameter not optional"
in METHOD/PROPERTYGET "OpenDSObject" at c:/Perl/site/lib/Radius/AuthADSI.pm line 134
Tue Sep 2 13:09:31 2003: DEBUG: Could not get user object: Win32::OLE(0.1403) error 0x8002000f: "Parameter not optional"
in METHOD/PROPERTYGET "OpenDSObject"
Tue Sep 2 13:09:31 2003: INFO: Access rejected for 00303341: Could not find user
Tue Sep 2 13:09:31 2003: DEBUG: Packet dump:
*** Sending to 155.98.0.3 port 1814 ....
Code: Access-Reject
Identifier: 70
Authentic: <152><10><0><0><243><11><0><0><134><13><0><0><10>I<0><0>
Attributes:
Reply-Message = "Could not find user"
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mike McCauley
Sent: Friday, August 29, 2003 6:46 PM
To: Christian Fredrickson; Radiator
Subject: Re: (RADIATOR) ADSI and EAP
Hello Christian,
On Sat, 30 Aug 2003 09:33 am, Christian Fredrickson wrote:
When I use EAP authentication using AuthBy ADSI, the password fails. Is there any way to get this working?
AuthBy ADSI only works with authentication methods that send a plaintext password, such as PAP.
If you wish to support PAP, CHAP, MSCHAP, MSCHAPV2, EAP-PEAP-MSCHAPV2 etc, you should look at the new AuthBy LSA module. See the Radiator 3.6 patches area for more information.
Cheers.
Chris
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
-- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
