I am running Radiator 3.7.1 on RH7.3. We have been using AuthBy UNIX and the Odyssey Client for months to authenticate our wireless users. Now I would like to authenticate users based on whether or not they are trying to log in to the domain. When a user logs in as domain\username, I have been unable to get the request handled by the intended Handler. I have placed the RewriteUsername in several locations but never see that Handler being used; only the plain TunnelledByTTLS Handler is ever invoked. I have read the manual but have obviously missed something. Can someone point me in the right direction?

As a workaround, I tried using ContinueUntilAccept in the TunnelledByTTLS Handler, and then it fails with the output below. I have verified that the username and password are correct, so is there another module required?

See below....
Mon Oct 13 16:03:59 2003: DEBUG: Handling with Radius::AuthLDAP2:
Mon Oct 13 16:03:59 2003: INFO: Connecting to <servername>, port 389
Mon Oct 13 16:03:59 2003: INFO: Attempting to bind to LDAP server <servername>:389)
Mon Oct 13 16:03:59 2003: ERR: Could not bind connection with CN=Radtest,OU=admin,DC=testrealm,DC=local, <password>, error: LDAP_INVALID_CREDENTIALS (server <servername>:389).
Mon Oct 13 16:03:59 2003: ERR: Backing off from <servername>:389 for 600 seconds


Thanks,
--
Steve
<Client DEFAULT>
        # Catch-all client stanza: any NAS not matched by a more specific <Client>
        # is handled with these settings and tagged with Identifier "wlan".
        Identifier wlan
        # Shared secret between NAS and Radiator. This value reads like a placeholder;
        # a long random secret per NAS is the usual recommendation.
        Secret mysecret
        # Window (seconds) for duplicate-request detection.
        DupInterval 2
        # NOTE(review): this tells Radiator not to reject Accounting-Requests whose
        # Request Authenticator does not verify against the secret, so accounting from a
        # NAS with a wrong secret is still accepted -- confirm it is really needed here.
        IgnoreAcctSignature
</Client>


 <Handler TunnelledByTTLS=1,Realm=testrealm>
        # NOTE(review): Radiator takes Realm from the text after the '@' in User-Name. An
        # inner identity written as testrealm\user therefore has no Realm, never matches
        # this Handler, and falls through to the plain <Handler TunnelledByTTLS=1> below --
        # which is consistent with "only the tunnelled by TTLS handler is ever invoked".
        # The RewriteUsername lines inside a Handler run only AFTER the Handler has been
        # chosen, so they cannot influence selection. To select on the MSN-style prefix,
        # match the raw name in the Handler check itself, for example
        #   <Handler TunnelledByTTLS=1,User-Name=/^testrealm\\/>
        # (check the backslash escaping against the manual for this version).
        AuthByPolicy ContinueUntilAccept

        # Strip realm if in MSN format
        RewriteUsername s/(.*)\\(.*)/$2/

        # strips the realm from a User-Name before authenticating it
        # ('[EMAIL PROTECTED]' is the list archive's redaction of the original pattern text)
        RewriteUsername s/^([EMAIL PROTECTED]).*/$1/

        <AuthBy LDAP2>
                # Directory server; note the host is in labnet.local while the DNs below are
                # under testrealm.local -- make sure this server actually holds those entries.
                Host    dc1.labnet.local
                # Service account used for the initial bind and the user search.
                AuthDN CN=Radtest,OU=admin,DC=testrealm,DC=local
                # NOTE(review): AuthPassword is given twice; keep a single line. The
                # LDAP_INVALID_CREDENTIALS in the log is this service-account bind failing,
                # not the end user's password, so verify this DN/password pair first.
                # The password is stored in cleartext: restrict read access to this file.
                AuthPassword    <password>
                AuthPassword    <password>
                # Subtree searched for the user entry.
                BaseDN          OU=AD Users,DC=testrealm,DC=local
                # Let the directory verify the user's password (re-bind as the user); this
                # needs the plaintext password, which presumably arrives via PAP inside the
                # TTLS tunnel -- confirm the client's inner method.
                ServerChecksPassword
                # Attribute matched against the (rewritten) User-Name.
                UsernameAttr samaccountname
        </AuthBy>

 </Handler>

 <Handler TunnelledByTTLS=1>
        # Catch-all for inner TTLS requests: anything not claimed by a more specific
        # TunnelledByTTLS Handler above lands here, including testrealm\user identities
        # (they carry no '@' Realm and so miss the Realm=testrealm Handler).
        # With a single AuthBy clause, ContinueUntilAccept behaves like the default policy.
        AuthByPolicy ContinueUntilAccept

        # Strip realm if in MSN format
        RewriteUsername s/(.*)\\(.*)/$2/

        # strips the realm from a User-Name before authenticating it
        # ('[EMAIL PROTECTED]' is the list archive's redaction of the original pattern text)
        RewriteUsername s/^([EMAIL PROTECTED]).*/$1/

        <AuthBy UNIX>
                # anonymous-PEAP must be in here:
                # Presumably a passwd-format file holding the users' password hashes;
                # keep it readable by the Radiator user only.
                Filename /etc/wlanpeople
        </AuthBy>
 </Handler>

<Handler Client-Identifier=wlan>
        # Outer (non-tunnelled) Handler for requests from the "wlan" client. With
        # ContinueAlways every AuthBy below is run and the last one (AuthBy FILE, which
        # terminates the TTLS tunnel) determines the final result; AuthBy SQL is in
        # practice accounting-only here (see AuthSelect).

        AuthByPolicy ContinueAlways
        #AuthByPolicy ContinueWhileIgnore      # Default

        # Strip realm if in MSN format
        # RewriteUsername s/(.*)\\(.*)/$2/

        # Convert a MSN realm\user into [EMAIL PROTECTED]
        # RewriteUsername        s/^(.*)\\(.*)/[EMAIL PROTECTED]/

        # strips the realm from a User-Name before authenticating it
        # RewriteUsername s/^([EMAIL PROTECTED]).*/$1/


        <AuthBy SQL>
                # NOTE(review): two DBSource lines but only one DBUsername/DBAuth pair.
                # Radiator tries DBSource entries in order as a fallback; confirm the second
                # entry is intended and has matching credentials, otherwise drop the stale one.
                DBSource        dbi:mysql:radius
                DBSource        dbi:mysql:database=radius;host=radserver.musc.edu
                DBUsername      radtest
                # Database password in cleartext: restrict read access to this file.
                DBAuth          radpwd

                # NOTE(review): AuthSelect is empty, presumably to disable the SQL user lookup
                # so this clause only records accounting -- confirm that 3.7.1 honours this.
                AuthSelect

                # Only insert Start and Stop requests, ack everything else
                HandleAcctStatusTypes Start,Stop

                AccountingTable ACCOUNTING

                # Column mapping: <column>,<attribute or %-macro>[,<type>[,<format>]]
                AcctColumnDef   USERNAME,User-Name
                AcctColumnDef   CONNTYPE,%{Client:Identifier},formatted
                AcctColumnDef   TIME_STAMP,Timestamp,integer
                # NOTE(review): the next directive appears wrapped across two lines (probably
                # by the mailer); in the real file the whole date format must stay on one line.
                AcctColumnDef   TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d 
%H:%M:%S
                AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
                AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
                AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
                AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
                AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
                AcctColumnDef   NASIDENTIFIER,NAS-Identifier
                AcctColumnDef   NASIPADDRESS,NAS-IP-Address
                AcctColumnDef   NASPORT,NAS-Port,integer
                AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
                AcctColumnDef   ACCTAUTHENTIC,Acct-Authentic

                # Records that could not be inserted go to this file so they are not lost.
                # NOTE(review): this directive also appears wrapped; keep it on one line.
                AcctFailedLogFileName 
%L/%{Client:Identifier}/%m%d%y.missedaccounting.log
        </AuthBy>


        <AuthBy FILE>
        # This clause terminates the EAP-TTLS tunnel (EAPType TTLS below). The inner
        # identity is then dispatched again and matched by the <Handler TunnelledByTTLS=1...>
        # clauses, not by this Handler.

        # Strip realm if in MSN format
        # RewriteUsername s/(.*)\\(.*)/$2/

        # Convert a MSN realm\user into [EMAIL PROTECTED]
        # NOTE(review): this rewrite is placed inside the AuthBy, i.e. it runs after the
        # outer Handler was chosen and acts on the outer identity only; it does not change
        # which inner Handler is selected for the tunnelled request.
        RewriteUsername        s/^(.*)\\(.*)/[EMAIL PROTECTED]/

        # strips the realm from a User-Name before authenticating it
        # RewriteUsername s/^([EMAIL PROTECTED]).*/$1/

                Filename /etc/radiator/users

                EAPType TTLS

                # NOTE(review): CA file, certificate and private key all point at the same
                # PEM. Clients that validate the server certificate need the issuing CA they
                # trust; this only works if radtest.pem also bundles that chain -- confirm.
                EAPTLS_CAFile /usr/local/certs/radtest.pem

                EAPTLS_CertificateFile /usr/local/certs/radtest.pem
                EAPTLS_CertificateType PEM

                EAPTLS_PrivateKeyFile /usr/local/certs/radtest.pem
                # Key passphrase in cleartext: restrict read access to this file.
                EAPTLS_PrivateKeyPassword <keypasswd>

                # Largest EAP-TLS fragment sent per RADIUS round trip.
                EAPTLS_MaxFragmentSize 1024

                # Return the MS-MPPE key attributes in the Access-Accept so the AP can key
                # the wireless session.
                AutoMPPEKeys

                # Verbose OpenSSL tracing; useful while debugging, lower it once this works
                # since it fills the log with TLS handshake detail.
                SSLeayTrace 4

                # EAPAnonymous anonymous

                # Default is enabled
                #EAPTLS_SessionResumption 0

                #EAPTLS_SessionResumptionLimit 10

        </AuthBy>

       # Both hooks run the same script; presumably it handles the anonymous outer
       # identity around the inner authentication -- verify against the script itself.
       PreProcessingHook file:"/etc/radiator/eap_anon_hook.pl"
       PostAuthHook file:"/etc/radiator/eap_anon_hook.pl"

        # Log accounting to a detail file
       AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log

</Handler>
