Hello Steve -
I think I will need a bit more detail regarding your requirements, as I am not sure I understand.
Could you also please send me a trace 4 debug from Radiator showing what is happening.
regards
Hugh
On Wednesday, Oct 15, 2003, at 05:55 Australia/Melbourne, Steve Caporossi wrote:
I am running Radiator 3.7.1 on RH7.3. We are, and have been, using AuthBy UNIX and the Odyssey Client for months to authenticate our wireless users. Now, I would like to authenticate users based on whether or not they are trying to log in to the domain. When a user logs in with domain\username, I have been unable to get the request to be handled by the proper handler. I have placed the RewriteUsername in multiple locations but never see the handler being used; only the TunnelledByTTLS handler is ever invoked. I have read the manual but obviously missed something... Can someone point me in the right direction?
As a workaround, I tried using ContinueUntilAccept in the TunnelledByTTLS handler and then I fail with the info below. I verified the username and password are correct, so is there another module required?
See below....
Mon Oct 13 16:03:59 2003: DEBUG: Handling with Radius::AuthLDAP2:
Mon Oct 13 16:03:59 2003: INFO: Connecting to <servername>, port 389
Mon Oct 13 16:03:59 2003: INFO: Attempting to bind to LDAP server <servername>:389)
Mon Oct 13 16:03:59 2003: ERR: Could not bind connection with CN=Radtest,OU=admin,DC=testrealm,DC=local, <password>, error: LDAP_INVALID_CREDENTIALS (server <servername>:389).
Mon Oct 13 16:03:59 2003: ERR: Backing off from <servername>:389 for 600 seconds
Thanks,
-- Steve

<Client DEFAULT>
	Identifier wlan
	Secret mysecret
	DupInterval 2
	IgnoreAcctSignature
</Client>

<Handler TunnelledByTTLS=1,Realm=testrealm>
	AuthByPolicy ContinueUntilAccept
	# Strip realm if in MSN format
	RewriteUsername s/(.*)\\(.*)/$2/
	# strips the realm from a User-Name before authenticating it
	RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
	<AuthBy LDAP2>
		Host dc1.labnet.local
		AuthDN CN=Radtest,OU=admin,DC=testrealm,DC=local
		AuthPassword <password>
		BaseDN OU=AD Users,DC=testrealm,DC=local
		ServerChecksPassword
		UsernameAttr samaccountname
	</AuthBy>
</Handler>

<Handler TunnelledByTTLS=1>
	AuthByPolicy ContinueUntilAccept
	# Strip realm if in MSN format
	RewriteUsername s/(.*)\\(.*)/$2/
	# strips the realm from a User-Name before authenticating it
	RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
	<AuthBy UNIX>
		# anonymous-PEAP must be in here:
		Filename /etc/wlanpeople
	</AuthBy>
</Handler>

<Handler Client-Identifier=wlan>
	AuthByPolicy ContinueAlways
	#AuthByPolicy ContinueWhileIgnore
	# Default
	# Strip realm if in MSN format
	# RewriteUsername s/(.*)\\(.*)/$2/
	# Convert a MSN realm\user into [EMAIL PROTECTED]
	# RewriteUsername s/^(.*)\\(.*)/[EMAIL PROTECTED]/
	# strips the realm from a User-Name before authenticating it
	# RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
	<AuthBy SQL>
		DBSource dbi:mysql:radius
		DBSource dbi:mysql:database=radius;host=radserver.musc.edu
		DBUsername radtest
		DBAuth radpwd
		# Empty AuthSelect: this clause does accounting only, no SQL authentication
		AuthSelect
		# Only insert Start and Stop requests, ack everything else
		HandleAcctStatusTypes Start,Stop
		AccountingTable ACCOUNTING
		AcctColumnDef USERNAME,User-Name
		AcctColumnDef CONNTYPE,%{Client:Identifier},formatted
		AcctColumnDef TIME_STAMP,Timestamp,integer
		AcctColumnDef TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S
		AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
		AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
		AcctColumnDef ACCTSESSIONID,Acct-Session-Id
		AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
		AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
		AcctColumnDef NASIDENTIFIER,NAS-Identifier
		AcctColumnDef NASIPADDRESS,NAS-IP-Address
		AcctColumnDef NASPORT,NAS-Port,integer
		AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
		AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
		AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccounting.log
	</AuthBy>
	<AuthBy FILE>
		# Strip realm if in MSN format
		# RewriteUsername s/(.*)\\(.*)/$2/
		# Convert a MSN realm\user into [EMAIL PROTECTED]
		RewriteUsername s/^(.*)\\(.*)/[EMAIL PROTECTED]/
		# strips the realm from a User-Name before authenticating it
		# RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
		Filename /etc/radiator/users
		EAPType TTLS
		EAPTLS_CAFile /usr/local/certs/radtest.pem
		EAPTLS_CertificateFile /usr/local/certs/radtest.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile /usr/local/certs/radtest.pem
		EAPTLS_PrivateKeyPassword <keypasswd>
		EAPTLS_MaxFragmentSize 1024
		AutoMPPEKeys
		SSLeayTrace 4
		# EAPAnonymous anonymous
		# Default is enabled
		#EAPTLS_SessionResumption 0
		#EAPTLS_SessionResumptionLimit 10
	</AuthBy>
	PreProcessingHook file:"/etc/radiator/eap_anon_hook.pl"
	PostAuthHook file:"/etc/radiator/eap_anon_hook.pl"
	# Log accounting to a detail file
	AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
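Added example (Python, written for this page; not code from the thread or from Radiator itself) modelling the Handler selection Steve describes: with the three Handlers in his config, a tunnelled request for testrealm\steve carries no '@' realm, so the Realm=testrealm Handler is skipped and the plain TunnelledByTTLS=1 Handler wins, which is what he observed. It assumes Radiator's documented rule that Handler check items are matched against the request as received, before that Handler's own RewriteUsername runs; the trace 4 Hugh asks for is how to confirm that on a real server. The msn_to_realm rewrite is a hypothetical domain\user to user@domain conversion, since the archive redacts the replacement in Steve's commented-out line.

```python
import re

# Constructed model of Radiator Handler selection for the config in this thread.
# ASSUMPTION (Radiator reference manual; confirm with a trace 4 log): Handlers
# are tried in file order and the first whose check items all match wins; the
# Realm check item is compared against the part of User-Name after '@' in the
# request as received, before that Handler's own RewriteUsername runs.
# Handler order and check items are copied from Steve's config.
HANDLERS = [
    {"name": "TunnelledByTTLS=1,Realm=testrealm", "tunnelled": True, "realm": "testrealm", "client": None},
    {"name": "TunnelledByTTLS=1", "tunnelled": True, "realm": None, "client": None},
    {"name": "Client-Identifier=wlan", "tunnelled": None, "realm": None, "client": "wlan"},
]

def realm_of(username):
    """Realm check item: text after the last '@', empty if there is none."""
    return username.rsplit("@", 1)[1] if "@" in username else ""

def select_handler(username, tunnelled, client="wlan"):
    """Return the name of the first Handler whose check items all match, else None."""
    for h in HANDLERS:
        if h["tunnelled"] is not None and h["tunnelled"] != tunnelled:
            continue
        if h["client"] is not None and h["client"] != client:
            continue
        if h["realm"] is not None and realm_of(username) != h["realm"]:
            continue
        return h["name"]
    return None

def strip_domain(username):
    r"""The config's 'strip realm if in MSN format' rewrite: s/(.*)\\(.*)/$2/."""
    return re.sub(r"^(.*)\\(.*)", r"\2", username)

def msn_to_realm(username):
    r"""Hypothetical rewrite turning domain\user into user@domain (the replacement
    in Steve's commented-out line is redacted in the archive)."""
    return re.sub(r"^(.*)\\(.*)", r"\2@\1", username)

if __name__ == "__main__":
    # Constructed sample inner (tunnelled) identities, as Odyssey would send them.
    for name in ("testrealm\\steve", "steve@testrealm",
                 strip_domain("testrealm\\steve"), msn_to_realm("testrealm\\steve")):
        print(f"{name:20} -> {select_handler(name, tunnelled=True)}")
```

Stripping the domain with the config's own rewrite leaves no realm at all, so it cannot make the Realm=testrealm Handler match; only a form that yields user@domain before Handler selection does.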
