Hi, I have it working by running Radiator on a server in the domain. Note that you need 4.7 to use the magic bit UsernameMatchesWithoutRealm. Nothing is needed on the actual DCs regarding Radiator in our case.
<Handler TunnelledByPEAP=1> <AuthBy LSA> ### The next line strips the @realm portion to allow AD to authenticate against it UsernameMatchesWithoutRealm EAPType MSCHAP-V2 </AuthBy> </Handler> ### This is the outer request where [email protected] are captured <Handler Realm=somewhere.ac.uk> <AuthBy FILE> Filename %D/users ### This tells the PEAP client what types of inner EAP requests we will honour EAPType PEAP, TTLS EAPTLS_CAFile %D/certificates/terenasslca.pem EAPTLS_CertificateFile %D/certificates/final-cert.pem EAPTLS_CertificateType PEM EAPTLS_PrivateKeyFile %D/certificates/mykey.pem EAPTLS_PrivateKeyPassword EAPTLS_MaxFragmentSize 1000 AutoMPPEKeys SSLeayTrace 4 EAPTLS_PEAPVersion 0 ### Added EAPAnonymous %{User-Name} to the outer AuthBy ### This will send the outer username as the inner username ### (instead of "anonymous") EAPAnonymous %{User-Name} </AuthBy> </Handler> regards Mark Pearson Senior Technical Support Analyst Information Systems Nottingham Trent University tel: 0115 8488287 -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Mike McCauley Sent: 01 October 2010 01:03 To: Johnson, Neil M Cc: [email protected] Subject: Re: [RADIATOR] Authby LSA and groups not working (redux) Hello Neil, On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote: > No, I'm running it on a member server. > > Our AD administrators are very reluctant to run applications on PDC's > and BDC's. I can ask but I don't think I will get permission. > > Will it work on a BDC ? > > If not, do I have any other options ? Currently I'm using Radiator to > proxy 802.1X requests to Juniper Steel-Belted Radius in order to > re-write VLAN attributes. I was kind of hoping to eliminate SBR in > part to simplify support for Eduroam. Tests here show that it works OK on any domain member provided that the user who is running the script is logged in to the domain. Cheers. > > Thanks. > > -Neil > > -- > Neil Johnson > Network Engineer > Information Technology Services > The University of Iowa > Work: 319 384-0938 > Mobile: 319 540-2081 > Fax: 319 355-2618 > E-mail: [email protected] > > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of Mike McCauley Sent: > Wednesday, September 29, 2010 9:22 PM > To: [email protected] > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux) > > Hello Neil, > > tests here show that your script (suitably modified) works provided > you run it on the PDC as the administrator. > > Is that how you are testing? > > Cheers. > > On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote: > > I whipped up a script based on what I could find in the source code > > to test group membership and it doesn't seem to matter if the group > > is local or global, it can't find it: > > > > #!c:\perl64\bin\perl.exe > > > > use strict; > > use Win32::NetAdmin; > > > > my $User = "nmjoo"; > > my $Group = "ITS-WIRELESS"; > > my $Domain = "IOWA"; > > my $Server = ""; > > > > print "Getting Domain Controller\n"; > > Win32::NetAdmin::GetDomainController ("", $Domain, $Server); print > > "Domain Controller for Domain $Domain is $Server\n"; > > > > print "Checking to see if user: $User is member of Group: $Group\n"; > > if ( Win32::NetAdmin::GroupIsMember($Server, $Group, $User) > > > > || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, > > || $User)) { > > > > print "$User is Member of group $Group"; } else { > > print "$User is not Member of group $Group"; } > > > > Output: > > > > C:\Program Files\Radiator>test2.pl > > Getting Domain Controller > > Domain Controller for Domain IOWA is \\IOWADC1 > > Checking to see if user: nmjoo is member of Group: ITS-WIRELESS > > nmjoo is not Member of group ITS-WIRELESS > > C:\Program Files\Radiator> > > -- > > Neil Johnson > > Network Engineer > > Information Technology Services > > The University of Iowa > > Work: 319 384-0938 > > Mobile: 319 540-2081 > > Fax: 319 355-2618 > > E-mail: [email protected] -- Mike McCauley [email protected] Open System Consultants Pty. Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. _______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator This email is intended solely for the addressee. It may contain private and confidential information. If you are not the intended addressee, please take no action based on it nor show a copy to anyone. In this case, please reply to this email to highlight the error. Opinions and information in this email that do not relate to the official business of Nottingham Trent University shall be understood as neither given nor endorsed by the University. Nottingham Trent University has taken steps to ensure that this email and any attachments are virus-free, but we do advise that the recipient should check that the email and its attachments are actually virus free. This is in keeping with good computing practice. _______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
