Mark,

Thanks for the tip. I can get AuthBy LSA to work for me unless I try to test for group membership, which I need to do in order to assign users to a specific VLAN.
-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: [email protected]

> -----Original Message-----
> From: Pearson, Mark [mailto:[email protected]]
> Sent: Friday, October 01, 2010 4:13 AM
> To: Mike McCauley; Johnson, Neil M
> Cc: [email protected]
> Subject: RE: [RADIATOR] Authby LSA and groups not working (redux)
>
> Hi, I have it working by running Radiator on a server in the domain.
> Note that you need 4.7 to use the magic bit UsernameMatchesWithoutRealm.
> Nothing is needed on the actual DCs regarding Radiator in our case.
>
> <Handler TunnelledByPEAP=1>
>     <AuthBy LSA>
>         ### The next line strips the @realm portion to allow AD to
>         ### authenticate against it
>         UsernameMatchesWithoutRealm
>         EAPType MSCHAP-V2
>     </AuthBy>
> </Handler>
>
> ### This is the outer request where [email protected] are captured
>
> <Handler Realm=somewhere.ac.uk>
>     <AuthBy FILE>
>         Filename %D/users
>
>         ### This tells the PEAP client what types of inner EAP requests
>         ### we will honour
>         EAPType PEAP, TTLS
>         EAPTLS_CAFile %D/certificates/terenasslca.pem
>         EAPTLS_CertificateFile %D/certificates/final-cert.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/mykey.pem
>         EAPTLS_PrivateKeyPassword
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>         EAPTLS_PEAPVersion 0
>
>         ### Added EAPAnonymous %{User-Name} to the outer AuthBy
>         ### This will send the outer username as the inner username
>         ### (instead of "anonymous")
>
>         EAPAnonymous %{User-Name}
>
>     </AuthBy>
> </Handler>
>
> regards
> Mark Pearson
> Senior Technical Support Analyst
> Information Systems
> Nottingham Trent University
>
> tel: 0115 8488287
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Mike McCauley
> Sent: 01 October 2010 01:03
> To: Johnson, Neil M
> Cc: [email protected]
> Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
>
> Hello Neil,
>
> On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> > No, I'm running it on a member server.
> >
> > Our AD administrators are very reluctant to run applications on PDC's
> > and BDC's. I can ask but I don't think I will get permission.
> >
> > Will it work on a BDC?
> >
> > If not, do I have any other options? Currently I'm using Radiator to
> > proxy 802.1X requests to Juniper Steel-Belted Radius in order to
> > re-write VLAN attributes. I was kind of hoping to eliminate SBR in
> > part to simplify support for Eduroam.
>
> Tests here show that it works OK on any domain member provided that the
> user who is running the script is logged in to the domain.
>
> Cheers.
>
> > Thanks.
> >
> > -Neil
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Mike McCauley
> > Sent: Wednesday, September 29, 2010 9:22 PM
> > To: [email protected]
> > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> >
> > Hello Neil,
> >
> > tests here show that your script (suitably modified) works provided
> > you run it on the PDC as the administrator.
> >
> > Is that how you are testing?
> >
> > Cheers.
> >
> > On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> > > I whipped up a script based on what I could find in the source code
> > > to test group membership and it doesn't seem to matter if the group
> > > is local or global, it can't find it:
> > >
> > > #!c:\perl64\bin\perl.exe
> > >
> > > use strict;
> > > use warnings;
> > > use Win32::NetAdmin;
> > >
> > > my $User   = "nmjoo";
> > > my $Group  = "ITS-WIRELESS";
> > > my $Domain = "IOWA";
> > > my $Server = "";
> > >
> > > # Ask the network for a DC of $Domain; $Server is filled in by reference
> > > print "Getting Domain Controller\n";
> > > Win32::NetAdmin::GetDomainController("", $Domain, $Server);
> > > print "Domain Controller for Domain $Domain is $Server\n";
> > >
> > > # Global groups are checked with GroupIsMember, local groups with
> > > # LocalGroupIsMember; either one matching counts as membership
> > > print "Checking to see if user: $User is member of Group: $Group\n";
> > > if (   Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
> > >     || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
> > >     print "$User is Member of group $Group\n";
> > > } else {
> > >     print "$User is not Member of group $Group\n";
> > > }
> > >
> > > Output:
> > >
> > > C:\Program Files\Radiator>test2.pl
> > > Getting Domain Controller
> > > Domain Controller for Domain IOWA is \\IOWADC1
> > > Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> > > nmjoo is not Member of group ITS-WIRELESS
> > > C:\Program Files\Radiator>
>
> --
> Mike McCauley [email protected]
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
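A diagnostic in the spirit of Neil's test script, added here as an example and not part of the thread or of Radiator: before testing membership it reports which domain the calling process is logged in to, since Mike's finding is that the lookup only works on a domain member when the running user is logged in to the domain, and it then maps the first matching group to a VLAN id, which is what the group test is needed for. It assumes Windows with the Win32 and Win32::NetAdmin modules; the domain, user, group names and VLAN ids are constructed placeholders.

```perl
#!/usr/bin/perl
# Example diagnostic, not from the mailing-list thread or from Radiator.
use strict;
use warnings;
use Win32;            # LoginName, DomainName, NodeName, error helpers
use Win32::NetAdmin;  # GetDomainController, GroupIsMember, LocalGroupIsMember

my $Domain = "EXAMPLE";            # constructed placeholder domain
my $User   = "jdoe";               # constructed placeholder account
my %VlanByGroup = (                # constructed group -> VLAN id mapping
    'WIRELESS-STAFF'    => 10,
    'WIRELESS-STUDENTS' => 20,
);

# 1. Which account and logon domain is this process running as?
#    The thread's symptom (DC found, GroupIsMember false) shows up when
#    this is a local account or a different domain than $Domain.
my $runas_domain = Win32::DomainName();
my $runas_user   = Win32::LoginName();
print "Running as $runas_domain\\$runas_user on ", Win32::NodeName(), "\n";
if (uc($runas_domain) ne uc($Domain)) {
    warn "Process is not logged in to $Domain; group lookups against ",
         "its DC are expected to return false.\n";
}

# 2. Locate a domain controller; $Server is filled in by reference.
my $Server = '';
unless (Win32::NetAdmin::GetDomainController('', $Domain, $Server)) {
    die "Cannot locate a DC for $Domain: ",
        Win32::FormatMessage(Win32::GetLastError()), "\n";
}
print "Using DC $Server\n";

# 3. Global groups via GroupIsMember, local groups via LocalGroupIsMember,
#    the same two calls the posted script uses.
sub is_member {
    my ($server, $group, $user) = @_;
    return Win32::NetAdmin::GroupIsMember($server, $group, $user)
        || Win32::NetAdmin::LocalGroupIsMember($server, $group, $user);
}

# 4. First matching group wins; its VLAN id is what a RADIUS reply would carry.
my $vlan;
for my $group (sort keys %VlanByGroup) {
    next unless is_member($Server, $group, $User);
    $vlan = $VlanByGroup{$group};
    print "$User is a member of $group -> VLAN $vlan\n";
    last;
}
print "$User matched no mapped group; no VLAN assigned\n" unless defined $vlan;
```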
