On 05/11/2011 07:48 PM, Onno Witvliet wrote:

Hello Onno,

> I'm trying to configure Radiator to authenticate our users with PEAP / 
> MSCHAPv2.
> 
> We're running Radiator on Linux and we want to authenticate against MS
> Active Directory.
> 
> The authentication with NTLM works fine, but we want to check if the
> user is allowed to use the wireless network by checking the
> msNPAllowDialin property in Active Directory.
> 
> As far as I can tell, for this additional check to work, I need to
> query AD via LDAP for the property msNPAllowDialin and check the
> value of the property.

This sounds correct.

> I've tried several things, but I can't figure out how I can query the
> AD via LDAP, without Radiator trying to authenticate the LDAP query
> with MSCHAPv2 (with Access-Reject as a result)

Please see below for changes in your config. You are close and there are
only a couple of things that need changes.

> I'm trying to use PostSearchHook to check if msNPAllowDialin exists
> and if the value equals YES to return an Access-Accept, else return
> Access-Reject

I think the hook is not needed. Please see below for more.

> I've 3 questions:
> 
> 1) Is this the right approach to solve this problem

Yes.

> 2) How can I query via LDAP without (EAP) authentication

Use NoEAP and NoCheckPassword. Instead, a SearchFilter is defined for
checking that the user exists and has the attribute correctly set.

> 3) How can I return Access-Accept / Access-Reject from the PostSearchHook

You could arrange for check items to fail, but I think the hook is not
needed at all.

> Any hints would be appreciated.

Try the changes I have added below and let us know how it works. You may
want to check the reference manual for more details about the options I
added or changed.

> Onno Witvliet
> Hogeschool Inholland
> The Netherlands
> 
> 
> Overview config:
> 
> <AuthBy FILE>
>   Identifier outer-tunnel-auth
> 
>   Filename %D/dot1x_anon
> 
>   EAPType PEAP
> 
>   # Certificates
>   EAPTLS_CAFile /etc/radiator/certificates/ca.pem
>   EAPTLS_CertificateFile /etc/radiator/certificates/server.pem
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile /etc/radiator/certificates/server.key
>   EAPTLS_MaxFragmentSize 1000
> 
>   EAPTLS_PEAPVersion 0
> 
>   AutoMPPEKeys
> </AuthBy>
> 
> <AuthBy NTLM>
>   Identifier    AuthNTLM
> 
>   EAPType      MSCHAP-V2
>   Domain        DOMAIN
>   NtlmAuthProg  /usr/bin/ntlm_auth -s /etc/samba/our-winbindd.conf --helper-protocol=ntlm-server-1
>   UsernameMatchesWithoutRealm
> </AuthBy>
> 
> <AuthBy LDAP2>
>   Identifier    AuthLDAP
>   Host          x.x.x.x
> 
>   AuthDN        cn=admin,dc=domain,dc=nl
>   AuthPassword  secret
> 
>   BaseDN        ou=users,dc=domain,dc=nl
>   UsernameAttr  sAMAccountName
>   PasswordAttr

Remove PasswordAttr

Add these:
NoCheckPassword
NoEAP
SearchFilter (&(%0=%x)(msNPAllowDialin=YES))

>   AuthAttrDef   msNPAllowDialin,GENERIC,request

You can keep this, otherwise the LDAP server will return all possible
attributes.

You can also add these for better performance:
NoDefault
NoDefaultIfFound

> #  PostSearchHook sub { my $attr = $_[4]->get('msNPAllowDialin'); \
> #    $_[3]->get_reply->add_attr('Dialin-Allowed', 1); }

Remove the hook or keep it commented out.

>   Debug 255
> </AuthBy>
> 
> <Handler User-Name=/[email protected])/>
>   Identifier outer-handler
> 
>   AuthBy outer-tunnel-auth
> </Handler>
> 
> <Handler TunnelledByPEAP=1>
>   Identifier inner-handler
> 
>   <AuthBy GROUP>
>     AuthByPolicy ContinueUntilReject

Use a different policy:
AuthByPolicy ContinueWhileAccept

>     # Authenticate against AD with ntlm_auth
>     AuthBy AuthNTLM
> 
>     # check msNPAllowDialin property against AD with LDAP
>     AuthBy AuthLDAP
>   </AuthBy>
> </Handler>


-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
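
The following Python is an added example, not code from this thread or from Radiator: it models the LDAP step the reply proposes (a search with NoCheckPassword/NoEAP whose SearchFilter requires both the user name and msNPAllowDialin to match) and the ContinueWhileAccept decision of the inner AuthBy GROUP, so the accept/reject outcome can be reasoned about offline. The directory entries are constructed sample data; the value "YES" is taken from the reply as given, but note that AD's schema defines msNPAllowDialin as a Boolean attribute, so check whether your directory actually returns TRUE/FALSE before relying on the filter. The %0/%x substitution is Radiator's own and is only mirrored here by function parameters; the RFC 4515 escaping of the user name is shown so that a name containing "(", ")", "*" or "\" cannot change the structure of the filter, and whether Radiator escapes %x itself is something to confirm in the reference manual.

```python
# Added illustration of the SearchFilter-based msNPAllowDialin check.
# Not Radiator code: the names, entries and "YES" value are assumptions.
from typing import Dict, List, Tuple

# Constructed sample directory (assumption): three accounts, one allowed,
# one explicitly denied, one without the attribute at all.
SAMPLE_DIRECTORY: List[Dict[str, List[str]]] = [
    {"sAMAccountName": ["alice"], "msNPAllowDialin": ["YES"]},
    {"sAMAccountName": ["bob"], "msNPAllowDialin": ["NO"]},
    {"sAMAccountName": ["carol"]},
]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value: \\ * ( ) NUL -> \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def ldap_unescape(value: str) -> str:
    """Reverse of ldap_escape, used by the toy filter parser below."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_search_filter(username_attr: str, username: str, dialin_value: str = "YES") -> str:
    """Mirror of the reply's SearchFilter (&(%0=%x)(msNPAllowDialin=YES)) with the
    user name attribute and the escaped user name substituted in."""
    return "(&(%s=%s)(msNPAllowDialin=%s))" % (
        username_attr, ldap_escape(username), ldap_escape(dialin_value))


# Toy filter parser: supports &, |, !, equality and presence (attr=*) only.
Node = Tuple


def parse_filter(text: str) -> Node:
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter: %r" % text[end:])
    return node


def _parse(s: str, i: int) -> Tuple[Node, int]:
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            kids.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)          # an escaped ')' is "\29", never literal
    attr, raw = s[i:eq], s[eq + 1:close]
    if raw == "*":                    # unescaped '*' alone is a presence test
        return ("present", attr), close + 1
    if "*" in raw:
        raise ValueError("substring filters are not supported in this example")
    return ("=", attr, ldap_unescape(raw)), close + 1


def matches(node: Node, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter against one entry; names and values compare
    case-insensitively, as they do for these AD attributes."""
    lowered = {k.lower(): v for k, v in entry.items()}
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    if op == "present":
        return bool(lowered.get(node[1].lower()))
    _, attr, value = node
    return any(v.lower() == value.lower() for v in lowered.get(attr.lower(), []))


def ldap_step_accepts(username: str, directory=SAMPLE_DIRECTORY,
                      username_attr: str = "sAMAccountName", dialin_value: str = "YES") -> bool:
    """The AuthBy LDAP2 step with NoCheckPassword/NoEAP: no password is checked,
    the user is accepted only if the SearchFilter finds an entry."""
    flt = parse_filter(build_search_filter(username_attr, username, dialin_value))
    return any(matches(flt, e) for e in directory)


def inner_handler_result(ntlm_accepted: bool, username: str) -> str:
    """AuthBy GROUP with AuthByPolicy ContinueWhileAccept: the LDAP step runs
    only after NTLM accepted, and the last step's result is the answer."""
    if not ntlm_accepted:
        return "Access-Reject"
    return "Access-Accept" if ldap_step_accepts(username) else "Access-Reject"


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "alice)(objectClass=*"):
        print("%-22s -> %s" % (user, inner_handler_result(True, user)))
```

The last name in the usage loop shows why the escaping matters: because ")" and "*" are encoded as "\29" and "\2a", the name is compared literally and no entry matches, whereas the same characters left unescaped would be parsed as filter syntax. Running `matches(parse_filter("(&(sAMAccountName=*)(msNPAllowDialin=YES))"), entry)` against the sample data makes that difference visible, since the unescaped "*" matches every account that has the attribute set.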