I am not able to determine why, when using the %P variable, it does not pass the user password into the LDAP authentication. We are attempting to terminate PEAP/EAP on our wireless controllers (Aruba) and pass the username and password to Radiator for authentication, as this only requires a single common certificate to be presented to the clients (unless Radiator does not have an issue reusing certs on different servers?). When I set the password in the config file statically, I receive an Access-Accept reply; however, when I attempt to use the %P parameter, the password is never included in the authentication. Suggestions would be appreciated. I have stripped the config down for testing purposes.
#Tubuluar.vm.its.uwo.ca
#
# eap_multi.cfg
#
# This config supports EAP-TTLS and EAP-PEAP proxied from an external Radius server
#
Foreground 1
#LogStdout 1
LogDir c:/program files/radiator
DbDir c:/program files/radiator
AuthPort 1645,1812
AcctPort 1646,1813

# Use a lower trace level in production systems:
#Trace 3
Trace 7

# IMPORTANT => convert user name to lower case to ensure match on uwo.ca realm in handler match criteria
UsernameCharset a-zA-Z0-9\\\\\._@-
RewriteUsername tr/A-Z/a-z/

# UwoLDAP is used to authenticate the inner TTLS credentials and outer PEAP credentials against LDAP
# Note requires TTLS and PEAP support
# Both userid and password are checked for inner TTLS requests
# Only the userid is checked for outer PEAP requests
<AuthBy LDAP2>
	Log errorLogger
	Identifier UwoLDAP-LB
	EAPType MSCHAP-V2
	NoDefault

	# Tell Radiator how to talk to the LDAP server
	Host auth.uwo.ca
	AuthDN uid=%U,ou=people,o=uwo.ca,dc=its
	AuthPassword %P

	# Add role from LDAP to the request via the AuthAttrDef
	AuthAttrDef description,Role,request
	AuthAttrDef loginShell,Shell,request
	AuthAttrDef uwoid,Uid,request

	BaseDN o=uwo.ca,dc=its
	UsernameAttr uid
	PasswordAttr
	AddToReply Reply-Message="STF"
	Timeout 10
</AuthBy>

# Handlers are processed sequentially - and first match applies
<Handler Request-Type = Accounting-Request>
	Log errorLogger
	AuthBy AccountingResponse
	PostAuthHook file:"%D/accounting.hook"
</Handler>

#================================================================
# Test Handler
# Handles both authentication checks and logging as mac is available.
#
<Handler>
	AuthBy UwoLDAP
</Handler>
Thanks
MH
Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: [email protected] <mailto:[email protected]>
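An added example, not from the post above and not Radiator's own code: a small parser for the `<Name ...> ... </Name>` config syntax shown in the post, followed by a check over the parsed `AuthBy LDAP2` block. The check encodes one assumption about the protocol, labelled in the code: EAPType MSCHAP-V2 is a challenge/response method, so the RADIUS request that reaches the server carries no plaintext User-Password for a bind-time `%P` to expand to, and the server instead needs a `PasswordAttr` to fetch something to verify the MS-CHAP response against. The sample config is a trimmed, constructed copy of the poster's; the `Block`, `parse_config`, `walk` and `check_ldap_password_flow` names are this example's own.

```python
"""Parse a Radiator-style config and flag an AuthBy LDAP2 block whose LDAP
bind depends on %P while the configured EAP method cannot supply a plaintext
password. Added example; not Radiator's own code."""
import re
from dataclasses import dataclass, field

OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")   # <AuthBy LDAP2>, <Handler ...>
CLOSE = re.compile(r"^</(\w+)>$")         # </AuthBy>, </Handler>


@dataclass
class Block:
    kind: str                    # "AuthBy", "Handler", or "root"
    match: str = ""              # text after the block name, e.g. "LDAP2"
    params: dict = field(default_factory=dict)    # key -> list of values (keys may repeat)
    children: list = field(default_factory=list)

    def get(self, key, default=""):
        """First value of a parameter, or default if it is absent or empty."""
        vals = self.params.get(key)
        return vals[0] if vals and vals[0] else default


def parse_config(text):
    """Build a Block tree from Radiator's <Name ...> ... </Name> syntax."""
    root = Block("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or full-line comment
            continue
        m = OPEN.match(line)
        if m:
            blk = Block(m.group(1), m.group(2).strip())
            stack[-1].children.append(blk)
            stack.append(blk)
            continue
        m = CLOSE.match(line)
        if m:
            if len(stack) == 1 or stack[-1].kind != m.group(1):
                raise ValueError(f"unbalanced </{m.group(1)}>")
            stack.pop()
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        value = parts[1] if len(parts) > 1 else ""   # bare keys such as "PasswordAttr"
        stack[-1].params.setdefault(parts[0], []).append(value)
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1].kind}>")
    return root


def walk(blk):
    """Depth-first iteration over a Block tree."""
    yield blk
    for child in blk.children:
        yield from walk(child)


def check_ldap_password_flow(root):
    """Return findings for each AuthBy LDAP2 block.
    Assumption (this example's, not the post's): with EAPType MSCHAP-V2 the
    client proves the password by challenge/response, so no plaintext
    User-Password reaches the server for %P to expand to, and the server needs
    PasswordAttr to fetch a password to verify the response against."""
    findings = []
    for blk in walk(root):
        if blk.kind != "AuthBy" or blk.match.upper() != "LDAP2":
            continue
        ident = blk.get("Identifier", "<unnamed>")
        mschap = blk.get("EAPType").upper() == "MSCHAP-V2"
        bind_uses_p = any("%P" in v for k in ("AuthDN", "AuthPassword")
                          for v in blk.params.get(k, []))
        if mschap and bind_uses_p:
            findings.append(f"{ident}: AuthDN/AuthPassword reference %P, but "
                            "EAPType MSCHAP-V2 delivers no plaintext password")
        if mschap and not blk.get("PasswordAttr"):
            findings.append(f"{ident}: EAPType MSCHAP-V2 without PasswordAttr; "
                            "nothing to verify the MS-CHAP response against")
    return findings


# Constructed sample: a trimmed copy of the poster's test config.
SAMPLE = r"""
Trace 7
UsernameCharset a-zA-Z0-9\\._@-
RewriteUsername tr/A-Z/a-z/
<AuthBy LDAP2>
	Identifier UwoLDAP-LB
	EAPType MSCHAP-V2
	NoDefault
	Host auth.uwo.ca
	AuthDN uid=%U,ou=people,o=uwo.ca,dc=its
	AuthPassword %P
	AuthAttrDef description,Role,request
	AuthAttrDef loginShell,Shell,request
	BaseDN o=uwo.ca,dc=its
	UsernameAttr uid
	PasswordAttr
	Timeout 10
</AuthBy>
<Handler>
	AuthBy UwoLDAP
</Handler>
"""

if __name__ == "__main__":
    for finding in check_ldap_password_flow(parse_config(SAMPLE)):
        print(finding)
```

Run as a script it prints two findings for the sample block; a block with `PasswordAttr` set and no `%P` in the bind credentials produces none.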
_______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
