On 05/17/2012 11:45 PM, Michael Hulko wrote:

> I am not able to determine when using the %P variable, it does not
> pass the user password into the LDAP authentication.

Hello Michael,

There are a couple of things causing problems for you. First: I would consider changing the LDAP configuration a little. Either leave AuthDN and AuthPassword unset or use a special DN and password that are created for Radiator. In both cases you should also use ServerChecksPassword if there is no plaintext or encrypted password available from LDAP. However, before you change any of this, please read about the second problem.

> We are attempting to terminate the PEAP/EAP on our wireless controllers
> (Aruba) and pass the username and password to Radiator for
> authentication as this only requires a single common certificate to be
> presented to the clients, unless Radiator does not have an issue reusing
> certs on different servers?

The second problem is that there is no password available in PEAP/EAP-MSCHAP-V2 authentication, because MSCHAP-V2 does not send a password but uses a challenge/response calculated from the password. So even if you terminate PEAP/EAP-MSCHAP-V2 on the controller, the controller cannot create a RADIUS Access-Request with a User-Password attribute. For this reason Radiator cannot put anything in %P. Also, binding to LDAP as the user cannot be used, since the password is not available.

Binding to LDAP as the user with the user's password works with EAP-TTLS/PAP, but for PEAP and other TTLS inner protocols you would need something like what is described below: access to the password or the NT-hashed password.

For PEAP/EAP-MSCHAP-V2 you would need to have the passwords in plain text or in NTHASH hashed format. Both of these work with MSCHAP-V2. Radiator would then fetch the plaintext or nthashed attribute from LDAP and run MSCHAP-V2 for authentication.

You can configure Radiator to use the same certificate on different machines. When, e.g., Radiators are duplicated, multiple servers share the same certificate so that clients do not get confused about different names in certificates.

> When I set the password in the config file statically, I receive an
> access-accept reply, however, when I attempt to use the %P parameter,
> the password is never included in the authentication.
>
> Suggestions would be appreciated....I have stripped the config down for
> testing purposes.

In summary: if you need to support MSCHAP-V2 in some form, you need to have nthashed (or plain text) password attributes in LDAP. When running Radiator on Windows, you can use AuthBy LSA for authentication if the LDAP really is AD. In this case you can use AuthBy LDAP2 to fetch any required check and reply attributes from AD while letting LSA do the authentication.

Thanks!
Heikki

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
