[RADIATOR] Auth by LDAP Since Linux to Windows Server 2008

2011-07-12 Thread Jovanny Saravia


  Hello to all,

I am evaluating Radiator and I am trying to authenticate from a Linux box to
LDAP on a Windows Server 2008.
I could connect to LDAP with AuthDN and AuthPassword, but I couldn't
authenticate users.

This is the configuration part:

<AuthBy LDAP2>
    Host                 XXX
    AuthDN
    AuthPassword
    BaseDN               cn=Users,dc=XXX,dc=XXX
    SearchFilter         cn=Grupo,cn=SubGrupo
    # <--- I tried with and without the SearchFilter line
    ServerChecksPassword
    UsernameAttr         sAMAccountName
    Version              3
    NoDefault
</AuthBy>

Testing ... 

[user@server ~]$ /usr/bin/radpwtst -user USER -password PASS --noacct 
-auth_port 1812 
sending Access-Request...
Rejected: Request Denied
[user@server ~]$ 

And finally the log:

Tue Jul 12 19:43:06 2011: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 35641 
Code:   Access-Request
Identifier: 111
Authentic:  xxx
Attributes:
User-Name = "USER"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = 

Tue Jul 12 19:43:06 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', 
Identifier ''
Tue Jul 12 19:43:06 2011: DEBUG:  Deleting session for USER, 203.63.154.1, 1234
Tue Jul 12 19:43:06 2011: DEBUG: Handling with Radius::AuthGROUP: 
Tue Jul 12 19:43:06 2011: DEBUG: Handling with Radius::AuthLDAP2: 
Tue Jul 12 19:43:06 2011: INFO: Connecting to ldap:389
Tue Jul 12 19:43:06 2011: INFO: Attempting to bind to LDAP server ldap:389
Tue Jul 12 19:43:06 2011: DEBUG: No entries for dvalencia found in LDAP database
Tue Jul 12 19:43:06 2011: DEBUG: Radius::AuthLDAP2 looks for match with USER 
[USER]
Tue Jul 12 19:43:06 2011: DEBUG: Radius::AuthLDAP2 REJECT: No such user: USER 
[USER]
Tue Jul 12 19:43:06 2011: DEBUG: Radius::AuthGROUP:  result: REJECT, No such 
user
Tue Jul 12 19:43:06 2011: DEBUG: AuthBy GROUP result: REJECT, No such user
Tue Jul 12 19:43:06 2011: INFO: Access rejected for USER: No such user
Tue Jul 12 19:43:06 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 35641 
Code:   Access-Reject
Identifier: 111
Attributes:
Reply-Message = "Request Denied"


Could somebody please tell me what I am doing wrong or what I am missing in
order to connect from Radiator on Linux to LDAP on Windows Server 2008?

Rgds,

-- js
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
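The log above shows the lookup stage failing ("No entries for ... found in LDAP database"), so the user is rejected before any password is checked. The script below is an added example, not Radiator code and not from the poster: it reproduces the search an AuthBy LDAP2 clause would issue against a constructed in-memory directory, so the BaseDN, UsernameAttr and SearchFilter can be checked before they go into the Radiator configuration. It assumes (from the Radiator reference manual, not confirmed in this thread) that the default filter is `(%0=%1)` with `%0` = UsernameAttr and `%1` = the User-Name, and that a SearchFilter value replaces that whole filter; the entry names and DNs are constructed. The escaping follows RFC 4515, which is what keeps a crafted User-Name from rewriting the filter.

```python
"""Check an AuthBy LDAP2 lookup outside Radiator (added example, not
Radiator code).  Assumed: the filter sent is (%0=%1), %0 = UsernameAttr,
%1 = User-Name, unless SearchFilter replaces it.  The directory below is
a constructed stand-in for the Windows Server 2008 LDAP."""
import re

# RFC 4515: these characters must be hex-escaped inside an assertion value,
# otherwise a User-Name such as 'x)(objectClass=*' rewrites the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(username_attr, username, search_filter=None):
    """Expand the filter the LDAP server would receive (assumed %0/%1 placeholders)."""
    user = escape_filter_value(username)
    if search_filter is None:
        return f"({username_attr}={user})"
    return search_filter.replace("%0", username_attr).replace("%1", user)


def looks_like_ldap_filter(flt):
    """A filter is one parenthesised expression with balanced parentheses.
    'cn=Grupo,cn=SubGrupo' is a DN fragment, not a filter, and fails here."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for ch in flt:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0


def _components(body):
    """Split '(a=1)(b=2)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def _matches(flt, entry):
    """Evaluate (attr=value), (attr=*) and (&...)/(|...) against one entry."""
    if flt[:2] in ("(&", "(|"):
        results = [_matches(p, entry) for p in _components(flt[2:-1])]
        return all(results) if flt[1] == "&" else any(results)
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter component: {flt!r}")
    attr, value = m.group(1).lower(), _unescape(m.group(2))
    values = [v.lower() for k, vs in entry.items()
              if k.lower() == attr and isinstance(vs, list) for v in vs]
    if value == "*":                 # presence test
        return bool(values)
    return value.lower() in values   # AD matches sAMAccountName case-insensitively


def search(directory, base_dn, flt):
    """Subtree search under base_dn; returns the matching DNs."""
    if not looks_like_ldap_filter(flt):
        raise ValueError(f"not an LDAP filter: {flt!r}")
    base = base_dn.lower()
    return [e["dn"] for e in directory
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and _matches(flt, e)]


# Constructed sample directory: one user under cn=Users, one in another OU.
DIRECTORY = [
    {"dn": "CN=Alice,CN=Users,DC=example,DC=test",
     "objectClass": ["user"], "sAMAccountName": ["alice"]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=test",
     "objectClass": ["user"], "sAMAccountName": ["bob"]},
]


def diagnose(base_dn, username_attr, username, search_filter=None, directory=DIRECTORY):
    """Three outcomes: bad filter, no entry (what Radiator logs as
    'No such user'), or the DN that would be bound to for the password check."""
    flt = build_filter(username_attr, username, search_filter)
    if not looks_like_ldap_filter(flt):
        return f"invalid filter: {flt}"
    hits = search(directory, base_dn, flt)
    if not hits:
        return f"no entries for {username} under {base_dn} with {flt}"
    return hits[0]


if __name__ == "__main__":
    print(diagnose("cn=Users,dc=example,dc=test", "sAMAccountName", "alice"))
    print(diagnose("cn=Users,dc=example,dc=test", "sAMAccountName", "bob"))
    print(diagnose("dc=example,dc=test", "sAMAccountName", "bob", "(&(objectClass=user)(%0=%1))"))
    print(diagnose("cn=Users,dc=example,dc=test", "sAMAccountName", "alice", "cn=Grupo,cn=SubGrupo"))
```

The four calls at the bottom reproduce the cases worth checking: a user directly under the BaseDN is found; a user in another OU is missed until the BaseDN is widened to the domain root; a group restriction belongs inside a real filter such as `(&(objectClass=user)(%0=%1))`; and a DN fragment used as SearchFilter is not a filter at all. Against the real server the same checks can be run with `ldapsearch` using the AuthDN bind and the same BaseDN and filter.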

[RADIATOR] Auth by LDAP Since Linux to Windows Server 2008

2011-07-12 Thread Jovanny Saravia

Sorry, the previous messages were sent in HTML format and not in plain text.
Rgds,
-- js 
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Calling-Station-Id problem

2011-07-12 Thread Heikki Vatiainen
On 07/12/2011 06:57 PM, Fabio Ciampi wrote:

Hello Fabio,

> I attach the new configuration file that I wrote.
> As you can see my configuration file have two different handler. One for
> the outer and one for the inner authentication.
> 
> I can use radpwtst with the command:
> 
> perl radpwtst -user fa...@test.it -password hello -chap
> 
> but, in this way , I test only the handler for the outher
> authentication. As you said it works.

Good to hear it works.

> My problem instead seems to be in the inner authentication that is
> dispatched to the handler:
> 
> and I don't know how I can test it with radpwtst.

You cannot test it with radpwtst. To test TTLS, PEAP and many other
protocols, please see eapol_test:

http://hostap.epitest.fi/wpa_supplicant/devel/testing_tools.html

> The Access-Request messages contain the Calling-Station-Id and
> Called-Station-Id.
> Here is what I got in the log file:

> Tue Jul 12 16:35:19 2011: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:   UNDEF
> Identifier: UNDEF
> Authentic:  UNDEF
> Attributes:
> User-Name = "fa...@test.it"
> User-Password = hello<0><0><0><0><0><0><0>

As you can see the inner authentication contains only two attributes. If
you need to log Called- and Calling-Station-Id from the inner request
with AuthLog, use %{OuterRequest:Calling-Station-Id} with SuccessFormat.
With this you can reach back to the outer request and fetch the
attribute value from there.

Try this: MAC-user = "%{OuterRequest:Calling-Station-Id}" %r

See ref.pdf, section "5.2 Special characters". The table there has more about
the %{OuterRequest:name} format.

Thanks!
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Calling-Station-Id problem

2011-07-12 Thread Heikki Vatiainen
On 07/11/2011 05:53 PM, Fabio Ciampi wrote:

Hello Fabio

> I have in my radius.cfg file:
> 
> 
> 
> Identifier eduroam-isti-log
> Filename %L/%Y%m%d-isti-auth.log
>
> LogSuccess 1
> LogFailure 1
> SuccessFormat %d/%m/%Y -- %H:%M:%S -- DOMAIN: %R :AUTHENTICATION  %r \
> ssid = "eduroam"  %r \
> user = "%n"  %r \
> NAS = "%N"  %r  \
> MAC-user = "%{Calling-Station-Id}" AP-wvlan =
> "%{Called-Station-Id}" %r
> 
>FailureFormat %d/%m/%Y -- %H:%M:%S -- DOMAIN: %R :FAIL  %r \
>  user = "%n" password= ***  %r \
>  NAS = %N:"%{NAS-Identifier}" IP-user = "%{Framed-IP-Address}" %r \
>  MAC-user = "%{Calling-Station-Id}" AP-wvlan =
> "%{Called-Station-Id}" ssid = "%{ssid}" %r
> 
> 

> So I don't get in the isti-auth.log file the Calling-Station-Id
> attribute value.
> How can I solve this problem?

I tried your configuration with radpwtst. Here's what I did:

% ./radpwtst -trace 4 -noacct -password notfred
% ./radpwtst -trace 4 -noacct

The first request failed as it should, and the second was successful as
it should be.

The authlog looked like this:

12/07/2011 -- 15:46:49 -- DOMAIN:  :FAIL
 user = "mikem" password= ***
 NAS = 203.63.154.1:"203.63.154.1" IP-user = ""
 MAC-user = "987654321" AP-wvlan = "123456789" ssid = ""

12/07/2011 -- 15:46:52 -- DOMAIN:  :AUTHENTICATION
 ssid = "eduroam"
 user = "mikem"
 NAS = "203.63.154.1"
 MAC-user = "987654321" AP-wvlan = "123456789"

Attributes radpwtst sends are:
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
bU<218><9><27><241><5><172><135>M<219><26><236><4>U<200>

Your configuration looks correct so you should check you are receiving
Calling-Station-Id and Called-Station-Id in the Access-Request messages.

You could also try testing with radpwtst.

Thanks!

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
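Both replies above turn on how AuthLog format specials resolve: `%{Attr}` reads the request being logged, so on the inner request of an EAP-TTLS exchange (which, as the tunnelled packet dump shows, carries only User-Name and User-Password) `%{Calling-Station-Id}` is empty, while `%{OuterRequest:Attr}` reaches the outer request where the NAS put the station ids. The script below is an added example, not Radiator's code: it expands a subset of the format language against a constructed outer/inner request pair so the two behaviours can be seen side by side. The subset handled (%n User-Name, %N NAS-IP-Address, %R realm, %r newline, %{Attr}, %{OuterRequest:Attr}) is assumed from ref.pdf; the attribute values and user names are constructed.

```python
"""Expand Radiator-style AuthLog formats for inner vs outer requests
(added example, not Radiator's code; specials handled are assumed from
ref.pdf and the values below are constructed)."""
import re

_SPEC = re.compile(r"%\{([^}]+)\}|%([nNRr])")


class Request:
    """Minimal stand-in for a Radiator request: attributes plus optional outer request."""

    def __init__(self, attrs, outer=None):
        self.attrs = dict(attrs)
        self.outer = outer

    def get(self, name):
        return self.attrs.get(name, "")


def expand(fmt, req):
    """Expand one format string against req in a single pass, so attribute
    values that themselves contain '%' are never re-expanded."""
    def repl(m):
        attr, code = m.group(1), m.group(2)
        if attr is not None:
            if attr.startswith("OuterRequest:"):
                name = attr[len("OuterRequest:"):]
                return req.outer.get(name) if req.outer else ""
            return req.get(attr)
        return {
            "n": req.get("User-Name"),
            "N": req.get("NAS-IP-Address"),
            "R": req.get("User-Name").partition("@")[2],   # realm after '@'
            "r": "\n",
        }[code]
    return _SPEC.sub(repl, fmt)


def references_password(fmt):
    """The FailureFormat in the thread writes 'password= ***'; this flags a
    format that would instead write the cleartext inner password to the log."""
    return any(m.group(1) and m.group(1).split(":")[-1] == "User-Password"
               for m in _SPEC.finditer(fmt))


# Constructed sample: the outer EAP-TTLS request as a NAS would send it, and
# the tunnelled inner request carrying only the two attributes the debug
# dump in the thread shows.
OUTER = Request({
    "User-Name": "anonymous@example.test",
    "NAS-IP-Address": "192.0.2.1",
    "Calling-Station-Id": "00-11-22-33-44-55",
    "Called-Station-Id": "AA-BB-CC-DD-EE-FF:eduroam",
})
INNER = Request({"User-Name": "inner-user@example.test",
                 "User-Password": "hello"}, outer=OUTER)

# The SuccessFormat from the thread without its timestamp codes, using the
# suggested OuterRequest reach-back for the station ids.
SUCCESS_FORMAT = ('DOMAIN: %R :AUTHENTICATION%r'
                  ' ssid = "eduroam"%r'
                  ' user = "%n"%r'
                  ' NAS = "%N"%r'
                  ' MAC-user = "%{OuterRequest:Calling-Station-Id}"'
                  ' AP-wvlan = "%{OuterRequest:Called-Station-Id}"')


def log_inner_success(inner=INNER):
    """The AuthLog line produced when the inner request is the one logged."""
    return expand(SUCCESS_FORMAT, inner)


if __name__ == "__main__":
    print(expand('MAC-user = "%{Calling-Station-Id}"', INNER))              # empty
    print(expand('MAC-user = "%{OuterRequest:Calling-Station-Id}"', INNER))  # filled
    print(log_inner_success())
```

Note that `NAS = "%N"` is also empty on the inner request for the same reason, so any field that originates at the NAS needs the `OuterRequest:` prefix when the AuthLog is attached to the inner handler; on the outer handler, as in Heikki's radpwtst test, the plain `%{Calling-Station-Id}` form is correct.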