[RADIATOR] Auth by LDAP Since Linux to Windows Server 2008

Hello to all,

I am evaluating Radiator and I am trying to authenticate from a Linux box to LDAP on a Windows Server 2008. I could connect to LDAP with AuthDN and AuthPassword, but I couldn't authenticate users. This is the configuration part:

Host XXX
AuthDN
AuthPassword
BaseDN cn=Users,dc=XXX,dc=XXX
SearchFilter cn=Grupo,cn=SubGrupo   (<--- I tried with and without this line)
ServerChecksPassword
UsernameAttr sAMAccountName
Version 3
NoDefault

Testing ...

[user@server ~]$ /usr/bin/radpwtst -user USER -password PASS --noacct -auth_port 1812
sending Access-Request...
Rejected: Request Denied
[user@server ~]$

And finally the log:

[user@server ~]#
Tue Jul 12 19:43:06 2011: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 35641
Code:       Access-Request
Identifier: 111
Authentic:  xxx
Attributes:
        User-Name = "USER"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password =

Tue Jul 12 19:43:06 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Jul 12 19:43:06 2011: DEBUG: Deleting session for USER, 203.63.154.1, 1234
Tue Jul 12 19:43:06 2011: DEBUG: Handling with Radius::AuthGROUP:
Tue Jul 12 19:43:06 2011: DEBUG: Handling with Radius::AuthLDAP2:
Tue Jul 12 19:43:06 2011: INFO: Connecting to ldap:389
Tue Jul 12 19:43:06 2011: INFO: Attempting to bind to LDAP server ldap:389
Tue Jul 12 19:43:06 2011: DEBUG: No entries for dvalencia found in LDAP database
Tue Jul 12 19:43:06 2011: DEBUG: Radius::AuthLDAP2 looks for match with USER [USER]
Tue Jul 12 19:43:06 2011: DEBUG: Radius::AuthLDAP2 REJECT: No such user: USER [USER]
Tue Jul 12 19:43:06 2011: DEBUG: Radius::AuthGROUP: result: REJECT, No such user
Tue Jul 12 19:43:06 2011: DEBUG: AuthBy GROUP result: REJECT, No such user
Tue Jul 12 19:43:06 2011: INFO: Access rejected for USER: No such user
Tue Jul 12 19:43:06 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 35641
Code:       Access-Reject
Identifier: 111
Attributes:
        Reply-Message = "Request Denied"

Please, somebody tell me what I am doing wrong or what I am missing in order to connect from Radiator on Linux to LDAP on MS Windows Server 2008.

Rgds,
-- 
js

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
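To reason about the "No entries for dvalencia found in LDAP database" line without a directory at hand, here is an added example (not Radiator's own code) that rebuilds the user lookup an AuthBy LDAP2 clause like the one above would send and checks that the resulting filter is syntactically an LDAP filter at all. It assumes that with no SearchFilter the lookup is (%0=%1), %0 being UsernameAttr and %1 the user name, and that a configured SearchFilter is a template in which %0 and %1 are substituted the same way.

```python
import re

# Added example, not Radiator's code: rebuild the user lookup an AuthBy
# LDAP2 clause like the one in the post sends, and check that the filter
# is syntactically a filter before blaming the directory.  Assumption:
# with no SearchFilter the lookup is (%0=%1), %0 = UsernameAttr and
# %1 = user name; a configured SearchFilter is a template in which %0
# and %1 are substituted the same way.

def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP filter (RFC 4515), so a user name such
    as 'x)(objectClass=*' cannot widen the search."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c
                   for c in value)

def build_search_filter(username_attr, username, search_filter=None):
    """The filter sent for one user; the user name is always escaped."""
    template = search_filter or '(%0=%1)'
    return (template.replace('%0', username_attr)
                    .replace('%1', escape_filter_value(username)))

# One leaf item: attribute, comparison operator, value with no bare
# parentheses (simplified: extensible-match rules are not handled).
_ITEM = re.compile(r'^[A-Za-z][\w.;-]*(~=|>=|<=|:=|=)[^()]*$')

def _parse(s, i):
    """Parse one '(...)' filter at s[i]; return the index just after it,
    or -1 if it is not a well-formed RFC 4515 filter."""
    if i >= len(s) or s[i] != '(':
        return -1
    i += 1
    if i < len(s) and s[i] in '&|!':   # &, |: one or more; !: exactly one
        op = s[i]
        i = _parse(s, i + 1)
        while op != '!' and 0 <= i < len(s) and s[i] == '(':
            i = _parse(s, i)
        if i < 0:
            return -1
    else:                              # leaf item
        j = s.find(')', i)
        if j < 0 or not _ITEM.match(s[i:j]):
            return -1
        i = j
    return i + 1 if i < len(s) and s[i] == ')' else -1

def is_well_formed_filter(flt: str) -> bool:
    """True only if the whole string is exactly one well-formed filter."""
    return _parse(flt, 0) == len(flt)
```

Run with the post's values: the default lookup yields (sAMAccountName=dvalencia) and passes the check, while a SearchFilter of cn=Grupo,cn=SubGrupo is not a parenthesised filter expression and fails it.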
Re: [RADIATOR] Calling-Station-Id problem

On 07/12/2011 06:57 PM, Fabio Ciampi wrote:

Hello Fabio,

> I attach the new configuration file that I wrote.
> As you can see my configuration file has two different handlers. One for
> the outer and one for the inner authentication.
>
> I can use radpwtst with the command:
>
> perl radpwtst -user fa...@test.it -password hello -chap
>
> but, in this way, I test only the handler for the outer
> authentication. As you said it works.

Good to hear it works.

> My problem instead seems to be in the inner authentication that is
> dispatched to the handler:
>
> and I don't know how I can test it with radpwtst.

You can not test it with radpwtst. To test TTLS, PEAP and many other protocols, please see eapol_test:
http://hostap.epitest.fi/wpa_supplicant/devel/testing_tools.html

> The Access-Request messages contain the Calling-Station-Id and
> Called-Station-Id.
> Here is what I got in the log file:
> Tue Jul 12 16:35:19 2011: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       UNDEF
> Identifier: UNDEF
> Authentic:  UNDEF
> Attributes:
>         User-Name = "fa...@test.it"
>         User-Password = hello<0><0><0><0><0><0><0>

As you can see the inner authentication contains only two attributes.

If you need to log Called- and Calling-Station-Id from the inner request with AuthLog, use %{OuterRequest:Calling-Station-Id} with SuccessFormat. With this you can reach back to the outer request and fetch the attribute value from there.

Try this:

MAC-user = "%{OuterRequest:Calling-Station-Id}" %r

See ref.pdf section "5.2 Special characters". The table has more about the %{OuterRequest:name} format.

Thanks!
Heikki

-- 
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] Calling-Station-Id problem

On 07/11/2011 05:53 PM, Fabio Ciampi wrote:

Hello Fabio

> I have in my radius.cfg file:
>
> Identifier eduroam-isti-log
> Filename %L/%Y%m%d-isti-auth.log
>
> LogSuccess 1
> LogFailure 1
> SuccessFormat %d/%m/%Y -- %H:%M:%S -- DOMAIN: %R :AUTHENTICATION %r \
>   ssid = "eduroam" %r \
>   user = "%n" %r \
>   NAS = "%N" %r \
>   MAC-user = "%{Calling-Station-Id}" AP-wvlan = "%{Called-Station-Id}" %r
>
> FailureFormat %d/%m/%Y -- %H:%M:%S -- DOMAIN: %R :FAIL %r \
>   user = "%n" password= *** %r \
>   NAS = %N:"%{NAS-Identifier}" IP-user = "%{Framed-IP-Address}" %r \
>   MAC-user = "%{Calling-Station-Id}" AP-wvlan = "%{Called-Station-Id}" ssid = "%{ssid}" %r
>
> So I don't get in the isti-auth.log file the Calling-Station-Id
> attribute value.
> How can I solve this problem?

I tried your configuration with radpwtst. Here's what I did:

% ./radpwtst -trace 4 -noacct -password notfred
% ./radpwtst -trace 4 -noacct

The first request failed as it should, and the second was successful as it should be. The authlog looked like this:

12/07/2011 -- 15:46:49 -- DOMAIN: :FAIL
user = "mikem" password= ***
NAS = 203.63.154.1:"203.63.154.1" IP-user = ""
MAC-user = "987654321" AP-wvlan = "123456789" ssid = ""
12/07/2011 -- 15:46:52 -- DOMAIN: :AUTHENTICATION
ssid = "eduroam"
user = "mikem"
NAS = "203.63.154.1"
MAC-user = "987654321" AP-wvlan = "123456789"

Attributes radpwtst sends are:

Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = bU<218><9><27><241><5><172><135>M<219><26><236><4>U<200>

Your configuration looks correct, so you should check you are receiving Calling-Station-Id and Called-Station-Id in the Access-Request messages. You could also try testing with radpwtst.

Thanks!

-- 
Heikki Vatiainen
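Both replies above turn on the same point: the SuccessFormat works on the outer Access-Request, where radpwtst supplies Calling-Station-Id, but the tunnelled inner request carries only User-Name and User-Password, so %{Calling-Station-Id} expands to nothing there and %{OuterRequest:Calling-Station-Id} has to reach back. The following is an added example, not Radiator's own code: a small emulation of that expansion over two constructed requests. It models only %n, %%, %{Attr} and %{OuterRequest:Attr}, and assumes %n is User-Name and that an attribute missing from the request expands to an empty string; the identities in the sample requests are made up.

```python
import re

# Added example, not Radiator's code: a small emulation of AuthLog
# SuccessFormat expansion for a TTLS inner request, showing why
# %{Calling-Station-Id} is empty there and why Heikki's
# %{OuterRequest:Calling-Station-Id} is not.  Only %n, %%, %{Attr} and
# %{OuterRequest:Attr} are modelled; assumptions: %n is User-Name and an
# attribute missing from the request expands to "".

# Constructed sample requests (identities made up).  The outer one uses
# the attribute names and values radpwtst sent in the thread; the
# tunnelled inner one carries only User-Name and User-Password, as the
# "TTLS Tunnelled Diameter Packet dump" in the log shows.
OUTER_REQUEST = {
    'User-Name': 'anonymous@test.it',
    'NAS-IP-Address': '203.63.154.1',
    'Called-Station-Id': '123456789',
    'Calling-Station-Id': '987654321',
}
INNER_REQUEST = {'User-Name': 'inner-user@test.it', 'User-Password': 'hello'}

_SPEC = re.compile(r'%\{([^}]*)\}|%([n%])')

def expand_format(fmt, request, outer=None):
    """Expand the modelled specifiers against `request`; the
    OuterRequest: prefix looks the attribute up in `outer` instead."""
    def repl(m):
        if m.group(2) == '%':
            return '%'
        if m.group(2) == 'n':
            return request.get('User-Name', '')
        name = m.group(1)
        if name.startswith('OuterRequest:'):
            return (outer or {}).get(name[len('OuterRequest:'):], '')
        return request.get(name, '')
    return _SPEC.sub(repl, fmt)

# The MAC-user fragment of the SuccessFormat in the thread, and the
# OuterRequest form Heikki suggested for the inner Handler's AuthLog.
FORMAT_ORIGINAL = 'user = "%n" MAC-user = "%{Calling-Station-Id}"'
FORMAT_OUTER = 'user = "%n" MAC-user = "%{OuterRequest:Calling-Station-Id}"'

def inner_log_line(fmt):
    """What an AuthLog on the inner-authentication Handler would write."""
    return expand_format(fmt, INNER_REQUEST, outer=OUTER_REQUEST)

if __name__ == '__main__':
    print(inner_log_line(FORMAT_ORIGINAL))  # MAC-user = ""
    print(inner_log_line(FORMAT_OUTER))     # MAC-user = "987654321"
```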