Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Johnson, Neil M
In summary,

- User "nmjoo" is a member of the group "ITS-WIRELESS-IOWA".
- Group "ITS-WIRELESS-IOWA" is a member of the group "ITS-WIRELESS".
- User "spong" is a member of the group "ITS-WIRELESS".

Then:

- Win32::NetAdmin::GroupIsMember("", "ITS-WIRELESS", "spong") and AuthBy LSA: succeeds
- Win32::NetAdmin::GroupIsMember("", "ITS-WIRELESS-IOWA", "nmjoo") and AuthBy LSA: succeeds
- Win32::NetAdmin::GroupIsMember("", "ITS-WIRELESS", "nmjoo") and AuthBy LSA: fails

I created a bug report (#61838) for the Win32::NetAdmin module on CPAN, but it could
be tricky because you could create a loop with nested groups.

Thanks.

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: [email protected]


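The two failure modes in this summary, a membership test that does not descend into nested groups and the loop that a nested-group walker must survive, worked through as an added example. This is not code from the thread, from Radiator or from Win32::NetAdmin. The directory snapshot is constructed to mirror the thread (nmjoo in ITS-WIRELESS-IOWA, which sits inside ITS-WIRELESS; spong directly in ITS-WIRELESS); the DNs under DC=iowa,DC=example and the groups LOOP-A/LOOP-B, which reference each other so the cycle guard is exercised, are assumptions. The second half builds the LDAP query that the later messages in the thread point at as the alternative: Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941) makes the domain controller resolve the nesting server-side, and the filter value is escaped because in a RADIUS handler the account name comes straight from the request's User-Name attribute.

```python
"""Transitive AD group membership with cycle protection, plus the
server-side alternative (LDAP_MATCHING_RULE_IN_CHAIN filter).

Added example for the Radiator thread; not Radiator, Win32::NetAdmin or
Active Directory code.  All directory data below is constructed.
"""
from collections import deque

# Constructed snapshot of each group's 'member' attribute, keyed by group DN.
# The DNs are assumptions.  LOOP-A and LOOP-B reference each other on purpose.
BASE = "DC=iowa,DC=example"
G_WIRELESS = f"CN=ITS-WIRELESS,OU=Groups,{BASE}"
G_WIRELESS_IOWA = f"CN=ITS-WIRELESS-IOWA,OU=Groups,{BASE}"
G_LOOP_A = f"CN=LOOP-A,OU=Groups,{BASE}"
G_LOOP_B = f"CN=LOOP-B,OU=Groups,{BASE}"
U_NMJOO = f"CN=nmjoo,OU=Users,{BASE}"
U_SPONG = f"CN=spong,OU=Users,{BASE}"
U_OTHER = f"CN=someone,OU=Users,{BASE}"

DIRECTORY = {
    G_WIRELESS: [G_WIRELESS_IOWA, U_SPONG, G_LOOP_A],
    G_WIRELESS_IOWA: [U_NMJOO],
    G_LOOP_A: [G_LOOP_B],
    G_LOOP_B: [G_LOOP_A],
}


def expand_group(directory, group_dn):
    """Return (principals, groups_visited) reachable from group_dn through
    nested 'member' links.  Every group is expanded at most once, so a
    cycle such as LOOP-A <-> LOOP-B terminates instead of recursing forever."""
    members, visited = set(), set()
    queue = deque([group_dn])
    while queue:
        dn = queue.popleft()
        if dn in visited:
            continue
        visited.add(dn)
        for child in directory.get(dn, []):
            if child in directory:      # nested group: walk into it
                queue.append(child)
            else:                       # leaf principal (user or computer)
                members.add(child)
    return members, visited


def is_member(directory, group_dn, principal_dn):
    """Transitive membership test: the check GroupIsMember() does not make
    for nested groups.  Cost is bounded by the number of distinct groups,
    not by the length of any membership chain."""
    members, _ = expand_group(directory, group_dn)
    return principal_dn in members


# RFC 4515 escaping for values spliced into a search filter.  A RADIUS
# User-Name is attacker-controlled; never interpolate it unescaped.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def nested_member_filter(sam_account_name, group_dn):
    """Filter that asks the DC to resolve nesting itself: it matches the
    account only if group_dn appears anywhere in its memberOf chain."""
    return ("(&(objectClass=user)"
            f"(sAMAccountName={ldap_escape(sam_account_name)})"
            f"(memberOf:{IN_CHAIN}:={ldap_escape(group_dn)}))")


if __name__ == "__main__":
    for user in (U_NMJOO, U_SPONG, U_OTHER):
        name = user.split(",")[0]
        print(f"{name} in ITS-WIRELESS (transitive): "
              f"{is_member(DIRECTORY, G_WIRELESS, user)}")
    print(nested_member_filter("nmjoo", G_WIRELESS))
```

The client-side walk is what a Perl Net::LDAP loop in a Radiator hook would have to do if it reads `member` attributes itself; the single in-chain filter replaces that loop with one search against the domain controller, which is the cheaper and simpler option where the DC supports the matching rule.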

Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Johnson, Neil M
Actually it's because we have nested groups in the Universal group.

If I use an account that is in the base group list, it works, but if I use
an account that is in a group that is in the Universal group, it doesn't
work.

Still, the solution looks to be having to do LDAP lookup(s).

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: [email protected]



Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Johnson, Neil M
Okay,

I think I may have found the issue.

The group I'm trying to query is an Active Directory "Universal" group. If I
query a "Global" group, it works.

It appears that Win32::NetAdmin does not support "Universal" groups and that
the only solution is to perform an LDAP or ADSI query.

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: [email protected]


Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Johnson, Neil M
Mike,

I'm running with my domain account (which has Administrator privileges) on the 
server with the "Act as part of the operating system" flag set.

Authentication works as long as I don't use a "Group" Directive.

I'm not sure how to proceed in debugging this.

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: [email protected]


___
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Johnson, Neil M
Mark,

Thanks for the tip. I can get AuthBy LSA to work for me unless I try to test for
group membership, which I need to do in order to assign users to a specific VLAN.

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: [email protected]


Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Pearson, Mark
Hi, I have it working by running Radiator on a server in the domain.
Note that you need 4.7 to use the magic bit UsernameMatchesWithoutRealm.
Nothing is needed on the actual DCs regarding Radiator in our case.


 
### The next line strips the @realm portion to allow AD to authenticate against it
  UsernameMatchesWithoutRealm
  EAPType MSCHAP-V2
 


### This is the outer request where [email protected] are captured
 

 
  Filename %D/users
  
### This tells the PEAP client what types of inner EAP requests we will honour
  EAPType PEAP, TTLS
  EAPTLS_CAFile %D/certificates/terenasslca.pem
  EAPTLS_CertificateFile %D/certificates/final-cert.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile %D/certificates/mykey.pem
  EAPTLS_PrivateKeyPassword
  EAPTLS_MaxFragmentSize 1000
  AutoMPPEKeys
  SSLeayTrace 4
  EAPTLS_PEAPVersion 0
  
### Added EAPAnonymous %{User-Name} to the outer AuthBy 
### This will send the outer username  as the inner username 
### (instead of "anonymous")

  EAPAnonymous %{User-Name}

 
 


regards
Mark Pearson
Senior Technical Support Analyst
Information Systems
Nottingham Trent University

tel: 0115 8488287


Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-09-30 Thread Mike McCauley
Hello Neil,

On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> No, I'm running it on a member server.
>
> Our AD administrators are very reluctant to run applications on PDC's and
> BDC's. I can ask but I don't think I will get permission.
>
> Will it work on a BDC ?
>
> If not, do I have any other options ? Currently I'm using Radiator to proxy
> 802.1X requests to Juniper Steel-Belted Radius in order to re-write VLAN
> attributes. I was kind of hoping to eliminate SBR in part to simplify
> support for Eduroam.

Tests here show that it works OK on any domain member provided that the user 
who is running the script is logged in to the domain.

Cheers.




-- 
Mike McCauley   [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.


Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-09-30 Thread Johnson, Neil M

No, I'm running it on a member server.

Our AD administrators are very reluctant to run applications on PDC's and 
BDC's. I can ask but I don't think I will get permission.

Will it work on a BDC ?

If not, do I have any other options ? Currently I'm using Radiator to proxy 
802.1X requests to Juniper Steel-Belted Radius in order to re-write VLAN 
attributes. I was kind of hoping to eliminate SBR in part to simplify support 
for Eduroam.

Thanks.

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: [email protected]




Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-09-29 Thread Mike McCauley
Hello Neil,

tests here show that your script (suitably modified) works provided you run it 
on the PDC as the administrator. 

Is that how you are testing?

Cheers.

On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> I whipped up a script based on what I could find in the source code to test
> group membership and it doesn't seem to matter if the group is local or
> global, it can't find it:
>
> #!c:\perl64\bin\perl.exe
>
> use strict;
> use warnings;
> use Win32::NetAdmin;
>
> my $User = "nmjoo";
> my $Group = "ITS-WIRELESS";
> my $Domain = "IOWA";
> my $Server = "";
>
> print "Getting Domain Controller\n";
> # GetDomainController returns false on failure; don't go on with an empty server name
> Win32::NetAdmin::GetDomainController("", $Domain, $Server)
>     or die "Cannot find a domain controller for domain $Domain: $^E\n";
> print "Domain Controller for Domain $Domain is $Server\n";
>
> print "Checking to see if user: $User is member of Group: $Group\n";
> # Try the name as a global (domain) group first, then as a local group
> if ( Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
>      || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User) ) {
>     print "$User is Member of group $Group\n";
> }
> else {
>     print "$User is not Member of group $Group\n";
> }
> Output:
>
> C:\Program Files\Radiator>test2.pl
> Getting Domain Controller
> Domain Controller for Domain IOWA is \\IOWADC1
> Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> nmjoo is not Member of group ITS-WIRELESS
> C:\Program Files\Radiator>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: [email protected]



-- 
Mike McCauley   [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070
