Hello Mauro -


You are correct, you will need to use plaintext passwords with LEAP.

regards

Hugh


On Wednesday, Jul 16, 2003, at 19:04 Australia/Melbourne, ZAGO, Mauro wrote:


Dear all,
I am trying to configure Radiator as radius server for a Cisco Aironet 340.
My userlist is on an OpenLDAP server.
It seems that Radiator is unable to interpret SHA passwords that come from LDAP in conjunction with "EAPType LEAP"!!!!
SHA passwords are correctly interpreted when I use another Handler (without EAPType LEAP).
Plaintext passwords are always working!




Radius.cfg:
<Client 192.168.xxx.xxx>
  Secret  mysecret
  DupInterval 0
  DefaultRealm wireless.realm
</Client>
#
# Not working Handler
#
<Handler Realm=wireless.realm>
  RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
  AuthByPolicy ContinueWhileReject
  <AuthBy LDAP2>
    Host ldap.mydomain.com
    Port 389
    BaseDN dc=mydomain,dc=com
    UsernameAttr uid
    PasswordAttr userPassword
    ServerChecksPassword
    EAPType LEAP
  </AuthBy>
</Handler>

#
# Working Handler (for other clients - Cisco Access Point)
#
<Handler>
  RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
  AuthByPolicy ContinueWhileReject
  MaxSessions 2
  <AuthBy SQL>
    DBSource dbi:mysql:xxxxx:localhost
    DBUsername xxxxx
    DBAuth xxxxxxxxxx
    AuthSelect select password, profile, freezed from dbo_userlist where name='%n'
    AuthColumnDef 0, User-Password, check
    AuthColumnDef 1, cisco-avpair, reply
    AuthColumnDef 2, Prohibit, check
    AddToReply Service-Type=Framed-User,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0,Framed-Compression=Van-Jacobson-TCP-IP,Framed-MTU=1500,cisco-avpair="ip:dns-servers=193.205.206.23 193.205.195.12",Framed-Routing=None
    AccountingTable ACCOUNTING
    AcctColumnDef .....
    AcctColumnDef .....
    .....
  </AuthBy>
  <AuthBy LDAP2>
    Host ldap.mydomain.com
    Port 389
    AuthDN cn=Manager,dc=maydomain,dc=com
    AuthPassword xxxxxxxx
    BaseDN dc=mydomain,dc=it
    UsernameAttr uid
    PasswordAttr userPassword
    HoldServerConnection
    AddToReply ..........
  </AuthBy>
</Handler>






Logfile:

# When "wireless.realm" is used
....
Wed Jul 16 10:18:35 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jul 16 10:18:35 2003: DEBUG: Handling with EAP: code 2, 48, 42
Wed Jul 16 10:18:35 2003: DEBUG: Response type 17
Wed Jul 16 10:18:35 2003: INFO: Connecting to ldap.mydomain.com, port 389
Wed Jul 16 10:18:35 2003: INFO: Attempting to bind to LDAP server ldap.mydomain.com:389)
Wed Jul 16 10:18:36 2003: DEBUG: LDAP got result for cn=Surname Name,ou=unit1,dc=mydomain,dc=com
....
Wed Jul 16 10:18:36 2003: DEBUG: LDAP got userPassword: {SHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Wed Jul 16 10:18:36 2003: DEBUG: Radius::AuthLDAP2 looks for match with name.surname
Wed Jul 16 10:18:36 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Jul 16 10:18:36 2003: INFO: Access rejected for name.surname: Bad LEAP Password
....


# When the default Handler is used (Cisco access point - client of this realm)
.....
Mon Jul 14 14:29:50 2003: DEBUG: Handling with Radius::AuthLDAP2:
Mon Jul 14 14:29:50 2003: INFO: Connecting to ldap.mydomain.com, port 389
Mon Jul 14 14:29:50 2003: INFO: Attempting to bind to LDAP server ldap.mydomain.com:389)
Mon Jul 14 14:29:50 2003: DEBUG: LDAP got result for cn=Surname Name,ou=unit1,dc=mydomain,dc=com
Mon Jul 14 14:29:50 2003: DEBUG: LDAP got userPassword: {SHA}xxxxxxxxxxxxxxxxxxxxxxxxxxx
Mon Jul 14 14:29:50 2003: DEBUG: Radius::AuthLDAP2 looks for match with name.surname
Mon Jul 14 14:29:50 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
Mon Jul 14 14:29:50 2003: DEBUG: Access accepted for name.surname
.....




Thanks in advance for all your responses.

PS: sorry for my horrible English


******************************** Mauro Zago

Università degli Studi di Trento
ATI Network
Via Briamasco, 2
38100 - Trento - Italia

*********************************

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
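The reason behind Hugh's answer, as an added illustration that is not Radiator code or anything from this thread: with PAP the server receives the user's plaintext password, so it can re-hash it and compare against a one-way {SHA} or {SSHA} value from LDAP. LEAP is a challenge-response method (MS-CHAP style), so the server never sees the password; it must compute the expected response itself, which requires the stored credential to be recoverable plaintext (or, for MS-CHAP proper, the NT hash). The script below simulates both situations. The directory entries are constructed, and the challenge-response step is stood in for by RFC 1994 CHAP (MD5 over id, secret and challenge) because it needs only the standard library; LEAP's DES/NT-hash response differs in arithmetic but has the same dependency on a recoverable password.

```python
"""Why a {SHA} userPassword works for PAP but not for a LEAP-style exchange.

Added example, not Radiator code. Sample entries are constructed; CHAP (MD5)
stands in for LEAP's MS-CHAP style response.
"""
import base64
import hashlib
import hmac
import os


def parse_user_password(value):
    """Split an OpenLDAP userPassword value into (scheme, payload).

    '{SHA}...' -> ('SHA', '...'); a value without a {scheme} prefix is cleartext.
    """
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "CLEARTEXT", value


def make_ssha(password, salt=None):
    """Build a salted {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# Constructed sample entries, as an LDAP server would return userPassword.
SAMPLE_PASSWORD = "s3cret-wifi"
SAMPLE_ENTRIES = {
    "cleartext": SAMPLE_PASSWORD,
    "sha": "{SHA}" + base64.b64encode(
        hashlib.sha1(SAMPLE_PASSWORD.encode()).digest()).decode(),
    "ssha": make_ssha(SAMPLE_PASSWORD, b"\x01\x02\x03\x04"),
}


def check_pap(stored, password):
    """PAP: the server has the plaintext the client sent, so it can re-hash it
    and compare against any one-way stored form."""
    scheme, payload = parse_user_password(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode(), password.encode())
    if scheme == "SHA":
        expected = hashlib.sha1(password.encode()).digest()
        return hmac.compare_digest(base64.b64decode(payload), expected)
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]
        expected = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError("unsupported userPassword scheme: " + scheme)


def chap_response(ident, password, challenge):
    """Client side of the challenge-response: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def check_chap(stored, ident, challenge, response):
    """Server side. Returns True/False when the check can be done, or None when
    the stored credential is a one-way hash and the expected response cannot be
    computed at all (the 'Bad LEAP Password' outcome in the log above)."""
    scheme, payload = parse_user_password(stored)
    if scheme != "CLEARTEXT":
        return None
    expected = chap_response(ident, payload, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    """Run both checks against every constructed entry; returns a result table."""
    challenge = os.urandom(16)
    response = chap_response(1, SAMPLE_PASSWORD, challenge)
    results = {}
    for name, stored in SAMPLE_ENTRIES.items():
        results[name] = {
            "pap": check_pap(stored, SAMPLE_PASSWORD),
            "challenge": check_chap(stored, 1, challenge, response),
        }
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} PAP={result['pap']}  "
              f"challenge-response={result['challenge']}")
```

Only the cleartext entry passes the challenge-response check; the {SHA} and {SSHA} entries pass PAP but yield None for the challenge, which is exactly the split between the two Handlers in the thread. The `ServerChecksPassword` in the non-working handler has the same limitation: a bind-as-user check also needs the plaintext, which a LEAP exchange never delivers. Storing cleartext in the directory to make LEAP work shifts the protection burden to the LDAP ACLs on userPassword and to the transport (LDAPS or a trusted network) between Radiator and the directory.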
