Thanks for the reply. I have used the CA file from the certificate hierarchy: I have my own cacert.pem, I have not used the Radiator cacert.pem. Through this cacert.pem I generated the admin.crt and admin.key files. This cacert.pem is used to start the LDAP server and also the RADIUS server to authenticate the LDAP users.

Waiting for your inputs.

Regards
Pramod Kulkarni
ABB Global Industries and Services Limited
Whitefield Road Block 1
560048, Bangalore, Karnataka, INDIA
Phone: +91 80 67579950
Mobile: +919663733663
email: pramod.kulka...@in.abb.com

From: Pramod Kulkarni/INCRC/ABB
To: Sami Keski-Kasari <sam...@open.com.au>
Date: 04/30/2013 01:03 PM
Subject: Re: [RADIATOR] Radiator evaluation-Authenticate and Authorize LDAP users using SASL EXTERNAL bind to network switch

From: Sami Keski-Kasari <sam...@open.com.au>
To: Pramod Kulkarni/INCRC/ABB@ABB
Cc: radiator@open.com.au
Date: 04/30/2013 12:46 PM
Subject: Re: [RADIATOR] Radiator evaluation-Authenticate and Authorize LDAP users using SASL EXTERNAL bind to network switch

Hello Pramod,

I think that the problem is in your certificate settings. You have:

    SSLCAClientCert C:/Radiator/ldapcertificates/admin.crt
    SSLCAClientKey C:/Radiator/ldapcertificates/admin.key

So you seem to have your own host certificates for your RADIUS server. But then you have this:

    SSLCAFile C:/Radiator/ldapcertificates/demoCA/cacert.pem

which seems to me that you are using the CA file that comes with Radiator. You have to use the CA file from your certificate hierarchy.

Thanks,
Sami

30.04.2013 09:38, Pramod Kulkarni wrote:

Hello,

I wanted to know how do you do SASL EXTERNAL binding for the LDAP server through Radiator for a network switch. I have added the SSL client certificate and SSL CA certificate in the Radiator path.
Below are the further details of the Radiator configuration, radius.cfg:

<Client DEFAULT>
    Secret mysecret
    DupInterval 0
</Client>

# Authenticate all realms with this
<Realm DEFAULT>
    <AuthBy LDAP2>
        # Tell Radiator how to talk to the LDAP server
        Host localhost

        # Tell the LDAP server to authenticate the LDAP bind
        # with SASL:
        UseSASL

        # When you are using SASL authentication to connect to
        # the LDAP server, Radiator will
        # use AuthDN and AuthPassword to authenticate using
        # SASL instead of the default simple authentication.
        # In this example, we have
        # configured a SASL user called mikem into the SASL
        # user database using saslpasswd2. In order for
        # openldap to map the SASL user 'mikem' to the same
        # privileges as the LDAP manager (and hence have
        # access to protected password fields etc), you would need
        # something like this in your OpenLDAP configuration
        # (typically /etc/openldap/slapd.conf):
        #AuthDN uid=admin,ou=Users,dc=vmbox,dc=int
        #AuthPassword admin

        # You can also control which SASL mechanisms are
        # acceptable for SASL authentication. SASLMechanism is
        # a space separated list of mechanism names supported
        # by Authen::SASL, such as ANONYMOUS CRAM-MD5
        # DIGEST-MD5 EXTERNAL LOGIN PLAIN.
        # Defaults to DIGEST-MD5. If you change this you may
        # need to change your SASL->LDAP user mapping
        SASLMechanism EXTERNAL

        # This is the top of the search tree where users
        # will be found. It should match the configuration
        # of your server, see /etc/openldap/slapd.conf
        BaseDN dc=vmbox, dc=int

        # This is the LDAP attribute to match the radius user name
        UsernameAttr cn

        # If you don't specify ServerChecksPassword, you
        # need to tell Radiator which attribute in the LDAP
        # database contains
        # the user's correct password.
        # It can be plaintext or encrypted
        PasswordAttr userPassword

        # This tells AuthBy LDAP2 not to check the user's password,
        # ie that LDAP is just used to store check or reply items
        # and the authentication happens elsewhere
        # Requires latest patches to Radiator 3.11
        #NoCheckPassword

        # On some (most?) LDAP servers, you can tell AuthBy
        # LDAP to keep the connection to the server up for as
        # long as possible, and not close it after each
        # authentication. This can improve performance,
        # especially where UseTLS or UseSSL are in
        # operation. Not all servers can support this, so if you
        # enable it and things don't work right: disable it
        # again.
        HoldServerConnection

        # You can use CheckAttr, ReplyAttr and AuthAttrDef
        # to specify check and reply attributes in the LDAP
        # database. See the reference manual for more
        # information
        #AuthAttrDef ipaddress,Framed-IP-Address,reply

        # These are the classic things to add to each user's
        # reply to allow a PPP dialup session. It may be
        # different for your NAS. This will add some
        # reply items to everyone's reply
        AddToReply Framed-Protocol = PPP,\
            Framed-IP-Netmask = 255.255.255.255,\
            Framed-Routing = None,\
            Framed-MTU = 1500,\
            Framed-Compression = Van-Jacobson-TCP-IP

        # You can enable debugging of the Net::LDAP
        # module with this, which will dump LDAP requests
        # sent to and from the LDAP server
        Debug 255

        # With LDAP2 and perl-ldap 0.22 and better on Unix/Linux, you can enable SSL or TLS.
        # See http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
        # for assistance on how to generate certificates and
        # configure openldap for SSL and/or TLS
        # To use SSL, set these
        #UseSSL
        #SSLCAClientCert C:/Program Files/Radiator/ldapcertificates/admin.pem
        #SSLCAClientKey C:/Program Files/Radiator/ldapcertificates/admin.pem
        # and one of
        #SSLCAFile C:/Program Files/Radiator/ldapcertificates/demoCA/cacert.pem
        # SSLCAPath /path/to/file/containing/certificate/of/CA
        # (certificates must be in PEM format)

        # To use TLS, set these
        UseTLS
        SSLVerify optional
        SSLCAClientCert C:/Radiator/ldapcertificates/admin.crt
        SSLCAClientKey C:/Radiator/ldapcertificates/admin.key
        # and one of
        SSLCAFile C:/Radiator/ldapcertificates/demoCA/cacert.pem
        #SSLCAPath C:/Program Files/Radiator/ldapcertificates/
        # (certificates must be in PEM format)
        # These set the corresponding parameters in the
        # LDAPS connection (see perl-ldap docs)
        # Requires IO::Socket::SSL, Net::SSLeay and openssl

        # You can control the timeout for connection failure,
        # plus the backoff time after failure. Timeout defaults
        # to 10 secs and FailureBackoffTime to 10 mins
        #Timeout 2
        # FailureBackoffTime 10

        # With PostSearchHook you can do your own processing
        # of the LDAP data.
        # Arg 0 is the AuthBy LDAP object
        # Arg 1 is the user name being authenticated
        # Arg 2 is the received request packet
        # Arg 3 is the user object holding check and reply
        # items for this user
        # Arg 4 is the search results handle, whose type
        # depends on whether it's LDAP, LDAP2, or LDAPSDK
        #PostSearchHook sub {print "PostSearchHook @_\n";\
        #    my $attr = $_[4]->get('someldapattr');\
        #    print "get attribute $attr\n";}

        # You can control the LDAP protocol version to be used
        # to talk to the LDAP server. OpenLDAP 2 requires
        # Version 3 unless you have 'allow bind_v2' in your
        # slapd.conf. Defaults to version 2
        Version 3

        # You can specify the maximum number of LDAP records
        # that match the search that will be used for
        # check and reply items. Only the first will be
        # used for ServerChecksPassword. Defaults to 1
        #MaxRecords 2
    </AuthBy>
</Realm>

I used radpwtst for authenticating a user tina of the LDAP server:

    C:\Perl\bin>perl radpwtst -user tina -password turner -framed_ip_address 127.0.0.1 -nas_identifier 127.0.0.1 -nas_ip_address 127.0.0.1

I would like to check a user in the LDAP server using SASL bind with the admin certificate, basically an external bind mechanism. My log file is throwing this error:

    Tue Apr 30 11:48:15 2013: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
    Tue Apr 30 11:48:15 2013: DEBUG: Deleting session for tina, 127.0.0.1, 1234
    Tue Apr 30 11:48:15 2013: DEBUG: Handling with Radius::AuthLDAP2:
    Tue Apr 30 11:48:15 2013: INFO: Connecting to localhost:389
    Tue Apr 30 11:48:15 2013: DEBUG: Starting TLS
    Tue Apr 30 11:48:16 2013: ERR: StartTLS failed: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Tue Apr 30 11:48:16 2013: ERR: Could not open LDAP connection to localhost:389. Backing off for 600 seconds.
    Tue Apr 30 11:48:16 2013: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
    Tue Apr 30 11:48:20 2013: DEBUG: Packet dump:
    *** Received from 127.0.0.1 port 50487 ....
    Code:       Accounting-Request
    Identifier: 91
    Authentic:  <238><255><164>.<208><21>G<212>dhd<215><225>c<165><7>
    Attributes:
            User-Name = "tina"
            Service-Type = Framed-User
            NAS-IP-Address = 127.0.0.1
            NAS-Identifier = "127.0.0.1"
            NAS-Port = 1234
            NAS-Port-Type = Async
            Acct-Session-Id = "00001234"
            Acct-Status-Type = Start
            Called-Station-Id = "123456789"
            Calling-Station-Id = "987654321"
            Framed-IP-Address = 127.0.0.1
            Acct-Delay-Time = 0

    Tue Apr 30 11:48:20 2013: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
    Tue Apr 30 11:48:20 2013: DEBUG: Adding session for tina, 127.0.0.1, 1234
    Tue Apr 30 11:48:20 2013: DEBUG: Handling with Radius::AuthLDAP2:
    Tue Apr 30 11:48:20 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
    Tue Apr 30 11:48:20 2013: DEBUG: Accounting accepted
    Tue Apr 30 11:48:20 2013: DEBUG: Packet dump:
    *** Sending to 127.0.0.1 port 50487 ....

If I disable TLS, then restarting Radiator throws "SASL mechanism not supported error (-4)".

Let me know if I can configure the switch as mentioned above through Radiator; if possible, provide a specific example.

Waiting for your inputs.

Pramod Kulkarni
ABB Global Industries and Services Limited
Whitefield Road Block 1
560048, Bangalore, Karnataka, INDIA
Phone: +91 80 67579950
Mobile: +919663733663
email: pramod.kulka...@in.abb.com

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

-- 
Sami Keski-Kasari <sam...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.