
Re: LDAP authentication using Radius



JET JETASIK wrote:
> Aaron Richton wrote:
>>
>> On Thu, 16 Aug 2012, JET JETASIK wrote:
>>>
>>> [2012/08/16|14:06:22.578125][02492][MINOR][ValidationTask::getNASLocationFromPacket] > No NAS-IP or NAS-Identifier attribute found.
>>> [2012/08/16|14:06:22.578125][02492][MAJOR][ValidationTask::routePacket] > Rejecting RADIUS request due to missing NAS Location
>>>
>>> I don't see that there is an option to define the NAS-IP or NAS-Identifier in
>>> /etc/radius.conf. Furthermore, I dug into openldap's radius.c: only
>>> RAD_USER_NAME and RAD_USER_PASSWORD (lines 82, 86) are attached to the
>>> request.
>>> Please advise how to put NAS-IP/NAS-Identifier into the request, maybe
>>> using rad_put_addr()?
>>
>> I would think it would be easier to reconfigure your radius server to
>> allow the queries in their existing form?
>>
>> With that said, if you want to send additional attributes, a modification
>> to radius.c is probably the right track. You'd probably be best inquiring to
>> the Radius community about how to do this -- I certainly don't know their API
>> off the top of my head and it's out of scope for openldap-technical.
>>
> 
> It took me some time to find out that if a radius request, like the one from
> openldap-contrib's radius.c, does not include either a NAS-IP or a
> NAS-Identifier, it complies with the old Radius RFC standard (RFC 2138,
> "SHOULD contain"), but not with the new one (RFC 2865, "MUST contain").

Sounds like you should submit an ITS. With a patch fixing the issue, preferably.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
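The RFC 2865 rule behind the server's rejection is easy to reproduce on the wire. The Python below is an added example, not code from this thread, from OpenLDAP's contrib radius.c or from libradius: it builds an Access-Request with and without the NAS attributes and applies the same check the RADIUS server in the quoted log applied. The shared secret, user name, NAS address and identifier are constructed values, and the libradius calls named in the comments (rad_put_addr / rad_put_string with RAD_NAS_IP_ADDRESS / RAD_NAS_IDENTIFIER) mark where radius.c would add the attributes.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), the first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attribute(atype, value):
    # Type(1) Length(1) Value; Length includes the two header bytes.
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(user, password, secret, nas_ip=None, nas_id=None, ident=1, authenticator=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes; with no NAS
    arguments this is the User-Name + User-Password request radius.c sends."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(USER_NAME, user.encode())
    attrs += attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    if nas_ip:  # libradius equivalent: rad_put_addr(h, RAD_NAS_IP_ADDRESS, addr)
        attrs += attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    if nas_id:  # libradius equivalent: rad_put_string(h, RAD_NAS_IDENTIFIER, nas_id)
        attrs += attribute(NAS_IDENTIFIER, nas_id.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        hdr = packet[pos:pos + 2]
        if len(hdr) < 2 or hdr[1] < 2 or pos + hdr[1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(hdr[0], []).append(packet[pos + 2:pos + hdr[1]])
        pos += hdr[1]
    return attrs

def nas_location_present(packet):
    """The server-side rule behind the rejection in the thread: RFC 2865 4.1
    says an Access-Request MUST carry NAS-IP-Address or NAS-Identifier."""
    attrs = parse_attributes(packet)
    return NAS_IP_ADDRESS in attrs or NAS_IDENTIFIER in attrs
```

Running nas_location_present() over a request built with no NAS arguments reproduces the "No NAS-IP or NAS-Identifier attribute found" outcome; adding either attribute makes it pass.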