TIP: Authenticate Against Windows Active Directory



sysadmin
June 3 2009, 06:17 PM
Traverse provides a customizable framework for validating login user names and passwords against external sources, including Radius, Kerberos, LDAP, etc. The "External Authentication" section of the Traverse Developer's Guide (available from http://zyrion.com/support/docs/) provides detailed information regarding how to leverage this feature. Here is a sample script that can be used to authenticate against Active Directory. Please review the above document for limitations.

In order to use this script, extract the script from the attached ZIP archive and place it under the plugin/auth directory on the BVE server. It may be necessary to install the Net::LDAP and Getopt::Long Perl modules if they are not available on the server already:



(Linux/Solaris)
su
perl -MCPAN -e 'install Net::LDAP'
perl -MCPAN -e 'install Getopt::Long'


Next, edit etc/emerald.xml and remove/comment out (enclose in <!-- -->) the following section:



<authentication method="des"
class=""
execute=""
parameters=""
timeout=""
/>


and add the following configuration block in its place:



<authentication
method="script"
class=""
execute="ldap_auth.pl"
parameters="--server n.n.n.n --user ${username} --password ${password} --domain myCompany.com"
/>


Replace n.n.n.n with the IP address of the Domain Controller and myCompany.com with the local AD domain name. Finally, restart the Web Application using "etc/webapp.init restart" on Linux/Solaris or Service Controller on Windows.

Standard corporate disclaimer applicable.
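The ldap_auth.pl from the attachment is not reproduced in the thread. The script below is an added example of what such a plugin does (it is not the attachment and not Zyrion's code): it takes the four parameters from the emerald.xml line above and performs an LDAP simple bind as the user against the Domain Controller. It assumes Traverse treats exit status 0 as success and any other status as failure (confirm this in the Developer's Guide), that the DC accepts the user@domain form for binds, and adds a --starttls flag and a CA file path that are not in the original parameters line.

```perl
#!/usr/bin/perl
# Added example plugin (not the ZIP's ldap_auth.pl): bind to Active Directory
# as the user and report the result through the exit status.
# Assumptions: exit 0 = authenticated, anything else = rejected (check the
# Developer's Guide), and the DC accepts the UPN form user@domain for binds.
use strict;
use warnings;
use Getopt::Long;
use Net::LDAP;

my ($server, $user, $password, $domain);
my $starttls = 0;    # extra flag, not in the original parameters line
GetOptions(
    'server=s'   => \$server,
    'user=s'     => \$user,
    'password=s' => \$password,   # passed on the command line by Traverse, so visible in the process list
    'domain=s'   => \$domain,
    'starttls'   => \$starttls,
) or exit 2;
exit 2 unless defined $server && defined $user && defined $domain;

# An empty password turns a simple bind into an anonymous (unauthenticated)
# bind, which AD accepts by default, so it must be rejected here, not passed on.
exit 1 unless defined $password && length $password;
# The name is joined to the domain below; refuse anything that is not a plain
# account name so a crafted value cannot change which principal is bound.
exit 1 unless $user =~ /\A[\w.-]+\z/;

my $ldap = Net::LDAP->new($server, port => 389, timeout => 10)
    or do { warn "connect to $server failed: $@\n"; exit 1 };

if ($starttls) {
    # verify => 'require' needs the DC's CA certificate; the path is a constructed placeholder.
    my $tls = $ldap->start_tls(verify => 'require', cafile => '/etc/ssl/ad-ca.pem');
    if ($tls->code) { warn "StartTLS failed: ", $tls->error, "\n"; exit 1 }
}

# Simple bind: the DC checks the password. Without TLS it crosses the wire in
# clear, so use --starttls (or LDAPS on 636) outside a trusted network segment.
my $mesg = $ldap->bind("$user\@$domain", password => $password);
my $ok = !$mesg->code;
warn "bind for $user\@$domain failed: ", $mesg->error, "\n" unless $ok;
$ldap->unbind;
exit($ok ? 0 : 1);
```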

sysadmin
July 14 2009, 09:16 AM
Here is a sample script (contributed by a Traverse user) that provides similar functionality against a Radius server. In order to use this script, extract the script from the attached ZIP archive directly under the Traverse installation directory. Edit the newly created plugin/auth/radius_client.pl script and provide suitable values for the Radius server, port and shared secret:



$rad_server = "192.168.10.20"; # SET THIS
$rad_port = "1812"; # SET THIS
$rad_secret = "secret1"; # SET THIS


The script uses commands from FreeRADIUS (http://freeradius.org/), which will need to be installed on the BVE server. Make sure to specify the correct location of the "radclient" command in the script (default /opt/freeradius/bin/radclient). The following configuration setting in etc/emerald.xml will enable use of the script.



<authentication
method="script"
class=""
execute="radius_auth.pl"
parameters="${username} ${password}"
/>


Finally, restart the Web Application to activate the setting:



(Linux/Solaris)
su
cd /usr/local/traverse
chmod a+rx plugin/auth/radius_auth.pl
etc/webapp.init restart
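The contributed radius_auth.pl is only in the attachment. Below is an added example (not the contributed script) of the same idea: hand radclient a PAP request on stdin and accept only an Access-Accept reply. It assumes the default radclient path named above, that Traverse reads exit 0 as success and non-zero as failure (see the Developer's Guide), and the constructed server, port and secret values.

```perl
#!/usr/bin/perl
# Added example (not the contributed radius_client.pl / radius_auth.pl):
# authenticate against a remote RADIUS server by driving FreeRADIUS radclient.
# Assumptions: radclient lives at the path below, the server accepts PAP
# requests, and Traverse reads exit 0 as success, non-zero as failure.
use strict;
use warnings;
use IPC::Open2;

my $rad_server = "192.168.10.20";   # SET THIS (constructed value)
my $rad_port   = "1812";            # SET THIS
my $rad_secret = "secret1";         # SET THIS (radclient -S <file> keeps it off the command line)
my $radclient  = "/opt/freeradius/bin/radclient";

# Quote a value in radclient's attribute syntax: backslash and double quote escaped.
sub rad_quote { my $v = shift; $v =~ s/([\\"])/\\$1/g; return qq("$v"); }

sub radius_auth {
    my ($user, $pass) = @_;
    # A blank password must never reach the server as a "valid" request.
    return 0 unless defined $user && defined $pass && length $pass;

    my ($out, $in, $pid);
    eval {
        # -x prints the reply packet; -r 1 -t 5: one try, 5 s timeout.
        $pid = open2($out, $in, $radclient, '-x', '-r', '1', '-t', '5',
                     "$rad_server:$rad_port", 'auth', $rad_secret);
        1;
    } or do { warn "cannot run $radclient: $@"; return 0 };

    # Credentials go to radclient on stdin, not on its command line, so they
    # do not appear in the process table.
    print $in "User-Name = ", rad_quote($user), "\n",
              "User-Password = ", rad_quote($pass), "\n";
    close $in;
    my $reply = do { local $/; <$out> };
    close $out;
    waitpid($pid, 0);

    # Both 2.x ("rad_recv: Access-Accept packet ...") and 3.x ("Received
    # Access-Accept ...") name the reply code in the -x output; only an Accept counts.
    return (defined $reply && $reply =~ /Access-Accept/) ? 1 : 0;
}

my ($username, $password) = @ARGV;    # matches parameters="${username} ${password}"
exit(radius_auth($username, $password) ? 0 : 1);
```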

cbell
July 15 2009, 09:48 AM
The post mentions installing Freeradius on the BVE server... is that necessary if you want to use a remote RADIUS server? We use the Cisco ACS server.

rajib
July 15 2009, 01:17 PM
Hello Chris,

The plug-in authentication script uses the "radclient" tool from the FreeRADIUS package to validate the supplied username and password against the remote RADIUS server. In this case you do not need to set up another RADIUS server on the Traverse host. It doesn't necessarily need to be FreeRADIUS, but could be any compatible client that would provide similar functionality.

cbell
July 15 2009, 06:14 PM
Thanks - We'll give this a shot around the first of next week then.

cbell
July 18 2009, 12:48 PM
This didn't work. Authentication failed each time. Probably something I did wrong or didn't do at all.

As an edit, my username is also now locked out - I've tried logging in as SU and resetting the password but that does not help. I also commented out the changes to emerald.xml and uncommented the original lines... not sure why authentication is now broken.

sysadmin
July 18 2009, 01:27 PM
Chris,

There was one key point left out from the initial posting (outlined in the Developer's Guide). Once the Web Application is configured to use external authentication, it is applicable to new users by default. If you have an existing login into Traverse, it will continue to use the native authentication method until you explicitly instruct the BVE to use the external source. This is accomplished by changing the user's password. The specified value in this case is ignored, but internally the BVE makes a note that the user should be authenticated against the LDAP or Radius or other method.

So when you changed your password after configuring external authentication (by updating etc/emerald.xml), your login credential is now being validated through the script. If you need to revert to the native authentication method, you will need to:

1. Restore the original settings in etc/emerald.xml
2. Restart the Web Application
3. Log into the Web Application as superuser
4. Reset the password for your login

Our support team will continue to work with you to configure Radius authentication.

cbell
July 18 2009, 02:09 PM
Thank you, that worked. I will install the FreeRADIUS package next week.

cbell
July 27 2009, 09:41 AM
Just as a final follow-up, after installing the FreeRadius package and making the configuration changes, this works wonderfully with our Cisco ACS server as the Radius server. Thanks for your help! Good thread and you should sticky it!

CJ Goldsmith
October 2 2009, 10:22 AM
Attached is the same script bundled with the library files needed to run on Windows (tested and working on Windows 2003) for the original ldap_auth.pl script (authentication against Windows Active Directory).

You will need to make an additional change to the ldap_auth.pl script in order to get it to find the additional library files:



The line...
use lib "[Traverse Install Dir]/plugin/auth/win32_libs";

Will need to be changed to something like...
use lib "C:/Program Files/Traverse/plugin/auth/win32_libs";

marcus
January 24 2012, 01:36 PM
Rajib

Do we need those perl modules installed on a windows Traverse system as well?

piyushm
January 24 2012, 04:43 PM
Do we need those perl modules installed on a windows Traverse system as well?

Yes - you would - please see the post by CJ Goldsmith which includes the files.

Regards,

Piyush

marcus
February 1 2012, 07:22 AM
Where would those be?

brockn
February 1 2012, 12:19 PM
Marcus,

Change your display mode to 'Linear' for this thread, and you will see it. CJ's reply is one of the earlier notes on this thread.