(RADIATOR) Troubles with 802.1x authorization of M$ Windows XP
Hugh Irvine
hugh at open.com.au
Thu Jul 1 18:58:36 CDT 2004
Hello Jan -
On 1 Jul 2004, at 19:45, Jan Tomasek wrote:
> Hello Hugh,
> thanks for quick response.
>
>> As Mike says below, your Realm DEFAULT clause is catching the inner
>> request, not the correct Handler.
>>
>> You should not mix Realms and Handlers in the same configuration file
>> for this reason.
>
> I do not understand the Handlers vs. Realms issue much. I used realms
> because that is the way I need Radiator to behave.
>
Realms are a sub-class of Handlers, with an index on the list of Realm
suffixes for faster access.

Realms are also evaluated first, so if your configuration file contains
any Realm clauses, they will be evaluated before any Handlers. This
being the case, a Realm DEFAULT clause will always catch any request
before any Handlers are evaluated.
> Now I have updated the configuration to use only Handlers, and everything
> looks to work fine, including forwarding non-local requests to the proxy
> server.
>
Good - I'm pleased it's working.
> I'm sending my configuration to the list again; maybe somebody else might
> find it useful.
>
It is always useful to see working examples - thanks.
> I want to ask about two problems I do not understand:
>
I'll try to answer.
> 1) In <Handler Realm=/^cesnet\.cz$|^radius1\.cesnet\.cz$/> I have to
> place RewriteUsername outside the AuthBy block, and in
> <Handler TunnelledByTTLS=1> and <Handler TunnelledByPEAP=1> I have to
> place RewriteUsername inside the AuthBy block. Otherwise it simply won't
> work.
>
This must be because of the timing of when the RewriteUsername is
executed during packet processing.
> 2) Isn't there some way to simplify my configuration? I have three very
> similar blocks there. Isn't there at least some way of including a file?
>
You can either use an Identifier in an AuthBy clause that is used
multiple times, like this:
<AuthBy LDAP2>
    Identifier CheckLDAP
    .....
</AuthBy>

<Handler .....>
    AuthBy CheckLDAP
    .....
</Handler>

<Handler .....>
    AuthBy CheckLDAP
    .....
</Handler>
.....
Or you can use the "Include ...." directive in the Radiator
configuration file.
See section 6.1 in the Radiator 3.9 reference manual ("doc/ref.html").
I tend to prefer the "Identifier ..." method as I find it easier to
understand.
regards
Hugh
> --
> --------------------------------------------------------------
> Jan Tomasek aka Semik work: CESNET, z.s.p.o.
> http://www.tomasek.cz/ Zikova 4, 160 00 Praha 6
> Czech Republic
> phone(work): +420 2 2435 5279 http://www.cesnet.cz/
> Foreground
> LogStdout
> Trace 4
> LogDir /var/log/radiator
> DbDir /home/semik/iproj/Radiator-Demo-3.9
>
> <AuthLog SYSLOG>
>     Identifier authlogger
>     Facility local7
>     LogSuccess 1
>     LogFailure 1
>     SuccessFormat %U:%P:OK
>     FailureFormat %U:%P:FAIL
> </AuthLog>
> #<AuthLog FILE>
> #    Filename /var/log/radiator/authlog
> #    LogSuccess 1
> #    LogFailure 1
> #</AuthLog>
> <Log SYSLOG>
>     Facility local7
>     LogIdent radiator
>     Trace 4
> </Log>
>
> AuthPort 1645,1812
> AcctPort 1646,1813
>
> <Client localhost>
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> <Client DEFAULT>
>     Secret testing123
> </Client>
>
> # -- Local realms -------------------------------------------------------------
> <Client saint.cesnet.cz>
>     Secret xxx
> </Client>
>
> <Client radius1.eduroam.cz>
>     Secret xxx
> </Client>
>
> <Client ldap3.cesnet.cz> # radius2.eduroam.cz
>     Secret xxx
> </Client>
>
> <Handler Realm=/^cesnet\.cz$|^radius1\.cesnet\.cz$/>
>     # Strip realm
>     RewriteUsername s/^(.*?)\@.*$/$1/
>     # Convert user name to lowercase
>     RewriteUsername tr/A-Z/a-z/
>
>     <AuthBy LDAP2>
>         Host localhost
>
>         AuthDN uid=rad1,ou=Special Users,dc=cesnet,dc=cz
>         AuthPassword xxx
>
>         BaseDN dc=cesnet,dc=cz
>         UsernameAttr uid
>         PasswordAttr radiusPassword
>
>         EAPType PEAP,TTLS,TLS,MSCHAP-V2,MD5,MD5-Challenge
>
>         EAPTLS_CAFile /etc/ssl/certs/trusted-CA-list.crt
>         EAPTLS_CertificateFile /etc/ssl/certs/radius_radius1.eduroam.cz.crt.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/ssl/private/radius_radius1.eduroam.cz.key.pem
>         #EAPTLS_PrivateKeyPassword whatever
>
>         EAPTLS_MaxFragmentSize 1000
>
>         EAPTLS_CRLCheck
>         EAPTLS_CRLFile /etc/ssl/ed99a497.r0
>
>         EAPTLSRewriteCertificateCommonName s/Jan Tomasek/semik/
>
>         AutoMPPEKeys
>
>         SSLeayTrace 0
>     </AuthBy>
>     AuthLog authlogger
> </Handler>
>
> <Handler TunnelledByTTLS=1>
>     <AuthBy LDAP2>
>         # Strip realm
>         RewriteUsername s/^(.*?)\@.*$/$1/
>         # Convert user name to lowercase
>         RewriteUsername tr/A-Z/a-z/
>
>         Host localhost
>
>         AuthDN uid=rad1,ou=Special Users,dc=cesnet,dc=cz
>         AuthPassword xxx
>
>         BaseDN dc=cesnet,dc=cz
>         UsernameAttr uid
>         PasswordAttr radiusPassword
>
>         EAPType MSCHAP-V2,MD5,TLS
>
>         EAPTLS_CAFile /etc/ssl/certs/trusted-CA-list.crt
>         EAPTLS_CertificateFile /etc/ssl/certs/radius_radius1.eduroam.cz.crt.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/ssl/private/radius_radius1.eduroam.cz.key.pem
>         #EAPTLS_PrivateKeyPassword whatever
>
>         EAPTLS_MaxFragmentSize 1000
>
>         EAPTLS_CRLCheck
>         EAPTLS_CRLFile /etc/ssl/ed99a497.r0
>
>         SSLeayTrace 0
>     </AuthBy>
> </Handler>
>
> <Handler TunnelledByPEAP=1>
>     <AuthBy LDAP2>
>         # Strip realm
>         RewriteUsername s/^(.*?)\@.*$/$1/
>         # Convert user name to lowercase
>         RewriteUsername tr/A-Z/a-z/
>
>         Host localhost
>
>         AuthDN uid=rad1,ou=Special Users,dc=cesnet,dc=cz
>         AuthPassword xxx
>
>         BaseDN dc=cesnet,dc=cz
>         UsernameAttr uid
>         PasswordAttr radiusPassword
>
>         EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge
>
>         EAPTLS_CAFile /etc/ssl/certs/trusted-CA-list.crt
>         EAPTLS_CertificateFile /etc/ssl/certs/radius_radius1.eduroam.cz.crt.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/ssl/private/radius_radius1.eduroam.cz.key.pem
>         #EAPTLS_PrivateKeyPassword whatever
>
>         EAPTLS_MaxFragmentSize 1000
>
>         EAPTLS_CRLCheck
>         EAPTLS_CRLFile /etc/ssl/ed99a497.r0
>
>         SSLeayTrace 0
>     </AuthBy>
> </Handler>
> #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> # -- Everything that is not ours is forwarded to the national RADIUS servers --
> <Handler>
>     <AuthBy ROUNDROBIN>
>         <Host radius1.eduroam.cz>
>             AuthPort 1812
>             AcctPort 1813
>             Secret xxx
>         </Host>
>         <Host radius2.eduroam.cz>
>             AuthPort 1812
>             AcctPort 1813
>             Secret xxx
>         </Host>
>     </AuthBy>
> </Handler>
> #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
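Editor's added example, not part of the original thread: the Identifier method Hugh describes, applied to the two tunnelled Handlers from Jan's posted configuration, which share identical LDAP and certificate settings. Secrets are replaced by placeholders, the EAPType list is assumed to be the union of the two inner lists (so both tunnels may offer the same inner methods), and the outer Handler keeps its own AuthBy because it carries AutoMPPEKeys and the certificate CN rewrite that the inner ones do not. The shared AuthBy must appear before the Handlers that reference it, and the catch-all <Handler> stays last, since Handlers are tried in file order.

```text
# Shared back end for the tunnelled (inner) requests, defined once
<AuthBy LDAP2>
    Identifier CheckLDAP
    # Inner identity: strip the realm, then lowercase (kept inside the
    # AuthBy, where Jan found it takes effect for tunnelled requests)
    RewriteUsername s/^(.*?)\@.*$/$1/
    RewriteUsername tr/A-Z/a-z/

    Host localhost
    AuthDN uid=rad1,ou=Special Users,dc=cesnet,dc=cz
    AuthPassword LDAP_BIND_PASSWORD_PLACEHOLDER
    BaseDN dc=cesnet,dc=cz
    UsernameAttr uid
    PasswordAttr radiusPassword

    # Assumption: union of the TTLS and PEAP inner EAPType lists
    EAPType MSCHAP-V2,MD5,MD5-Challenge,TLS,TTLS

    EAPTLS_CAFile /etc/ssl/certs/trusted-CA-list.crt
    EAPTLS_CertificateFile /etc/ssl/certs/radius_radius1.eduroam.cz.crt.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /etc/ssl/private/radius_radius1.eduroam.cz.key.pem
    EAPTLS_MaxFragmentSize 1000
    # Reject client certificates listed in the CRL
    EAPTLS_CRLCheck
    EAPTLS_CRLFile /etc/ssl/ed99a497.r0
    SSLeayTrace 0
</AuthBy>

# Both inner Handlers now reference the shared clause by its Identifier
<Handler TunnelledByTTLS=1>
    AuthBy CheckLDAP
</Handler>

<Handler TunnelledByPEAP=1>
    AuthBy CheckLDAP
</Handler>

# Outer local-realm Handler (own AuthBy, as in the posted config) goes here,
# followed by the catch-all <Handler> that proxies everything else.
```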
--