[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
Michael Rodrigues
mrodrigues at education.ucsb.edu
Tue Apr 1 14:42:47 CDT 2014
Hi Heikki,
Thanks for your input, this mailing list has always been extremely helpful.
I attempted to implement your suggestions on items 1 and 2. 1 is
straightforward, but I'm still a bit puzzled by 2. I looked at eap_peap
and eap_multi in goodies to get an idea of what to do. Using your
comments and the docs, I made some changes, adding two inner request
handlers, one for PEAP and one for TTLS. I tried implementing the Hook
but my NAS still reports the wrong user if I put some random username in
the 'anonymous identity' field on my wireless client.
Topic 3, the SSO stuff, is a ways away, but I will write the list with
any insight I have once I attempt it.
Here's my config:
########## ##########
##### Radiator Configuration #####
######### ##########
## Updated 4/1/2014
## Note this file is derived from pre-testing version provided by mrodrigues
#This handler catches all "Accounting-Request" packets.
#We only log Start and Stop accounting packets as Alive
#packets are basically useless for our purposes. If you
#would like to grab these packets, delete the "HandleAcctStatusTypes"
#directive below, or edit as obviously necessary.
#<Handler Request-Type=Accounting-Request>
#<AuthBy SQL>
# DBSource dbi:mysql:radius:127.0.0.1:3306
# DBUsername radius
# DBAuth xxx
#HandleAcctStatusTypes Start,Stop
# This statement inserts the accounting information into the SQL database.
#AcctSQLStatement insert into ggse_public values('%{Acct-Session-Id}','%{Framed-IP-Address}','%{User-Name}','%{Acct-Status-Type}','%{Extreme-SSID}','%{Connect-Info}','%{Acct-Delay-Time}','%{Timestamp}','%{Calling-Station-Id}',NULL);
# This will log messages from within the SQL insert statement
#<Log FILE>
#Filename debug.config
#</Log>
#</AuthBy>
#</Handler>
#below was added on 2/4/13 to catch ALL iterations of logins that are BlackListed.
RewriteUsername tr/A-Z/a-z/
#These are the subnets from which calls to the RADIUS server are allowed.
<Client 10.99.1.250>
Secret testing123
DupInterval 0
</Client>
<Handler User-Name=/^host\//>
# AuthBy INTERNAL will reject here
# This catches computers trying to auth
</Handler>
<Handler TunnelledByPEAP=1>
<AuthBy NTLM>
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
Domain AD
EAPType MSCHAP-V2
#EAPTLS_CAFile /etc/radiator/certs/demoCA/cacert.pem
EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
#EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
EAPTLS_CertificateType PEM
#EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
#EAPTLS_PrivateKeyPassword whatever
AutoMPPEKeys
</AuthBy>
PostAuthHook file:"goodies/eap_acct_username.pl"
</Handler>
<Handler TunnelledByTTLS=1>
<AuthBy NTLM>
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
Domain AD
EAPType TTLS
#EAPTLS_CAFile /etc/radiator/certs/demoCA/cacert.pem
EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
#EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
EAPTLS_CertificateType PEM
#EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
#EAPTLS_PrivateKeyPassword whatever
</AuthBy>
PostAuthHook file:"goodies/eap_acct_username.pl"
</Handler>
<Handler>
<AuthBy GROUP>
AuthByPolicy ContinueWhileAccept
# Make sure MAC address is not blacklisted..
<AuthBy FILE>
NoEAP
# Calling-Station-Id attribute is the user's MAC in this case.
AuthenticateAttribute Calling-Station-Id
AcceptIfMissing
Filename /etc/radiator/MacAddrBlacklist.txt
</AuthBy>
# Make sure USERNAME is not blacklisted..
<AuthBy FILE>
NoEAP
AcceptIfMissing
Filename /etc/radiator/UsernameBlacklist.txt
</AuthBy>
<AuthBy NTLM>
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
Domain AD
EAPType PEAP, TTLS
#EAPTLS_CAFile /etc/radiator/certs/demoCA/cacert.pem
EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
#EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
EAPTLS_CertificateType PEM
#EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
#EAPTLS_PrivateKeyPassword whatever
AutoMPPEKeys
</AuthBy>
</AuthBy>
PostAuthHook file:"goodies/eap_acct_username.pl"
</Handler>
#This logs to /var/log/radius/logfile
#Not really necessary, we have SQL logs.
<Log FILE>
Filename logfile
</Log>
On 3/26/2014 2:35 PM, Heikki Vatiainen wrote:
> On 03/26/2014 07:33 PM, Michael Rodrigues wrote:
>
>> 1. How do I allow only directory users to authenticate, while
>> preventing machine accounts from being authenticated?
> Use a Handler to catch these:
>
> <Handler User-Name=/^host\//>
> # AuthBy INTERNAL with reject here
> </Handler>
>
> should do the trick. I would also consider using a separate Handler for
> inner and outer requests. See goodies/eap_peap.cfg for an example.
>
>> 2. Will the eap_acct_username.pl prevent users from showing up as
>> 'anonymous' in my accounting requests for all allowed types of auth?
>> (PEAP, TTLS, MSCHAP-V2)
> This hook seems to return User-Name with Access-Accept to tell the NAS
> to use this username for the subsequent Accounting-Requests. I'd
> consider using a Hook, maybe PostAuthHook, in the inner Handler to write
> the real username in the outer request's EAP context. When the final
> Access-Accept is returned to the client, a PostAuthHook in the outer
> Handler can set the User-Name. This could be done after the
> authentication works otherwise.
>
>> 3. Will disabling machine authentication have any effect on SSO so that
>> a user can login to a domain computer and automatically authenticate
>> to the wifi (assuming the proper GPOs are in place).
> The recent Windows versions seem to have a number of possibilities to
> choose which account, user or computer, does the wifi authentication.
> However, I have not looked more closely how these settings work with
> group policies. It would be interesting to hear how it works, so please
> let us know if you decide to test it.
>
>> Here's my configuration:
> Remove DupInterval 0 if you have it with real RADIUS clients. It should
> only be used for local loopback testing and it's not usually necessary
> there either.
>
> Thanks,
> Heikki
>
>> ########## ##########
>> ##### Radiator Configuration #####
>> ######### ##########
>>
>> ## Updated 03/26/14 mbr
>> ## Note this file is derived from pre-testing version provided by mrodrigues
>>
>> #This handler catches all "Accounting-Request" packets.
>> #We only log Start and Stop accounting packets as Alive
>> #packets are basically useless for our purposes. If you
>> #would like to grab these packets, delete the "HandleAcctStatusTypes"
>> #directive below, or edit as obviously necessary.
>>
>> #<Handler Request-Type=Accounting-Request>
>>
>> #<AuthBy SQL>
>> # DBSource dbi:mysql:radius:127.0.0.1:3306
>> # DBUsername radius
>> # DBAuth xxx
>> #HandleAcctStatusTypes Start,Stop
>> # This statement inserts the accounting information into the SQL database.
>>
>> #AcctSQLStatement insert into ggse_public values('%{Acct-Session-Id}','%{Framed-IP-Address}','%{User-Name}','%{Acct-Status-Type}','%{Extreme-SSID}','%{Connect-Info}','%{Acct-Delay-Time}','%{Timestamp}','%{Calling-Station-Id}',NULL);
>>
>> # This will log messages from within the SQL insert statement
>>
>> #<Log FILE>
>> #Filename debug.config
>> #</Log>
>>
>> #</AuthBy>
>>
>> #</Handler>
>>
>> #below was added on 2/4/13 to catch ALL iterations of logins that are BlackListed.
>> RewriteUsername tr/A-Z/a-z/
>>
>> #These are the IPs from which calls to the RADIUS server are allowed.
>>
>> <Client 10.99.1.250>
>> Secret testing123
>> DupInterval 0
>> </Client>
>>
>> <Handler>
>> #This is only tentative and hasn't been tested. This keeps people from
>> #circumventing the logs by making their outer identity anonymous. This
>> #script copies the inner identity to the outer identity; you can't
>> #authenticate without the correct inner identity.
>> PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"
>>
>> <AuthBy GROUP>
>>
>> AuthByPolicy ContinueWhileAccept
>>
>> # Make sure MAC address is not blacklisted..
>> <AuthBy FILE>
>> NoEAP
>> # Calling-Station-Id attribute is the user's MAC in this case.
>> AuthenticateAttribute Calling-Station-Id
>> AcceptIfMissing
>> Filename /etc/radiator/MacAddrBlacklist.txt
>> </AuthBy>
>>
>> # Make sure USERNAME is not blacklisted..
>> <AuthBy FILE>
>> NoEAP
>> AcceptIfMissing
>> Filename /etc/radiator/UsernameBlacklist.txt
>> </AuthBy>
>>
>> <AuthBy NTLM>
>> Domain AD
>> EAPType PEAP, TTLS, MSCHAP-V2
>> EAPTLS_CAFile /etc/radiator/certs/demoCA/cacert.pem
>> EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
>> EAPTLS_PrivateKeyPassword whatever
>> AutoMPPEKeys
>> </AuthBy>
>> </AuthBy>
>> </Handler>
>> #PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"
>>
>> #This logs to /var/log/radius/logfile
>> #Not really necessary, we have SQL logs.
>> <Log FILE>
>> Filename logfile
>> </Log>
>>
>> Thanks,
>> Michael
>>
>> --
>> Michael Rodrigues
>> Technical Support Services Manager
>> Gevirtz Graduate School of Education
>> Education Building 4203
>> (805) 893-8031
>> help at education.ucsb.edu
>>
--
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
help at education.ucsb.edu
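A defender's check for the two problems discussed in this thread (machine accounts still getting through, and the NAS reporting the outer "anonymous" identity in accounting instead of the inner one): an added Python example, not code from the post or from Radiator. It correlates Access-Accepts with accounting Starts by Calling-Station-Id over constructed packet dumps; the one-line "attr=value" format and the Inner-Identity field are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample packets (not from the original post): one simplified
# "Type attr=value ..." dump per RADIUS packet, in the order the server saw them.
SAMPLE_PACKETS = [
    "Access-Accept Calling-Station-Id=00-11-22-33-44-55 Inner-Identity=AD\\JDoe",
    "Accounting-Request Acct-Status-Type=Start Calling-Station-Id=00-11-22-33-44-55 User-Name=anonymous",
    "Access-Accept Calling-Station-Id=AA-BB-CC-DD-EE-FF Inner-Identity=asmith",
    "Accounting-Request Acct-Status-Type=Start Calling-Station-Id=AA-BB-CC-DD-EE-FF User-Name=ASmith",
    "Accounting-Request Acct-Status-Type=Start Calling-Station-Id=12-34-56-78-9A-BC User-Name=host/lab-pc01.ad.example",
]


def parse_packet(line: str) -> Dict[str, str]:
    """Split 'Type k=v k=v ...' into a dict; the packet type is stored under 'Type'."""
    code, _, rest = line.partition(" ")
    attrs = {"Type": code}
    for key, value in re.findall(r"(\S+?)=(\S+)", rest):
        attrs[key] = value
    return attrs


def normalize(name: str) -> str:
    """Mirror the config's RewriteUsername tr/A-Z/a-z/ and drop a DOMAIN\\ prefix."""
    return name.lower().split("\\")[-1]


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (mac, finding, detail) for every accounting Start that needs attention."""
    inner_by_mac: Dict[str, str] = {}
    findings: List[Tuple[str, str, str]] = []
    for pkt in map(parse_packet, lines):
        mac = pkt.get("Calling-Station-Id", "?")
        if pkt["Type"] == "Access-Accept" and "Inner-Identity" in pkt:
            # Remember the authenticated inner identity for this client MAC.
            inner_by_mac[mac] = normalize(pkt["Inner-Identity"])
        elif pkt["Type"] == "Accounting-Request" and pkt.get("Acct-Status-Type") == "Start":
            user = normalize(pkt.get("User-Name", ""))
            if user.startswith("host/"):
                # A computer account reached accounting: the host/ Handler did not catch it.
                findings.append((mac, "machine-account", user))
            elif mac not in inner_by_mac:
                findings.append((mac, "no-inner-identity", user))
            elif user != inner_by_mac[mac]:
                # The NAS is reporting the outer identity, not the one that authenticated.
                findings.append((mac, "outer-identity-in-accounting", f"{user} != {inner_by_mac[mac]}"))
    return findings
```

Sessions whose accounting User-Name matches the inner identity (the asmith case above) produce no finding, so the output is empty once the PostAuthHook arrangement works.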