[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

Heikki Vatiainen hvn at open.com.au
Sun May 18 18:26:16 CDT 2014


On 05/13/2014 11:15 PM, Michael Rodrigues wrote:

> I would like to REJECT any non-EAP in the outer handler. I've tried to 
> rearrange things to have only AuthBy FILE in the outer handler, having 
> AuthBy NTLM only in each inner handler.

Hello Michael,

try this:

<Handler EAP-Message=/.+/>
   # your current config for <Handler>
</Handler>

# Default Handler
<Handler>
   # Catches everything non-EAP
   # Could reject with e.g., AuthBy INTERNAL
</Handler>

Note that the above may require setting another Handler before the
default to catch the accounting, if this Radiator instance receives
accounting too.


> This would also (I think) 
> require me to move my AuthBy INTERNAL to each inner handler so that it 
> can get inner_identity once it is unpacked after AuthBy NTLM. After this 
> I would AuthBy FILE for blacklist.
> 
> However, I can't seem to get my outer handler to drop non-EAP requests:

I'd say the two Handler approach requires you not to rearrange internals
or require any large changes.

Please let us know how it works.

PS. I've been traveling lately so unfortunately it took a bit longer
than usual to reply.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
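
Added example (not part of the message above and not taken from the Radiator distribution): the handler layout the reply describes, written out with the reject and the accounting handler filled in. The choice of AuthBy INTERNAL with DefaultResult for both is an assumption; substitute your real accounting clause.

```conf
# Radiator tries each <Handler> in the order it appears in the
# configuration file and uses the first one whose check items all match.

# Assumption: existing inner handlers (for example TunnelledByPEAP=1)
# stay above these, unchanged from the current configuration.

# 1. Accounting. Only needed if this instance receives accounting;
#    without it, accounting requests would fall through to the default
#    Handler at the bottom.
<Handler Request-Type=Accounting-Request>
    # Placeholder: replace with your real accounting AuthBy or logging.
    <AuthBy INTERNAL>
        DefaultResult ACCEPT
    </AuthBy>
</Handler>

# 2. Outer EAP requests: any request carrying a non-empty EAP-Message.
<Handler EAP-Message=/.+/>
    # your current config for <Handler>
</Handler>

# 3. Default Handler: everything that reaches this point is non-EAP.
<Handler>
    <AuthBy INTERNAL>
        DefaultResult REJECT
    </AuthBy>
</Handler>
```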

