(RADIATOR) PEAP config and proxying

Mike McCauley mikem at open.com.au
Tue Apr 22 02:16:50 CDT 2003


Hi All,


On Mon, 21 Apr 2003 08:07 pm, Rute Sofia wrote:
> Hello Christian, Hugh,
>
> UserNamewithoutRealms does not work with the inner peap authentication,
> the same thing happens, i.e., there's no stripping of the realm on the
> inner credentials. However, the problem is solved, since Mike and Hugh
> provided a patch that allows the use of the rewriteusername clause within
> the authby, for mschap-v2.

As Rute mentioned, we have posted a patch to the Radiator 3.6 patches area:

EAP-MSCHAP-V2 now honours UsernameMatchesWithoutRealm and RewriteUsername by 
rewriting the inner authentication identity.

We added the UsernameMatchesWithoutRealm support after Rute tested 
RewriteUsername.

Cheers.

>
> regards,
> rute
>
> Hugh Irvine wrote:
> > Hello Christian, Hello Rute -
> >
> > I'm not sure if this will work or not - try it and see and let me know
> > if it does.
> >
> > regards
> >
> > Hugh
> >
> >
> > On Thursday, Apr 17, 2003, at 04:01 Australia/Melbourne, Christian Wiedmann wrote:
> >> I see what you're saying.  Can you use UsernameMatchesWithoutRealm (in the
> >> AuthBy FILE) to get the right behavior on the inner auth?
> >>
> >>     -Christian
> >>
> >> On Wed, 16 Apr 2003, Rute Sofia wrote:
> >>> As Hugh said, there's no way to move the rewrite to the inner request,
> >>> right? That is actually a problem because as Hugh said, it obliges our
> >>> users to enter the name without the domain.
> >>
> >> < >
> >>
> >>>> Also, you didn't mention whether you want to forward just the inner request,
> >>>> or the whole PEAP transaction.  The way you've written the config right now
> >>>> makes it look like you're doing the latter.  If this is unintentional, you
> >>>> probably want to add a TunneledByPEAP=1 to the forwarding handler. Otherwise,
> >>>> add TunneledByPeap=0 to prevent it from trying to forward failed inner
> >>>> requests.
> >>>
> >>> I want to fw the whole transaction. And that is working. My only problem
> >>> is handling credentials (inner) that arrive as user at mydomain.xpto.
> >>>
> >>>
> >>> Regards,
> >>> Rute
> >>>
> >>> ===
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >
> > NB: have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
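
A configuration fragment showing where the inner-identity rewrite discussed in this thread applies, added here as an example and not taken from the thread or from Radiator's own files. It assumes Radiator 3.6 with the patch applied, a flat users file at %D/users, and mydomain.xpto as the local realm; the outer PEAP handler is unchanged and not shown.

```conf
# Added example (constructed), not a configuration posted in this thread.
# Assumptions: local accounts are stored without a realm in %D/users,
# and the only realm that should map to them is mydomain.xpto.

# Handles the inner request once the PEAP tunnel has been unwrapped.
# Rewrites on the outer request never see the inner identity, so the
# rewrite has to sit in the AuthBy that performs EAP-MSCHAP-V2.
<Handler TunneledByPEAP=1>
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2

        # Broad form: drops whatever follows the first "@", so an inner
        # identity from ANY realm is looked up as a local account name.
        # RewriteUsername s/^([^@]+).*/$1/

        # Narrow form: strips only the expected realm. Inner identities
        # carrying another realm keep their full name and therefore do
        # not match a realm-less entry in the users file.
        # The "@" is escaped because the expression is evaluated as Perl.
        RewriteUsername s/^([^@]+)\@mydomain\.xpto$/$1/i
    </AuthBy>
</Handler>
```

Running with Trace 4, as requested in the quoted message, is the way to confirm from the debug output which identity the inner authentication actually looks up.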
