(RADIATOR) EAP-TTLS clarification on inner/outer authentication.

Bret Jordan bret.jordan at utah.edu
Wed Aug 13 10:41:42 CDT 2003


The outer authentication is not really important in TTLS. Thus you 
can set it to anonymous. The one place that it does become important 
is if you are using a Radius Realm Mesh to distribute authentication 
based upon Domain name. Then the TTLS session needs that information 
to determine which Radius server to send the data to. Thus you would 
use anonymous@domain.com in the outer part and username@domain.com on 
the inside authentication.

Bret

John McFadden wrote:

> As far as I can tell I've got EAP-TTLS working but I'm still confused 
> about the inner vs outer authentication.
>
> I'm using the Funk client.
>
> -the logon name is dasjlm
> -authentication protocol is EAP/TTLS
> -inner protocol is PAP
> -the anonymous name is anonymous
>
>
> I thought I was supposed to config radius to
> -use LDAP to authenticate inner userids - ie: dasjlm.
> -use a flat file to authenticate outer userids - ie: anonymous
>
> Based on the logs that seems to be happening, but I'd appreciate a few 
> comments to verify I've set things up correctly,
> as it appears the "EAPAnonymous" parm refers to INNER authentication.
>
>
> I've included applicable parts of my config file below.
>
>
>
> <Realm INNER>
>    <AuthBy FILE>
>        # Users must be in this file to get anywhere. In this example,
>        # it requires an entry for 'anonymous', which is the standard
>        # username in the outer requests, and it also requires an entry
>        # for the actual user name who is trying to connect (ie the
>        # 'Login name' entered in the Funk Odyssey 'Edit Profile
>        # Properties' page)
>        Filename /etc/radiator/users
>        EAPTLS_CertificateFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
>        EAPTLS_CAFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
>        EAPTLS_CertificateType PEM
>        EAPTLS_PrivateKeyFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.key
>        EAPTLS_PrivateKeyPassword nnnnnnnnnn
>        AutoMPPEKeys
>        EAPType TTLS
>    </AuthBy>
> </Realm>
>
>
>
>
>
> <Realm DEFAULT>
> <AuthBy LDAP2>
>        Host        129.100.2.39
>        AuthDN        cn=directory manager
>        AuthPassword    nnnnnnnnn
>        AuthAttrDef description,Role,request
>        BaseDN        dc=its, dc=uwo, dc=ca
>        UsernameAttr    uid
>        PasswordAttr    userPassword
>        EAPType TTLS
>        EAPTLS_CAFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
>        EAPTLS_CertificateFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
>        EAPTLS_CertificateType PEM
>        EAPTLS_PrivateKeyFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.key
>        EAPTLS_PrivateKeyPassword nnnnnnnn
>        EAPTLS_MaxFragmentSize 1024
>        AutoMPPEKeys
>        SSLeayTrace 4
>        # You can configure the User-Name that will be used for the inner
>        # authentication. Defaults to 'anonymous'. This can be useful
>        # when proxying the inner authentication. If there is a realm, it can
>        # be used to choose a local Realm to handle the inner authentication.
>        # %0 is replaced with the EAP identity
>        EAPAnonymous anonymous@INNER
> </AuthBy>
>
> </Realm>
>
> Thanks JLM


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bret Jordan                       Dean's Office
Computer Administrator   College of Engineering
801.585.3765                 University of Utah
            jordan at coe.utah.edu
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


(RADIATOR) Acct-Session-Time Questions

Dan Vande More dvm at firstlink.com
Wed, 13 Aug 2003 09:44:02 -0600


I have a few questions related to Acct-Session-Time. I seem to have answered most of them, but some I'm second-guessing myself on.

First I see this in my session logs for a distinct user:

        Acct-Session-Time = 710920
        Acct-Session-Time = 711733
        Acct-Session-Time = 712554
        Acct-Session-Time = 713450
        Acct-Session-Time = 714335
        Acct-Session-Time = 715209
        Acct-Session-Time = 716083
        Acct-Session-Time = 716903
        Acct-Session-Time = 717728
        Acct-Session-Time = 718596
        Acct-Session-Time = 719435
        Acct-Session-Time = 720306

So, I'm assuming the Acct-Session-Time is cumulative. 
These numbers descend all the way down to 15, in (random) increments. 

Are these numbers calculated on the fly, by radiator, from the detail file? So if I rotate the logfile every month, does it start over on a new log file?

Additionally, are these numbers in seconds (another assumption I'm making)?

If so, then my math (bc 1.06) shows:

720306/60
12005
12005/60
200

So this user has had 200 hours of active session time?

Thanks!

Dan Vande More
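A way to check what Dan's Acct-Session-Time series is telling him, written as an added example rather than anything from Radiator or the posters: Acct-Session-Time (RFC 2866) is the seconds-of-service counter the NAS computes and sends in each interim and stop record, so it climbs within one session and drops back near zero when a new session starts; the code below parses detail-log lines, splits the series at each drop, and reports interim spacing and whole hours per session. The sample log is constructed from the values quoted in the post plus one extra session.

```python
"""Check Acct-Session-Time values from a RADIUS detail log.

Added example for the question above; not Radiator's code.  Acct-Session-Time
(RFC 2866) is the number of seconds the NAS says the user has received service
in the current session.  The NAS computes it; the RADIUS server only logs it,
so rotating the detail file does not reset it, but a new session does.
"""
import re

ATTR_RE = re.compile(r"^\s*Acct-Session-Time\s*=\s*(\d+)\s*$")

# Constructed sample: the values quoted in the post, then a second session.
SAMPLE_LOG = """\
        Acct-Session-Time = 710920
        Acct-Session-Time = 711733
        Acct-Session-Time = 712554
        Acct-Session-Time = 713450
        Acct-Session-Time = 714335
        Acct-Session-Time = 715209
        Acct-Session-Time = 716083
        Acct-Session-Time = 716903
        Acct-Session-Time = 717728
        Acct-Session-Time = 718596
        Acct-Session-Time = 719435
        Acct-Session-Time = 720306
        Acct-Session-Time = 15
        Acct-Session-Time = 870
"""

def parse_session_times(text):
    """Extract the integer Acct-Session-Time values, in log order."""
    return [int(m.group(1)) for line in text.splitlines()
            if (m := ATTR_RE.match(line))]

def split_sessions(values):
    """Split the cumulative series into sessions wherever the counter drops."""
    sessions, current = [], []
    for v in values:
        if current and v < current[-1]:
            sessions.append(current)
            current = []
        current.append(v)
    return sessions + [current] if current else sessions

def summarize(values):
    sessions = split_sessions(values)
    return {
        "sessions": len(sessions),
        "interim_intervals": [[b - a for a, b in zip(s, s[1:])] for s in sessions],
        "whole_hours": [s[-1] // 3600 for s in sessions],
    }
```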
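The inner/outer split that Bret describes in the EAP-TTLS exchange above, as an added model written for this page (not Radiator's code and not John's configuration): only the cleartext outer identity is used to route the request through a realm mesh, the credential check happens solely on the tunnelled inner identity, and the model also flags the two misconfigurations a reviewer looks for, a real username in the outer identity and an outer/inner realm mismatch. The realm table, server names and the user table are constructed stand-ins.

```python
"""Model of the EAP-TTLS outer/inner identity split discussed in the thread.

Added illustration, not Radiator's code.  The outer EAP-Identity crosses the
air and every proxy in the clear, so it should carry only the realm needed
for routing (anonymous@realm); the real User-Name and PAP password are seen
only by the server that terminates the TLS tunnel.  The realm table and the
user table below are constructed stand-ins.
"""

# Constructed "realm mesh": the home RADIUS server for each outer realm.
REALM_MESH = {"domain.com": "radius.domain.com", "uwo.ca": "ramp2.ramp.its.uwo.ca"}
LOCAL_REALM = "INNER"                  # local realm name, as in the quoted config
LOCAL_USERS = {"dasjlm": "s3cret"}     # stand-in for the LDAP backend


def split_realm(identity):
    """'user@realm' -> (user, realm); realm is None when there is no '@'."""
    user, sep, realm = identity.rpartition("@")
    return (identity, None) if not sep else (user, realm)


def route_outer(outer_identity):
    """Pick the TLS-terminating server from the cleartext outer identity alone."""
    _, realm = split_realm(outer_identity)
    if realm is None or realm == LOCAL_REALM:
        return "local"
    return REALM_MESH.get(realm, "local")   # unknown realm: handle locally


def ttls_auth(outer_identity, inner_username, inner_password, users=LOCAL_USERS):
    """Simulate one TTLS/PAP exchange and report what each stage could observe."""
    outer_user, outer_realm = split_realm(outer_identity)
    inner_user, inner_realm = split_realm(inner_username)
    return {
        # Routing decision made before any TLS is set up.
        "tls_endpoint": route_outer(outer_identity),
        # Anything but 'anonymous' outside the tunnel exposes the username to
        # every proxy and to anyone listening on the wireless link.
        "outer_leaks_username": outer_user.lower() != "anonymous",
        # Policy this model enforces: if both identities carry a realm, they
        # must agree, otherwise the tunnel was routed to the wrong home server.
        "realm_mismatch": (outer_realm is not None and inner_realm is not None
                           and outer_realm != inner_realm),
        # The only credential check happens here, inside the tunnel, against
        # the inner User-Name with its realm stripped.
        "accepted": users.get(inner_user) == inner_password,
    }
```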


More information about the radiator mailing list