(RADIATOR) Question about outer identities.

Hugh Irvine hugh at open.com.au
Sun Aug 22 20:14:42 CDT 2004 

Hi Terry -

See below.


On 23 Aug 2004, at 08:44, Mike McCauley wrote:

> Hello Terry,
>
> On Friday 20 August 2004 14:02, Terry Simons wrote:
>> Hi everybody,
>>
>> I have some questions about the handling of outer identities, and some
>> feature requests (If they aren't already implemented...)
>>
>> I know that TTLS and PEAP allow the use of the "anonymous" outer
>> identity (where the outer identity is anonymous at realm, for identity
>> hiding).
>>
>> Radiator, though, doesn't seem to be checking that outer == inner ||
>> outer == anonymous at utah.edu.  In other words, it is possible to do
>> something like:
>>
>> joe at utah.edu for the outer identity, and bob at utah.edu for the inner
>> identity, and most authenticators will end up sending an accounting
>> record for "joe at utah.edu" because that's all the authenticator really
>> knows about (Unless your authenticator supports a reply-attribute with
>> the username, but that's not really relevant to this conversation...)
>
> We believe that is a useful feature for some people, and that it is not
> prohibited by the spec.
>
>>
>> So basically what I want to know is:
>>
>> 1) Is there a way to force Radiator to make sure that the outer
>> identity is one of "anonymous at realm" OR "user at realm" (where user at realm
>> is identical to the inner, or at least the "user" portion of the inner
>> and outer match...)
>
> There is no built-in way to force this.

It would be fairly simple to do this with a hook in the Handler for the 
inner request, as the outer request is available as

	$p->{outerRequest}


>
>>
>> 2) Is there a way to force Radiator to NOT allow anonymous in the 
>> outer
>> identity?  (This is something we are considering to help with
>> accounting problems...)
> Several, which I will leave to Hugh to outline.
>

One way to do this is with cascaded AuthBy clauses in which an AuthBy 
FILE calls another AuthBy clause.

The file referenced by the AuthBy FILE would contain something like 
this:

# define DEFAULT's

DEFAULT  User-Name = anonymous, Auth-Type = Reject

DEFAULT Auth-Type = YourAuthByModule

You could also have a Handler with an AuthBy INTERNAL

<Handler User-Name = anonymous>
	<AuthBy INTERNAL>
		DefaultResult REJECT
	</AuthBy>
</Handler>

regards

Hugh


>
>>
>> Also, what does the "EAPAnonymous %0" directive do?  I can't find any
>> references in the documentation to it.  It seems like, from what I
>> gather, it uses the inner identity when handled by a TunnelledByPEAP =
>> 1 handler... is that correct, or am I way off base? ;-)
> EAPAnonymous specifies how the Radius User-Name will be constructed 
> for the
> inner requests for TTLS and PEAP. It defaults to 'anonymous', but can 
> be set
> to almost anything, including %0, which means 'the EAP identity used 
> for the
> inner requests'.
>
> Up until recently, the only doc for this was in the example config 
> files. The
> next release will have complete docs for this parameter.
>
>>
>> And finally, I found a typo in one of the goodies files... not a big
>> deal, but I figured I would mention it.
>
> Fixed for the next release. Thanks.
>
>>
>> File: eap_peap_tls.cfg
>> Line: 188
>> "tehre" should be "there"
>>
>> - Terry
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   
> http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list