(RADIATOR) Testing help with new Kerberos5 Auth Module.

Mike McCauley mikem at open.com.au
Fri Mar 26 23:49:24 CST 2004


Hello Terry,


On Sat, 27 Mar 2004 02:58 pm, Terry Simons wrote:
> Mike,
>
> I have been working with Steve on this project (though he has done most
> of the work! ;-)
>
> I have a few comments inline...
>
> On Mar 26, 2004, at 8:20 PM, Mike McCauley wrote:
> > Hello Steve,
> >
......

> >
> > I've just tested your module with ordinary Radius PAP, KRB5 1.2.7 and
> > Authen
> > KRB5 1.3 and it works as you say. Nice work.
> >
> > The problem with EAP, is that the AuthTEST.pm you based your code on
> > is not
> > really designed to work well with EAP. However, I would expect your
> > code to
> > work OK with TTLS-PAP, where you had your AuthBy KRB5 inside your
> > <Handler
> > TunnelledByTTLS> clause.
>
> Would not having a TunnelledByTTLS clause cause what we are seeing?

Hard to be sure without seeing your config file.
I think so, but that's just an educated guess.
I don't expect that your module would be able to handle the outer TTLS 
authentication. When I tested here with a config file based on 
goodies/eap_ttls.cfg (which does not have a TunnelledByTTLS clause), it 
barfed when trying to authenticate the outer tunnel:

Sat Mar 27 15:40:36 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Sat Mar 27 15:40:36 2004: DEBUG:  Deleting session for anonymous, 
203.63.154.252, 37
Sat Mar 27 15:40:36 2004: DEBUG: Working in KRB5 realm OPEN.COM.AU
Sat Mar 27 15:40:36 2004: DEBUG: Building principle: anonymous at OPEN.COM.AU
Sat Mar 27 15:40:36 2004: INFO: Access rejected for anonymous: Kinit failed: 
Client not found in Kerberos database
Sat Mar 27 15:40:36 2004: DEBUG: Packet dump:

but it worked fine when I used a config file based on goodies/eap_multi.cfg 
(which does have a TunnelledByTTLS clause), like this:

Sat Mar 27 15:45:55 2004: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  8<128>i<153>7<225>Z<236><249>q<248>6E9<171><213>
Attributes:
        User-Name = "mikem"
        User-Password = "fred"

Sat Mar 27 15:45:55 2004: DEBUG: Handling request with Handler 
'TunnelledByTTLS=1'
Sat Mar 27 15:45:55 2004: DEBUG:  Deleting session for mikem, 203.63.154.252,
Sat Mar 27 15:45:55 2004: DEBUG: Working in KRB5 realm OPEN.COM.AU
Sat Mar 27 15:45:55 2004: DEBUG: Building principle: mikem at OPEN.COM.AU
Sat Mar 27 15:45:55 2004: DEBUG: Successful auth
Sat Mar 27 15:45:55 2004: DEBUG: Access accepted for mikem
Sat Mar 27 15:45:55 2004: DEBUG: EAP result: 0, EAP TTLS inner authentication 
redespatched to a Handler


>
> We don't currently have one, but things work for regular Sybase queries
> (although that is on a different server with a different version of
> Radiator...)
>
> > In fact, the only types of EAP authentication that would be possible
> > to work
> > with Kerberos passwords would be TTLS-PAP, because all the other types
> > of EAP
> > rely on one-way hashes of the plaintext password (and/or certificates).
>
> Yeah, that's not a problem.  I'm sure you have seen me ranting about
> TTLS vs PEAP on the list already. :-)
>
> > This
> > means that recovering the plaintext password to give to Kerberos is
> > impossible except with TTLS-PAP).
>
> No problem there... our security office has mandated encrypted
> passwords, so it's pretty easy for us to justify TTLS->PAP vs other
> authentication types.
>
> Why we're going to use Kerberos is kind of a long story, but it's
> already deployed for the student labs, so we're just utilizing our
> infrastructure.  ;-)
>
> > To tell any more what your problem might be, we would need to see the
> > complete
> > log file at trace level 4 plus your config file (no secrets).
>
> As usual.
>
> I'll test a new configuration with the TunnelledByTTLS clause on Monday
> and if that doesn't work we'll get the information to you (of course,
> Steve might send it to you anyway, but if he doesn't it'll happen
> Monday).
>
> Thanks!
>
> - Terry

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
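The layout Mike describes above, as an added configuration sketch that is not from the thread, from Steve's module, or from Radiator's goodies files: the EAP-TTLS tunnel is terminated by a catch-all Handler, and the tunnelled PAP request is redespatched to a separate `<Handler TunnelledByTTLS=1>` clause that holds the `<AuthBy KRB5>`. Keeping Kerberos out of the outer Handler is what avoids the "Kinit failed: Client not found in Kerberos database" rejection in the first log, where the outer identity (anonymous) was passed to kinit. Certificate paths, the users file name, the key password and the `KrbRealm` parameter name are assumptions; the realm OPEN.COM.AU is the one shown in the log.

```text
# Added example, not part of the original thread. Assumed values are marked.

# Inner handler first: Radiator tries Handlers in the order they appear,
# so the TunnelledByTTLS=1 clause must precede the catch-all <Handler>.
# Only the tunnelled PAP request lands here, so the plaintext User-Password
# is available to hand to Kerberos (this is why TTLS-PAP works and
# hash-based EAP types cannot).
<Handler TunnelledByTTLS=1>
	<AuthBy KRB5>
		# Assumed parameter name; the thread only shows the realm in the log.
		KrbRealm OPEN.COM.AU
	</AuthBy>
</Handler>

# Outer handler: terminates the TLS tunnel only. The outer identity
# (typically "anonymous") never reaches Kerberos from this clause.
<Handler>
	<AuthBy FILE>
		# Assumed path to the outer users file.
		Filename %D/users
		EAPType TTLS
		# Assumed certificate and key paths.
		EAPTLS_CAFile %D/certificates/cacert.pem
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword PLACEHOLDER_KEY_PASSWORD
		AutoMPPEKeys
	</AuthBy>
</Handler>
```

With this ordering, a trace level 4 log for a tunnelled request should show "Handling request with Handler 'TunnelledByTTLS=1'" followed by the KRB5 realm and principal lines, as in the second log above; if the outer Handler's name appears before the kinit attempt instead, the tunnelled request is falling through to the catch-all clause.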

