(RADIATOR) Question about var differences between inner and outer authentications.

Terry Simons galimore at mac.com
Tue Oct 12 00:16:53 CDT 2004


Hi Mike,

I'm still having issues.

I understand the inner/outer handlers pretty well.  I have a 
TunnelledByTTLS and PEAP declaration defined, and I'm trying to copy 
attributes from the outer portion of the tunnel to the inner portion of 
the tunnel.

What I don't understand from your below explanation is exactly how to 
craft things the way I need.  The examples in "goodies" don't really 
help, since there isn't a solid example specifically for inner vs 
outer. ;-)  (If I can figure this out I'll make one and submit it).

I've tried several permutations of AddToRequest in my inner handler, 
and outer handler, but nothing seems to be working.

I'm specifically trying to copy the Calling-Station-Id and 
Called-Station-Id to the inner request.  They both exist in the Outer 
request, as I can log them with an AuthLog declaration.

Does that make sense?  Perhaps I'm just missing something simple?

So what I've tried is:

<Handler>
AddToRequest Calling-Station-Id=%{Calling-Station-Id}, Called-Station-Id=%{Called-Station-Id}

AuthLog OuterAuthLog

AuthBy BY_FILE
</Handler>

I also tried adding the AddToRequest to my inner handler, but that 
didn't seem to help either.

Is this basically right, or am I doing it wrong?

Do I need to use a hook to do this?  It seems like it should be 
possible...

I've also tried variations of AddToRequest Class= "Calling-Station-Id = 
%{Calling-Station-Id}", but that didn't seem to work either.

Thanks!

- Terry

On Oct 11, 2004, at 10:43 PM, Mike McCauley wrote:

> Hello Terry,
>
>
> On Tuesday 12 October 2004 14:25, Terry Simons wrote:
>> Hi,
>>
>> I'm curious how Radiator handles the Inner authentication in, for
>> instance, a TTLS->PAP authentication.
>
> Radiator extracts the Diameter-like attributes tunnelled through the
> outer TTLS connection, and uses the attributes to create a new 'fake'
> inner Radius request which is then sent back to the top of the Radiator
> event handling system, where it will be redespatched to a
> Realm-or-Handler, and thence to one or more AuthBy clauses.
>
> This means that you can do all sorts of stuff to the requests as they
> reenter the event handling system. For example you can set up a Handler
> that will only handle inner TTLS requests with:
>
> <Handler  TunnelledByTTLS=1>
>
> and then add or subtract attributes from the request with AddToRequest,
> StripFromRequest etc.
>
> Hope that helps, but please let me know if I can tell you more.
>
> Cheers.
>
>>
>>  Is it possible to artificially insert attributes from the outer tunnel
>> into the inner (for instance, Calling-Station-Id)?  I've been trying to
>> grok through EAP_21.pm, but so far I haven't been able to figure this
>> out.
>>
>> Thanks!
>>
>> - Terry
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   
> http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
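
The re-dispatch Mike describes in the quoted reply, as an added Python model (not Radiator code and not part of the original thread): it shows which request an AddToRequest-style `%{Name}` substitution sees when it sits in the outer handler versus the `TunnelledByTTLS=1` handler. The function names, the `copy_from_outer` step and the sample attribute values are constructed for illustration; the model assumes `%{Name}` expands against the request currently being handled and that a missing attribute expands to an empty string.

```python
import re

# Constructed sample: outer Access-Request attributes, and the
# Diameter-like AVPs already decoded from inside the TTLS tunnel.
OUTER = {"User-Name": "anonymous", "Calling-Station-Id": "00-11-22-33-44-55",
         "Called-Station-Id": "AA-BB-CC-DD-EE-FF:corp"}
TUNNELLED = {"User-Name": "terry", "User-Password": "secret"}
COPY = "Calling-Station-Id=%{Calling-Station-Id}, Called-Station-Id=%{Called-Station-Id}"

def expand(template, request):
    """Expand %{Name} against the request being handled (assumed: missing -> '')."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: request["attrs"].get(m.group(1), ""), template)

def add_to_request(request, spec):
    """Model of AddToRequest: comma-separated Name=value pairs."""
    for pair in filter(None, (p.strip() for p in spec.split(","))):
        name, value = pair.split("=", 1)
        request["attrs"][name.strip()] = expand(value.strip(), request)

def make_inner(outer, tunnelled):
    """The 'fake' inner request holds only what came through the tunnel."""
    return {"attrs": dict(tunnelled), "TunnelledByTTLS": 1, "outer": outer}

def dispatch(request, handlers):
    """First handler whose check items all match gets the request."""
    for checks, spec in handlers:
        if all(request.get(k) == v for k, v in checks.items()):
            add_to_request(request, spec)
            return request
    raise LookupError("no handler matched")

def run(handlers):
    """Handle the outer request, then re-dispatch the inner one from the top."""
    outer = dispatch({"attrs": dict(OUTER)}, handlers)
    inner = dispatch(make_inner(outer, TUNNELLED), handlers)
    return outer, inner

def copy_from_outer(inner, names):
    """Hypothetical hook-like step: read explicitly from the outer request."""
    for name in names:
        if name in inner["outer"]["attrs"]:
            inner["attrs"][name] = inner["outer"]["attrs"][name]
    return inner
```

In this model, any inner-handler policy keyed on Calling-Station-Id sees a missing or empty value unless the attribute is read from the outer request explicitly.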

