(RADIATOR) <AuthBy GROUP> and eap tunnelled authentication

Kawakubo, Ken kkawakub at fhcrc.org
Mon Feb 14 10:51:03 CST 2005


All,

Our root and server certificates for PEAP/MSCHAPv2 and EAP-TTLS
authentications will expire in a month or so. I am wondering if there are
ways to make the transition smooth. I thought if wireless LAN users can
authenticate with either the old or new certs then we can buy some time. I
tried using <AuthBy GROUP> with PEAP and EAP-TTLS as follows, but it does
not seem to work. When the first authentication fails, it does not try the
second authentication. Changing conditionals makes no difference. It appears
that the tunnelled EAP authentication methods, since they consist of many
steps, do not work with <AuthBy GROUP>. I would like to know if there is a
way to implement something like this using <AuthBy GROUP> or some other
way.

Ken Kawakubo
FHCRC

*****

<Handler>

	<AuthBy GROUP>

		AuthByPolicy	ContinueWhileReject

		<AuthBy FILE>

			Filename C:/Program Files/Radiator/users

			EAPType PEAP,TTLS
			EAPTLS_PEAPVersion 0

			EAPTLS_CAFile C:/Program Files/Radiator/Newcert/cacert.pem
			EAPTLS_CertificateFile C:/Program Files/Radiator/Newcert/Newcert.pem
			EAPTLS_CertificateType PEM
			EAPTLS_PrivateKeyFile C:/Program Files/Radiator/Newcert/Newcert.pem
			EAPTLS_PrivateKeyPassword xxxxx
			EAPTLS_MaxFragmentSize 1024
			AutoMPPEKeys
			SSLeayTrace 4

		</AuthBy>

		<AuthBy FILE>

			Filename C:/Program Files/Radiator/users

			EAPType PEAP,TTLS
			EAPTLS_PEAPVersion 0

			EAPTLS_CAFile C:/Program Files/Radiator/Oldcert/cacert.pem
			EAPTLS_CertificateFile C:/Program Files/Radiator/Oldcert/Oldcert.pem
			EAPTLS_CertificateType PEM
			EAPTLS_PrivateKeyFile C:/Program Files/Radiator/Oldcert/Oldcert.pem
			EAPTLS_PrivateKeyPassword xxxxx
			EAPTLS_MaxFragmentSize 1024
			AutoMPPEKeys
			SSLeayTrace 4

		</AuthBy>

	</AuthBy>

	AcctLogFileName	%L/detail
	AuthLog		eap-authlog

</Handler>
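
The behaviour described in the message, as an added example that is not part of the original post and is not Radiator code: a simplified Python model of a ContinueWhileReject group around two multi-round tunnelled-EAP clauses. It assumes the first clause answers the initial EAP identity message with a challenge rather than a reject; the names `TunnelClause`, `group_continue_while_reject`, `run_session`, `new-ca` and `old-ca` are hypothetical.

```python
# Simplified model (constructed for illustration, not Radiator code) of a
# ContinueWhileReject group wrapped around two multi-round EAP tunnel clauses.
ACCEPT, REJECT, CHALLENGE = "ACCEPT", "REJECT", "CHALLENGE"

class TunnelClause:
    """One inner clause that presents a server certificate issued by `ca`."""
    def __init__(self, ca):
        self.ca = ca
        self.sessions = set()          # conversations this clause started

    def handle(self, session, msg):
        if msg == "identity":          # round 1: start TLS, send our cert
            self.sessions.add(session)
            return CHALLENGE
        if session not in self.sessions:
            return REJECT              # mid-conversation message, no TLS context
        self.sessions.discard(session)
        return ACCEPT if msg == "tls_finished" else REJECT

def group_continue_while_reject(clauses, session, msg):
    """Try clauses in order; move on only while the result is REJECT."""
    result, ca = REJECT, None
    for clause in clauses:
        result, ca = clause.handle(session, msg), clause.ca
        if result != REJECT:
            break
    return result, ca

def run_session(clauses, client_trusted_cas, session="s1"):
    """Return (final result, CAs whose certificate the client was shown)."""
    shown = []
    result, ca = group_continue_while_reject(clauses, session, "identity")
    while result == CHALLENGE:
        shown.append(ca)
        # The client aborts the handshake if it does not trust the issuer.
        reply = "tls_finished" if ca in client_trusted_cas else "tls_alert"
        result, ca = group_continue_while_reject(clauses, session, reply)
    return result, shown

if __name__ == "__main__":
    for trusted in ({"old-ca"}, {"new-ca"}):
        clauses = [TunnelClause("new-ca"), TunnelClause("old-ca")]
        print(sorted(trusted), run_session(clauses, trusted))
```

In this model the second clause is only consulted once the conversation has already failed, so a client that trusts only the second clause's CA is never shown that certificate.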
