(RADIATOR) <AuthBy GROUP> and eap tunnelled authentication
Mike McCauley
mikem at open.com.au
Mon Feb 14 15:05:23 CST 2005
Hello Ken,
On Tuesday 15 February 2005 02:51, Kawakubo, Ken wrote:
> All,
>
> Our root and server certificates for PEAP/MSCHAPv2 and EAP-TTLS
> authentications will expire in a month or so. I am wondering if there are
> ways to make the transition smooth. I thought if wireless LAN users can
> authenticate with either the old or new certs then we can buy some time. I
> tried using <AuthBy GROUP> with PEAP and EAP-TTLS as follows, but it does
> not seem to work. When the first authentication fails, it does not try the
> second authentication. Changing conditionals makes no difference. It appears
> that the tunnelled eap authentication methods, since they consist of many
> steps, do not work with <AuthBy GROUP>. I would like to know if there is a
> way to implement something like this using <AuthBy GROUP> or some other
> way.
I don't think that having multiple AuthBys is the right way to do this.
The right way, I think, is to make the right arrangements with your
certificates.
Radiator can handle multiple root certificates with the EAPTLS_CAPath
parameter. It names a directory that contains multiple root certificates,
each with a file name that is based on a hash of the subject name. More
details are in the openssl doc. Of course this is only necessary to validate
multiple client certificates with different roots.
Are the client certificates changing?
Does the new server certificate have a new root too? Private? Then all your
clients will need the new root certificate too. When they are all installed,
you can install the new server certificate and restart Radiator.
>
> Ken Kawakubo
> FHCRC
>
> *****
>
> <Handler>
>     <AuthBy GROUP>
>         AuthByPolicy ContinueWhileReject
>
>         <AuthBy FILE>
>             Filename C:/Program Files/Radiator/users
>
>             EAPType PEAP,TTLS
>             EAPTLS_PEAPVersion 0
>
>             EAPTLS_CAFile C:/Program Files/Radiator/Newcert/cacert.pem
>             EAPTLS_CertificateFile C:/Program Files/Radiator/Newcert/Newcert.pem
>             EAPTLS_CertificateType PEM
>             EAPTLS_PrivateKeyFile C:/Program Files/Radiator/Newcert/Newcert.pem
>             EAPTLS_PrivateKeyPassword xxxxx
>             EAPTLS_MaxFragmentSize 1024
>             AutoMPPEKeys
>             SSLeayTrace 4
>         </AuthBy>
>
>         <AuthBy FILE>
>             Filename C:/Program Files/Radiator/users
>
>             EAPType PEAP,TTLS
>             EAPTLS_PEAPVersion 0
>
>             EAPTLS_CAFile C:/Program Files/Radiator/Oldcert/cacert.pem
>             EAPTLS_CertificateFile C:/Program Files/Radiator/Oldcert/Oldcert.pem
>             EAPTLS_CertificateType PEM
>             EAPTLS_PrivateKeyFile C:/Program Files/Radiator/Oldcert/Oldcert.pem
>             EAPTLS_PrivateKeyPassword xxxxx
>             EAPTLS_MaxFragmentSize 1024
>             AutoMPPEKeys
>             SSLeayTrace 4
>         </AuthBy>
>     </AuthBy>
>
>     AcctLogFileName %L/detail
>     AuthLog eap-authlog
> </Handler>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
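A worked example of the EAPTLS_CAPath directory layout that the reply describes, added here and not part of the thread or of Radiator itself: each trusted root is stored as <subject-hash>.<n>, which is what lets the old and the new root coexist while client certificates from both are still in use (for PEAP/TTLS the server still presents only one server certificate). The directory and certificate paths are assumptions.

```shell
#!/bin/sh
# Build the directory that Radiator's EAPTLS_CAPath points at: OpenSSL looks
# up a trusted root there by <subject-name-hash>.<n>, where n starts at 0 and
# counts up when several roots share a hash. Added example, not Radiator code;
# the directory and certificate paths are assumptions.

# Print the first unused suffix for HASH in DIR (0, 1, 2, ...), so a second
# root whose subject hashes the same as an existing one is not overwritten.
next_free_suffix() {
    dir=$1
    hash=$2
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Copy one PEM root certificate into DIR under its hash name and print the
# resulting path. The hash must come from the same OpenSSL generation that
# Radiator (via Net::SSLeay) is linked against: OpenSSL 1.0.0 changed the
# subject-hash algorithm, and a 0.9.8-style name never matches a 1.0.0 lookup.
install_root() {
    dir=$1
    cert=$2
    h=$(openssl x509 -noout -hash -in "$cert") || return 1
    n=$(next_free_suffix "$dir" "$h")
    cp "$cert" "$dir/$h.$n" || return 1
    echo "$dir/$h.$n"
}

# Install every root given on the command line into DIR, e.g. the old and
# the new CA certificate during a rollover.
install_roots() {
    dir=$1
    shift
    mkdir -p "$dir" || return 1
    for c in "$@"; do
        install_root "$dir" "$c" || { echo "could not install $c" >&2; return 1; }
    done
}

# Example call (paths are assumptions):
#   install_roots /etc/radiator/capath Oldcert/cacert.pem Newcert/cacert.pem
# then in radius.cfg:
#   EAPTLS_CAPath /etc/radiator/capath
```

Newer OpenSSL releases ship `openssl rehash` (and the older `c_rehash` script), which produce the same layout; the hand-rolled version above only shows what those tools do.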