(RADIATOR) <AuthBy GROUP> and eap tunnelled authentication

Mike McCauley mikem at open.com.au
Mon Feb 14 15:05:23 CST 2005


Hello Ken,


On Tuesday 15 February 2005 02:51, Kawakubo, Ken wrote:
> All,
>
> Our root and server certificates for PEAP/MSCHAPv2 and EAP-TTLS
> authentications will expire in a month or so. I am wondering if there are
> ways to make the transition smooth. I thought if wireless LAN users can
> authenticate with either the old or new certs then we can buy some time. I
> tried using <AuthBy GROUP> with PEAP and EAP-TTLS as follows, but it does
> not seem to work. When the first authentication fails, it does not try the
> second authentication. Changing conditionals make no difference. It appears
> that the tunnelled eap authentication methods, since they consists of many
> steps, do not work with <AuthBy GROUP>. I would like to know if there is a
> way to implement something like this using <AuthBy GROUP> or some other
> ways.

I don't think that having multiple AuthBys is the right way to do this.
The right way, I think, is to make the right arrangements with your 
certificates.

Radiator can handle multiple root certificates with the EAPTLS_CAPath 
parameter. It names a directory that contains multiple root certificates, 
each with a file name that is based on a hash of the subject name. More 
details in the openssl doc. Of course this is only necessary to validate 
multiple client certificates with different roots.

Are the client certificates changing?

Does the new server certificate have a new root too? Private? Then all your 
clients will need the new root certificate too. When they are all installed, 
you can install the new server certificate and restart Radiator.



>
> Ken Kawakubo
> FHCRC
>
> *****
>
> <Handler>
> 	<AuthBy GROUP>
> 		AuthByPolicy	ContinueWhileReject
> 		<AuthBy FILE>
> 			Filename C:/Program Files/Radiator/users
> 			EAPType PEAP,TTLS
> 			EAPTLS_PEAPVersion 0
> 			EAPTLS_CAFile C:/Program Files/Radiator/Newcert/cacert.pem
> 			EAPTLS_CertificateFile C:/Program Files/Radiator/Newcert/Newcert.pem
> 			EAPTLS_CertificateType PEM
> 			EAPTLS_PrivateKeyFile C:/Program Files/Radiator/Newcert/Newcert.pem
> 			EAPTLS_PrivateKeyPassword xxxxx
> 			EAPTLS_MaxFragmentSize 1024
> 			AutoMPPEKeys
> 			SSLeayTrace 4
> 		</AuthBy>
> 		<AuthBy FILE>
> 			Filename C:/Program Files/Radiator/users
> 			EAPType PEAP,TTLS
> 			EAPTLS_PEAPVersion 0
> 			EAPTLS_CAFile C:/Program Files/Radiator/Oldcert/cacert.pem
> 			EAPTLS_CertificateFile C:/Program Files/Radiator/Oldcert/Oldcert.pem
> 			EAPTLS_CertificateType PEM
> 			EAPTLS_PrivateKeyFile C:/Program Files/Radiator/Oldcert/Oldcert.pem
> 			EAPTLS_PrivateKeyPassword xxxxx
> 			EAPTLS_MaxFragmentSize 1024
> 			AutoMPPEKeys
> 			SSLeayTrace 4
> 		</AuthBy>
> 	</AuthBy>
> 	AcctLogFileName	%L/detail
> 	AuthLog		eap-authlog
> </Handler>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
