(RADIATOR) EAP-TTLS, Proxy Radius, MAC Address and username/password authentication

Rodolfo Torrado rtorrado at enred.com
Tue Jun 21 15:10:42 CDT 2005


Hi people.

I'm running Radiator 3.6 over Windows 2000. The authentication process runs against SQL Server 8.

I'm trying to enable authentication for wireless clients that validates username/password and MAC address simultaneously. I need to encrypt the information between RADIUS and the clients.

For that reason I have installed a proxy RADIUS (Radiator 3.11) on Linux, which receives requests from our APs (ZyXEL G-3000). I defined WAP as the authentication method and EAP-TTLS as the EAPType.

I can see that the proxy sends a new RADIUS packet to my authentication server (Radiator on Win2k) that contains only the username and password.

I have tried to use some parameters like AuthenticateAttribute, NoEAP, RewriteUsername or AddToRequest to add attributes like Calling-Station-Id to the packet that is sent through the TunnelledByTTLS handler, but in no case can I see the Calling-Station-Id (in this case the client MAC address) in my real authenticator.

My question is: how can I send the MAC address through the TunnelledByTTLS handler in order to authenticate clients by username/password and MAC address? Is it possible?



The config file for the proxy RADIUS (on Linux) is:
----------------------------------------------
#Foreground
#LogStdout
LogDir          /var/log/radiator
DbDir           /etc/radiator
# Use a lower trace level in production systems:
Trace           4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
        Secret xxxxxxx
        DupInterval 2
</Client>

# This handler intercepts the inner authentication requests and sends them to another
# server. The remote Radius server does not need to know anything about TTLS.
<Handler TunnelledByTTLS=1>
        <AuthBy RADIUS>
                Host xxxxxxxxx
                AuthPort 1645
                AcctPort 1646
                Secret xxxxxx
                NoForwardAccounting
                IgnoreAccounting
        </AuthBy>
</Handler>

<Handler>
        <AuthBy FILE>
                # Users must be in this file to get anywhere. In this example,
                # it requires an entry for 'anonymous', which is the username
                # in the outer requests
                Filename %D/users

                # EAPType sets the EAP type(s) that Radiator will honour.
                # Options are: MD5-Challenge, One-Time-Password
                # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
                # Multiple types can be comma separated. With the default (most
                # preferred) type given first
                EAPType TTLS

                # EAPTLS_CAFile is the name of a file of CA certificates
                # in PEM format. The file can contain several CA certificates
                # Radiator will first look in EAPTLS_CAFile then in
                # EAPTLS_CAPath, so there usually is no need to set both
                EAPTLS_CAFile /usr/share/ssl/certs/cacert.pem
                # EAPTLS_CAPath is the name of a directory containing CA
                # certificates in PEM format. The files each contain one
                # CA certificate. The files are looked up by the CA
                # subject name hash value
#               EAPTLS_CAPath

                # EAPTLS_CertificateFile is the name of a file containing
                # the server's certificate. EAPTLS_CertificateType
                # specifies the type of the file. Can be PEM or ASN1
                # defaults to ASN1
                EAPTLS_CertificateFile /usr/share/ssl/certs/cert-srv.pem
                EAPTLS_CertificateType PEM

                # EAPTLS_PrivateKeyFile is the name of the file containing
                # the server's private key. It is sometimes in the same file
                # as the server certificate (EAPTLS_CertificateFile)
                # If the private key is encrypted (usually the case)
                # then EAPTLS_PrivateKeyPassword is the key to decrypt it
                EAPTLS_PrivateKeyFile /usr/share/ssl/certs/cert-srv.pem
                EAPTLS_PrivateKeyPassword xxxxxxxx

                # EAPTLS_RandomFile is an optional file containing
                # randomness
#               EAPTLS_RandomFile /usr/share/ssl/certs/random

                # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
                # size that will be replied by Radiator. It must be small
                # enough to fit in a single Radius request (ie less than 4096)
                # and still leave enough space for other attributes
                # Aironet APs seem to need a smaller MaxFragmentSize
                # (eg 1024) than the default of 2048. Others need even smaller sizes.
                EAPTLS_MaxFragmentSize 1000

                # EAPTLS_DHFile if set specifies the DH group file. It
                # may be required if you need to use ephemeral DH keys.
#               EAPTLS_DHFile %D/certificates/dh
                # Some clients, depending on their configuration, may require
                # MPPE send and receive keys. This _will_ be required if you select
                # 'Keys will be generated automatically for data privacy'
                # in the client Network Properties dialog.
                # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
                # in the final Access-Accept
                AutoMPPEKeys

                # You can enable some warning messages from the Net::SSLeay
                # module by setting SSLeayTrace to an integer from 1 to 4
                # 1=ciphers, 2=trace, 3=dump data
                SSLeayTrace 2

                # You can configure the User-Name that will be used for the inner
                # authentication. Defaults to 'anonymous'. This can be useful
                # when proxying the inner authentication. If there is a realm, it can
                # be used to choose a local Realm to handle the inner authentication.
                #EAPAnonymous xxxxxx
        </AuthBy>
</Handler>



And this is part of the log file (this sample shows a RewriteUsername to capital letters):
------------------------------
Mon Jun 20 18:46:52 2005: DEBUG: Packet dump:
*** Received from 200.106.139.18 port 1027 ....
Code:       Access-Request
Identifier: 12
Authentic:  <201><157>w<147>S<214><180>8<14><30><187><141>'<230><24>7
Attributes:
        User-Name = "Anonymous"
        NAS-IP-Address = 10.1.6.113
        NAS-Identifier = "villacampestre"
        Framed-MTU = 1496
        Called-Station-Id = "00-a0-c5-ef-bf-63:WiPOP-VC2"
        Calling-Station-Id = "00-a0-c5-b5-df-c0"
        NAS-Port-Type = Wireless-IEEE-802-11
        EAP-Message = <2><13><0>?<21><128><0><0><0>5<23><3><1><0>0!<224>#<135><7><144>9'+<241><184>,<182><28><197><233><186><236><168><209>?0<137>B<235>@g<127><187>g<23>L<193><147><144>^<201><14><24><254>2_}_<9><235><11>)
        Message-Authenticator = <224><16><148><26>X<235>0p<141><136><202>?4<215>D<246>

Mon Jun 20 18:46:52 2005: DEBUG: Handling request with Handler ''
Mon Jun 20 18:46:52 2005: DEBUG: Rewrote user name to ANONYMOUS
Mon Jun 20 18:46:52 2005: DEBUG:  Deleting session for Anonymous, 10.1.6.113,
Mon Jun 20 18:46:52 2005: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 20 18:46:52 2005: DEBUG: Handling with EAP: code 2, 13, 63
Mon Jun 20 18:46:52 2005: DEBUG: Response type 21
Mon Jun 20 18:46:52 2005: DEBUG: EAP TTLS data, 3, 13, 12
Mon Jun 20 18:46:52 2005: DEBUG: EAP TTLS inner authentication request for ajem
Mon Jun 20 18:46:52 2005: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  '<248><178>><135><249><156><181>vw<24>gXQ<156><3>
        User-Password = "1234"

Mon Jun 20 18:46:52 2005: DEBUG: Handling request with Handler 'TunnelledByTTLS=1'
Mon Jun 20 18:46:52 2005: DEBUG:  Deleting session for xxxxx, 10.1.6.113,
Mon Jun 20 18:46:52 2005: DEBUG: Handling with Radius::AuthRADIUS
Mon Jun 20 18:46:52 2005: DEBUG: AuthBy RADIUS creates new local socket '0.0.0.0' for sending requests
Mon Jun 20 18:46:52 2005: DEBUG: Packet dump:
*** Sending to 200.75.33.20 port 1645 ....
Code:       Access-Request
Identifier: 1
Authentic:  '<248><178>><135><249><156><181>vw<24>gXQ<156><3>
Attributes:
        User-Name = "xxxxx"
        User-Password = "ae<143><247><137>S<199>9<168><224>X<246><18><197><160>Q"

Mon Jun 20 18:46:52 2005: DEBUG: EAP result: 2, EAP TTLS inner authentication redespatched to a Handler
Mon Jun 20 18:46:53 2005: DEBUG: Packet dump:
*** Received from 200.75.33.20 port 1645 ....
Code:       Access-Accept
Identifier: 1
Authentic:  <6><220><208><189>?<171><139><221><228><161><254>?<189><25>9i
Attributes:
        Service-Type = Framed-User
        Framed-MTU = 1500
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Slipstream-Auth = "true"

Mon Jun 20 18:46:53 2005: DEBUG: Received reply in AuthRADIUS for req 1 from 200.75.33.20:1645
Mon Jun 20 18:46:53 2005: DEBUG: Access accepted for ajem
Mon Jun 20 18:46:53 2005: DEBUG: Access accepted for ANONYMOUS
Mon Jun 20 18:46:53 2005: DEBUG: Packet dump

Thanks in advance.

Regards.

Rodolfo Torrado
EnRed Comunicaciones S.A.

A man's strength does not lie in believing he can do everything.
It lies in recognizing that with God all things are possible.
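As an added example (not part of the post above or of Radiator itself), the following Python script parses the trace-4 "Packet dump" blocks of the kind quoted in the log and reports which outbound Access-Requests leave the proxy without a Calling-Station-Id. That is the quickest way to confirm from the log exactly which attributes the inner, proxied request carries before changing the configuration. The embedded log is a constructed, trimmed excerpt of the dump above.

```python
import re

# Constructed, trimmed excerpt of the Radiator debug log quoted in the post.
SAMPLE_LOG = """\
Mon Jun 20 18:46:52 2005: DEBUG: Packet dump:
*** Received from 200.106.139.18 port 1027 ....
Code:       Access-Request
Attributes:
        User-Name = "Anonymous"
        NAS-IP-Address = 10.1.6.113
        Calling-Station-Id = "00-a0-c5-b5-df-c0"
Mon Jun 20 18:46:52 2005: DEBUG: Packet dump:
*** Sending to 200.75.33.20 port 1645 ....
Code:       Access-Request
Attributes:
        User-Name = "xxxxx"
        User-Password = "ae<143>S"
Mon Jun 20 18:46:53 2005: DEBUG: Packet dump:
*** Received from 200.75.33.20 port 1645 ....
Code:       Access-Accept
Attributes:
        Service-Type = Framed-User
"""

HEADER = re.compile(r'^\*\*\* (Received from|Sending to) (\S+) port (\d+)')
ATTR = re.compile(r'^\s+([\w-]+) = (.*)$')

def parse_packet_dumps(log):
    """Split a Radiator packet-dump log into dicts: direction, peer, code, attrs."""
    packets, cur = [], None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:  # a new dump starts with the '*** Received from / Sending to' line
            cur = {'direction': 'in' if m.group(1).startswith('Received') else 'out',
                   'peer': f'{m.group(2)}:{m.group(3)}', 'code': None, 'attrs': {}}
            packets.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith('Code:'):
            cur['code'] = line.split(':', 1)[1].strip()
            continue
        m = ATTR.match(line)  # indented 'Name = value' attribute lines
        if m:
            cur['attrs'][m.group(1)] = m.group(2).strip('"')
    return packets

def requests_missing(packets, attr='Calling-Station-Id'):
    """Peers of outbound Access-Requests that do not carry the given attribute."""
    return [p['peer'] for p in packets
            if p['direction'] == 'out' and p['code'] == 'Access-Request'
            and attr not in p['attrs']]
```

Running `requests_missing(parse_packet_dumps(SAMPLE_LOG))` on the sample reports the request sent to the Windows authenticator, matching the observation that only User-Name and User-Password reach it.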