(RADIATOR) adding tests for specific NASs in PEAP to an existing EAP-TTLS setup

Hugh Irvine hugh at open.com.au
Mon Aug 28 17:50:46 CDT 2006


Hello Jeff -

No it is not legal to change the Identifier in the Client clause.

Rather than use a PostAuthHook, you should use a PreHandlerHook and
you should add some other attribute to the request - you can use
OSC-AVPAIR for this purpose.


<Handler TunnelledByPEAP=1,OSC-AVPAIR=batty>
   RewriteUsername s/(.*)\\(.*)/$2/
   <AuthBy FILE>
      Filename %D/batty-users
   </AuthBy>
</Handler>

<Handler TunnelledByTTLS=1>
   AuthByPolicy ContinueWhileAccept
   <AuthBy GROUP>
...
   </AuthBy>
   PostAuthHook file:"%D/insidepostauthhook.pl"
   AddToReply User-Name = %u
   AcctLogFileName %L/wpa.detail
</Handler>

<Handler Client-Identifier=wpa>
   RewriteUsername s/^.*\\//
   AuthByPolicy ContinueWhileReject
   <AuthBy FILE>
      EAPType TTLS,PEAP
...
   </AuthBy>
   PreHandlerHook file:"%D/do_extra_checks.pl"
   AcctLogFileName %L/wpa.detail
</Handler>


There are numerous example hooks in the file "goodies/hooks.txt".

regards

Hugh
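A PreHandlerHook of the shape Hugh describes, as an added example (not code from either post or from Radiator itself): it checks the SSID, the access point, the client MAC and the user name and, only when all of them match, adds OSC-AVPAIR=batty so that the PEAP Handler above is selected. The Called-Station-Id format ("AP-MAC:SSID"), the allowed values, the user-name pattern and the mapping of this body to %D/do_extra_checks.pl are assumptions.

```perl
# do_extra_checks.pl -- PreHandlerHook body (added example, not from the posts above).
# Radiator calls the hook with one argument, a reference to the request packet,
# so $$p is the Radius::Radius object; the hook file holds just this anonymous sub.
sub {
    my ($p) = @_;

    # Constructed policy values (assumptions; replace with your own):
    #  - Called-Station-Id is assumed to be "AP-MAC:SSID" as 802.1X APs usually send it
    #  - user names arrive as "DOMAIN\user" or bare "user" (cf. the RewriteUsername above)
    my %allowed_ap   = map { $_ => 1 } ('00-11-22-33-44-55', '00-11-22-33-44-66');
    my $allowed_ssid = 'batty-wifi';
    my %allowed_mac  = map { $_ => 1 } ('aa-bb-cc-dd-ee-01', 'aa-bb-cc-dd-ee-02');
    my $user_re      = qr/^(?:[^\\]+\\)?batty\d+$/i;

    # Fetch attributes defensively: a missing attribute must fail the test, not die.
    my $attr = sub { my $v = $$p->get_attr($_[0]); defined $v ? $v : '' };
    my $called  = $attr->('Called-Station-Id');
    my $calling = $attr->('Calling-Station-Id');
    my $user    = $attr->('User-Name');

    # Normalise MACs to "aa-bb-cc-dd-ee-ff": NASs use ':', '-', '.' or no separator.
    my $norm_mac = sub {
        my $m = lc shift; $m =~ s/[^0-9a-f]//g;
        return join('-', ($m =~ /../g));
    };

    # Split the AP MAC from the SSID; anything not in the expected form matches nothing.
    my ($ap_mac, $ssid) = ('', '');
    if ($called =~ /^([0-9A-Fa-f]{2}(?:[-:.]?[0-9A-Fa-f]{2}){5})(?::(.*))?$/) {
        ($ap_mac, $ssid) = ($norm_mac->($1), defined $2 ? $2 : '');
    }

    my $ok = $allowed_ap{$ap_mac}
          && $ssid eq $allowed_ssid
          && $allowed_mac{$norm_mac->($calling)}
          && $user =~ $user_re;

    if ($ok) {
        # Tag the request; <Handler TunnelledByPEAP=1,OSC-AVPAIR=batty> can now match it.
        $$p->add_attr('OSC-AVPAIR', 'batty');
        &main::log($main::LOG_DEBUG,
            "do_extra_checks: tagged $user from $calling on $ssid as batty", $$p);
    } else {
        &main::log($main::LOG_DEBUG,
            "do_extra_checks: extra checks did not match for $user", $$p);
    }
    return;
}
```

Requests that fail any check are left untouched and fall through to the existing TTLS/PEAP Handlers unchanged.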


On 29 Aug 2006, at 05:44, Jeff Minelli wrote:

> Currently, my Radiator setup is a fairly simple EAP-TTLS setup.
> What I would like to do is expand the config to include PEAP from
> only specific clients, access points, usernames and ssids.
>
> My current config is as such (simplified):
>
> ##################
> <Client 10.1.1.1>
>   Identifier wpa
>   Secret Blah
> </Client>
>
> <Handler TunnelledByTTLS=1>
>   AuthByPolicy ContinueWhileAccept
>   <AuthBy GROUP>
> ...
>   </AuthBy>
>   PostAuthHook file:"%D/insidepostauthhook.pl"
>   AddToReply User-Name = %u
>   AcctLogFileName %L/wpa.detail
> </handler>
>
> <Handler Client-Identifier=wpa>
>   RewriteUsername s/^.*\\//
>   AuthByPolicy ContinueWhileReject
>   <AuthBy FILE>
>     EAPType TTLS,PEAP
> ...
>   </AuthBy>
>   PostAuthHook file:"%D/postauthhook.pl"
>   AcctLogFileName %L/wpa.detail
> </handler>
> ##################
>
> What I would like to do is add a test to postauthhook.pl matching
> my requirements (ssid, username, calling and called stations). If
> everything matches I would like to rewrite ${$p}->{Client}->{Identifier}
> to "batty", exit gracefully from the current handler/hook and enter
> this one:
>
>  <Handler TunnelledByPEAP=1,Client-Identifier=batty>
>    RewriteUsername s/(.*)\\(.*)/$2/
>    <AuthBy FILE>
>      Filename %D/batty-users
>    </AuthBy>
>  </Handler>
>
> I think my primary questions are:
> 1. Is this the cleanest (or even proper) way to approach this?
> 2. Is it "legal" to rewrite the Identifier?
> 3. How would I gracefully bow out of the postauthhook.pl if I pass  
> my tests?
>
> Thanks,
>
> -jeff



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

