(RADIATOR) postauthhook questions
Wyman Miles
wm63 at cornell.edu
Mon Jan 23 15:24:43 CST 2006
I recently changed our radiator config to break out certain handlers by
Client-Identifier.
In the previous config, our call to postauthhook worked fine. The current
config appears to ignore that handler entirely.
Authentication works correctly, as does accounting and our preprochook.
Also, is it correct that if I want to add multiple identical clients with
Client-Identifier=RRSec, they'll have to be broken into multiple <Client>
clauses for <Handler Client-Identifier=RRSec> to continue to work?
Our config, sanitized of IP and secrets is below.
Any ideas?
------------ Forwarded Message ------------
Date: Monday, January 23, 2006 1:30 PM -0500
From: Wyman Miles <wm63 at agate3.cit.cornell.edu>
To: wm63 at cornell.edu
Subject:
# Cornell Radiator config for 802.1x wireless
AuthPort 1645,1812
AcctPort 1646,1813
# Foreground
# LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 2

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
# not needed
<Client a.b.c.d>
    Identifier NetVigil
</Client>

# RedRover-Secure NAS clients
# Why so many, instead of just using "IdenticalClients" clauses?
# because Radiator won't respect the Identifier clause, making
# subsequent handlers impossible to sort out
# *sigh*
<Client e.f.g.3>
    Identifier RRSec
    DupInterval 0
</Client>
<Client e.f.g.4>
    Identifier RRSec
    DupInterval 0
</Client>

# for netvigil monitoring
<Handler Client-Identifier=NetVigil>
    <AuthBy FILE>
        Filename %D/netvigil
    </AuthBy>
</Handler>

# inner authentication request.
# we'll pass this off to Kerberos for verification
<Handler TunnelledByTTLS=1>
    AcctLogFileName %L/detail
    <AuthBy KRB5>
        Identifier cit.redrover.secure
        KrbRealm REALM
        AutoMPPEKeys
    </AuthBy>
    AddToReply User-Name = %u
    PostAuthHook file:"/opt/radiator/sbin/postauthhook"
</Handler>

# outer EAP authentication request
<Handler Client-Identifier=RRSec>
    AcctLogFileName %L/detail
    PreProcessingHook file:"/opt/radiator/sbin/preprochook"
    <AuthBy FILE>
        Filename %D/users
        EAPType TTLS
        EAPTLS_CAFile %D/certificates/cacert.pem
        EAPTLS_CertificateFile %D/certificates/agate1.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/agate1.key
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        # EAPAnonymous %0
        SSLeayTrace 1
    </AuthBy>
    <AuthBy KRB5>
        Identifier cit.redrover.secure
        KrbRealm REALM
        AutoMPPEKeys
    </AuthBy>
</Handler>
---------- End Forwarded Message ----------
Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
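The config in this post depends on Radiator's Handler selection rule: Handlers are tried in the order they appear and the first one whose check items all match the request takes it. The Python below is an added example, not Radiator code and not the poster's; it models that first-match dispatch for the Client and Handler clauses above, using constructed outer and inner (TunnelledByTTLS=1) requests, and records whether the PostAuthHook attached to the inner Handler actually runs. Two things in the model are assumptions about Radiator rather than facts from the post: that several Client clauses sharing one Identifier all satisfy the same Client-Identifier check, and that the inner TTLS request still carries the outer Client-Identifier when it is re-dispatched.

```python
# Model of Radiator-style first-match Handler dispatch (added example, not
# Radiator code). Attribute names mirror the posted config; the dispatch
# semantics are a simplification and the two points noted in the lead-in
# are assumptions.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Client:
    address: str
    identifier: str          # the <Client> clause's Identifier


@dataclass
class Handler:
    name: str
    checks: dict             # check items, e.g. {"Client-Identifier": "RRSec"}
    post_auth_hook: Optional[Callable[[dict, list], None]] = None

    def matches(self, req: dict) -> bool:
        # Every check item must equal the request attribute; extra attributes are ignored.
        return all(req.get(k) == v for k, v in self.checks.items())


def select_handler(handlers, req):
    """First Handler in file order whose check items all match, else None."""
    for h in handlers:
        if h.matches(req):
            return h
    return None


def handle(clients, handlers, nas_ip, req, trace):
    """Tag req with Client-Identifier from its Client clause, dispatch it, run the
    chosen Handler's PostAuthHook. Returns the Handler name (None if unmatched)."""
    client = next((c for c in clients if c.address == nas_ip), None)
    if client is None:
        trace.append(f"REJECT: no <Client> clause for {nas_ip}")
        return None
    req = {**req, "Client-Identifier": client.identifier}
    h = select_handler(handlers, req)
    if h is None:
        trace.append("no Handler matched; request ignored")
        return None
    trace.append(f"{h.name} took request for {req.get('User-Name')}")
    if h.post_auth_hook:
        h.post_auth_hook(req, trace)
    return h.name


def ttls_inner(outer_req):
    # Inner EAP-TTLS request as Radiator re-dispatches it: TunnelledByTTLS=1 is
    # set; keeping the outer NAS/client association is a modelling assumption.
    return {**outer_req, "TunnelledByTTLS": "1", "User-Name": "alice@REALM"}


def post_auth_hook(req, trace):
    trace.append(f"PostAuthHook ran for {req['User-Name']}")


# Constructed clients and handlers matching the posted clauses.
CLIENTS = [Client("a.b.c.d", "NetVigil"),
           Client("e.f.g.3", "RRSec"),
           Client("e.f.g.4", "RRSec")]
MONITOR = Handler("Handler Client-Identifier=NetVigil", {"Client-Identifier": "NetVigil"})
INNER = Handler("Handler TunnelledByTTLS=1", {"TunnelledByTTLS": "1"}, post_auth_hook)
OUTER = Handler("Handler Client-Identifier=RRSec", {"Client-Identifier": "RRSec"})


def run(handlers, nas_ip="e.f.g.4"):
    """Dispatch a constructed outer EAP request, then its tunnelled inner request.
    Returns (handler names in order, whether PostAuthHook ran, trace lines)."""
    trace = []
    outer = {"User-Name": "anonymous", "EAP-Message": "<TTLS start>"}
    names = [handle(CLIENTS, handlers, nas_ip, outer, trace),
             handle(CLIENTS, handlers, nas_ip, ttls_inner(outer), trace)]
    hook_ran = any(line.startswith("PostAuthHook") for line in trace)
    return names, hook_ran, trace


if __name__ == "__main__":
    for label, order in (("posted order", [MONITOR, INNER, OUTER]),
                         ("RRSec handler first", [MONITOR, OUTER, INNER])):
        names, hook_ran, trace = run(order)
        print(f"--- {label}: hook ran = {hook_ran}")
        print("\n".join(trace))
```

Under the model, with the Handlers in the posted order the inner request lands on `Handler TunnelledByTTLS=1` and its PostAuthHook fires; if the `Client-Identifier=RRSec` Handler were listed first, it would also match the inner request (which still carries Client-Identifier) and the hook on the TunnelledByTTLS Handler would never run. Checking which Handler the inner request is actually taken by, at a higher Trace level, is the first thing to verify when a hook appears to be ignored.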
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au