(RADIATOR) postauthhook questions

Hugh Irvine hugh at open.com.au
Mon Jan 23 16:42:58 CST 2006


Hello Wyman -

Your PostAuthHook will only be executed for the inner request of an EAP authentication.

What is shown in the trace 4 debug?

regards

Hugh


On 24 Jan 2006, at 05:24, Wyman Miles wrote:

> I recently changed our Radiator config to break out certain handlers by
> Client-Identifier.
>
> In the previous config, our call to postauthhook worked fine. The current
> config appears to ignore that handler entirely.
>
> Authentication works correctly, as does accounting and our preprochook.
>
> Also, is it correct that if I want to add multiple identical clients with
> Client-Identifier=RRSec, they'll have to be broken into multiple <Client>
> clauses for <Handler Client-Identifier=RRSec> to continue to work?
>
> Our config, sanitized of IP and secrets is below.
>
> Any ideas?
>
> - ------------ Forwarded Message ------------
> Date: Monday, January 23, 2006 1:30 PM -0500
> From: Wyman Miles <wm63 at agate3.cit.cornell.edu>
> To: wm63 at cornell.edu
> Subject:
>
> # Cornell Radiator config for 802.1x wireless
>
> AuthPort 1645,1812
> AcctPort 1646,1813
>
> # Foreground
> # LogStdout
> LogDir		 /var/log/radius
>
> DbDir		/etc/radiator
> # Use a lower trace level in production systems:
> Trace	2
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
>
> # not needed
>
> <Client a.b.c.d>
> 	Identifier NetVigil
> </Client>
>
> # RedRover-Secure NAS clients
> # Why so many, instead of just using "IdenticalClients" clauses?
> # because Radiator won't respect the Identifier clause, making
> # subsequent handlers impossible to sort out
> # *sigh*
>
> <Client e.f.g.3>
> 	Identifier RRSec
> 	DupInterval 0
> </Client>
> <Client e.f.g.4>
> 	Identifier RRSec
> 	DupInterval 0
> </Client>
>
> # for netvigil monitoring
> <Handler Client-Identifier=NetVigil>
> 	<AuthBy FILE>
> 		Filename	%D/netvigil
> 	</AuthBy>
> </Handler>
>
>
> # inner authentication request.
> # we'll pass this off to Kerberos for verification
>
> <Handler TunnelledByTTLS=1>
> 	AcctLogFileName %L/detail
> 	<AuthBy KRB5>
> 		Identifier cit.redrover.secure
> 		KrbRealm REALM
> 		AutoMPPEKeys
> 	</AuthBy>
> 	AddToReply User-Name = %u
> 	PostAuthHook file:"/opt/radiator/sbin/postauthhook"
> </Handler>
>
>
> # outer EAP authentication request
>
> <Handler Client-Identifier=RRSec>
> 	AcctLogFileName %L/detail
> 	PreProcessingHook file:"/opt/radiator/sbin/preprochook"
> 	<AuthBy FILE>
> 		Filename %D/users
>
> 		EAPType TTLS
>
> 		EAPTLS_CAFile %D/certificates/cacert.pem
>
> 		EAPTLS_CertificateFile %D/certificates/agate1.pem
> 		EAPTLS_CertificateType PEM
>
> 		EAPTLS_PrivateKeyFile %D/certificates/agate1.key
>
> 		EAPTLS_MaxFragmentSize 1000
>
> 		AutoMPPEKeys
> 	
> #		EAPAnonymous %0
>
> 		SSLeayTrace 1
> 	</AuthBy>
> 	<AuthBy KRB5>
> 		Identifier cit.redrover.secure
> 		KrbRealm REALM
> 		AutoMPPEKeys
> 	</AuthBy>
> </Handler>
>
>
> - ---------- End Forwarded Message ----------
>
>
>
> Wyman Miles
> Senior Security Engineer
> Cornell University, Ithaca, NY
> (607) 255-8421
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
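A PostAuthHook that records which request it was invoked for, so the trace 4 debug shows whether it fired on the outer EAP request or the tunnelled inner one. This is an added example, not part of Hugh's reply or Wyman's config; it assumes Radiator passes the hook references to the request, reply, result and reason (as documented for PostAuthHook), that the request object exposes get_attr and its Client via $req->{Client}, and that the inner request carries the TunnelledByTTLS pseudo-attribute the inner handler above matches on.

```perl
# Contents of a hook file loaded with: PostAuthHook file:"/path/to/postauthhook"
# Radiator evaluates the file and expects it to yield an anonymous sub.
# Constructed example: logs the request type, user, Client Identifier and result.
sub {
    # $p, $rp: references to request and reply packets;
    # $handled: reference to the result code; $reason: text explaining it.
    my ($p, $rp, $handled, $reason) = @_;
    my $req = $$p;

    # User-Name as seen by this handler (inner request carries the real identity).
    my $user = $req->get_attr('User-Name') || '(none)';

    # Identifier of the <Client> clause that matched this request, if any.
    # Assumption: the Client object is attached to the request as $req->{Client}.
    my $client = ($req->{Client} && $req->{Client}->{Identifier})
        ? $req->{Client}->{Identifier} : '(unknown)';

    # Assumption: inner TTLS requests carry TunnelledByTTLS=1, which is what
    # <Handler TunnelledByTTLS=1> matches on; outer requests do not.
    my $kind = $req->get_attr('TunnelledByTTLS') ? 'inner (tunnelled)' : 'outer';

    my $result = ($$handled == $main::ACCEPT) ? 'ACCEPT' : "not accepted ($$handled)";
    my $msg = "PostAuthHook: $kind request for $user via Client $client -> $result";
    $msg .= " ($reason)" if $reason;

    # Emit at INFO so it appears in the trace 4 debug output.
    &main::log($main::LOG_INFO, $msg, $req);
}
```

If the line only ever appears with "inner (tunnelled)", the hook is behaving as Hugh describes and belongs in the TunnelledByTTLS handler rather than the Client-Identifier one.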

