(RADIATOR) AuthByPolicy ContinueUntilAccept problems
Robin Breathe
rbreathe at brookes.ac.uk
Wed Jun 7 12:26:57 CDT 2006
Matthew Alexander wrote:
> I'm curious as to why you would need the UsernameMatchesWithoutRealm
> flag. Why couldn't you just RewriteUsername?
>
> It looks like I am working on something very similar (PEAP EAP-MSCHAPv2
> machine + user auth via AuthBy NTLM). I just used RewriteUsername to
> get rid of the realm. Did you run into an issue that I can look forward
> to experiencing?
Matt,

My reasoning was pretty straightforward actually. We want to support
multiple EAP types: PEAP/EAP-MSCHAPv2 (e.g. Windows XP supplicant),
TTLS/EAP-MSCHAPv2 (e.g. SecureW2 supplicant) and TTLS/MSCHAPv2 (e.g. Mac
OS X supplicant). However, RewriteUsername in the AuthBy context doesn't
do what we expect when our inner authentication mechanism is
EAP-MSCHAPv2. I believe this is because it rewrites the User-Name
attribute, as set by EAPAnonymous, rather than the EAPIdentity which is
wrapped up in an EAP-Message. As a result, the following does what you
expect for TTLS/MSCHAPv2 but not for TTLS/EAP-MSCHAPv2 or PEAP/EAP-MSCHAPv2:

<AuthBy FILE>
    Identifier AUTH-EXT
    EAPType MSCHAP-V2
    # Want to authenticate "user" from "user@realm":
    RewriteUsername s/^([^@]*)@.*$/$1/
    Filename %D/users-ext
</AuthBy>

The same goes for all AuthBy types; we just happened to be using
AuthNTLM.pm, so that's the one I patched to support the
undocumented-but-used-elsewhere UsernameMatchesWithoutRealm flag.
I'll probably submit a similar patch for AuthFILE.pm shortly =)

We could have solved the problem another way, by using
EAP_PEAP_MSCHAP_Convert and another layer of indirection, but this
seemed "nasty", plus it complicated the straight MSCHAPv2 case.

Hope this helps,
Robin
--
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk Tel: +44 1865 483685 Fax: +44 1865 483073
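As an added illustration (not code from the original post, and not Radiator's own Perl implementation), the Python sketch below models the distinction Robin describes: a constructed inner request whose User-Name carries the EAPAnonymous value while the real identity sits inside an EAP-Message attribute (an EAP Response/Identity packet). A RewriteUsername-style rule only edits User-Name, so the realm survives on the EAP identity; a UsernameMatchesWithoutRealm-style comparison instead drops the realm at match time. The request layout, `rewrite_username` and `matches_without_realm` are simplified assumptions for illustration, not Radiator's actual code.

```python
import re
import struct

# The RewriteUsername rule quoted in the post, translated to Python.
REALM_STRIP = re.compile(r"^([^@]*)@.*$")

def strip_realm(identity: str) -> str:
    """s/^([^@]*)@.*$/$1/ : keep only the part before the first '@'."""
    return REALM_STRIP.sub(r"\1", identity)

def build_eap_identity_response(eap_id: int, identity: str) -> bytes:
    """Constructed EAP Response/Identity: Code=2, Identifier, Length, Type=1, Type-Data (RFC 3748)."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data

def parse_eap_identity(eap: bytes) -> str:
    """Pull the identity back out of an EAP Response/Identity packet."""
    code, _eap_id, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != 2 or eap_type != 1 or length != len(eap):
        raise ValueError("not a well-formed EAP Response/Identity")
    return eap[5:length].decode()

def rewrite_username(request: dict) -> dict:
    """Model (assumption) of RewriteUsername inside an AuthBy clause: it edits
    User-Name only; the EAP-Message attribute is an opaque byte string to it."""
    out = dict(request)
    out["User-Name"] = strip_realm(out["User-Name"])
    return out

def matches_without_realm(presented: str, stored: str) -> bool:
    """Model (assumption) of the UsernameMatchesWithoutRealm behaviour the post
    describes: compare the identity with its realm dropped at match time."""
    return strip_realm(presented) == stored

# Constructed inner request, laid out as the post describes it: User-Name is
# the EAPAnonymous value, the real identity travels inside EAP-Message.
INNER_REQUEST = {
    "User-Name": "anonymous@realm",
    "EAP-Message": build_eap_identity_response(7, "user@realm"),
}

def identities_after_rewrite(request: dict) -> tuple:
    """(User-Name, EAP identity) as the AuthBy sees them after RewriteUsername."""
    rewritten = rewrite_username(request)
    return rewritten["User-Name"], parse_eap_identity(rewritten["EAP-Message"])
```

Running `identities_after_rewrite(INNER_REQUEST)` gives `("anonymous", "user@realm")`: the rewrite stripped the realm from User-Name but the identity an EAP-MSCHAPv2 inner method actually authenticates still carries it.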