(RADIATOR) AuthByPolicy ContinueUntilAccept problems

Robin Breathe rbreathe at brookes.ac.uk
Wed Jun 7 12:26:57 CDT 2006


Matthew Alexander wrote:
> I'm curious as to why you would need the UsernameMatchesWithoutRealm
> flag. Why couldn't you just RewriteUsername?
> 
> It looks like I am working on something very similar (PEAP EAP-MSCHAPv2
> machine + user auth via AuthBy NTLM).  I just used RewriteUsername to
> get rid of the realm.  Did you run into an issue that I can look forward
> to experiencing?

Matt,

My reasoning was pretty straightforward actually. We want to support
multiple EAP types: PEAP/EAP-MSCHAPv2 (e.g. Windows XP supplicant),
TTLS/EAP-MSCHAPv2 (e.g. SecureW2 supplicant) and TTLS/MSCHAPv2 (e.g. Mac
OS X supplicant). However, RewriteUsername in the AuthBy context doesn't
do what we expect when our inner authentication mechanism is
EAP-MSCHAPv2. I believe this is because it rewrites the User-Name
attribute, as set by EAPAnonymous, rather than the EAPIdentity which is
wrapped up in an EAP-Message. As a result, the following does what you
expect for TTLS/MSCHAPv2 but not for TTLS/EAP-MSCHAPv2 or PEAP/EAP-MSCHAPv2:

<AuthBy FILE>
        Identifier AUTH-EXT
        EAPType MSCHAP-V2
        # Want to authenticate "user" from "user@realm":
        RewriteUsername s/^([^@]*)@.*$/$1/
        Filename %D/users-ext
</AuthBy>

The same goes for all AuthBy types; we just happened to be using
AuthNTLM.pm, so that's the one I patched to support the
undocumented-but-used-elsewhere UsernameMatchesWithoutRealm flag.
I'll probably submit a similar patch for AuthFILE.pm shortly =)

We could have solved the problem another way, by using
EAP_PEAP_MSCHAP_Convert and another layer of indirection, but this
seemed "nasty", plus it complicated the straight MSCHAPv2 case.

Hope this helps,
Robin
-- 
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk       Tel: +44 1865 483685  Fax: +44 1865 483073
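As an added illustration (not code from the post or from Radiator), the following Python models the behaviour Robin describes: the RewriteUsername regex from the config above is applied to the outer User-Name attribute, while the identity actually checked against the user file is the inner EAP identity whenever one is carried in the EAP-Message. The request dicts, the "EAP-Identity" key and the match_without_realm flag are constructed assumptions for this model, not Radiator's own data structures or flag semantics.

```python
import re

# Perl-style "s/^([^@]*)@.*$/$1/" from the AuthBy FILE clause, as a Python regex.
# Radiator's RewriteUsername syntax is not parsed here; the pattern is hard-coded.
_STRIP_REALM = re.compile(r'^([^@]*)@.*$')


def rewrite_username(name):
    """Strip "@realm" from one identity string; names without "@" are unchanged."""
    return _STRIP_REALM.sub(r'\1', name)


# Constructed stand-in for %D/users-ext: usernames are stored without a realm.
USERS_EXT = {"user": "secret"}

# Constructed inner requests as an AuthBy clause would see them.
# TTLS/MSCHAPv2: the inner identity arrives directly as User-Name.
TTLS_MSCHAPV2 = {"User-Name": "user@realm"}
# PEAP/EAP-MSCHAPv2 (and TTLS/EAP-MSCHAPv2): User-Name holds the anonymous outer
# identity set by EAPAnonymous; the real identity is inside the EAP-Message.
# "EAP-Identity" is a hypothetical key standing in for that inner identity.
PEAP_EAP_MSCHAPV2 = {"User-Name": "anonymous@realm", "EAP-Identity": "user@realm"}


def authby_lookup(request, users, match_without_realm=False):
    """Return True if the identity that gets authenticated is found in users.

    Models the post's observation: RewriteUsername only touches the User-Name
    attribute, so for EAP inner methods the realm survives on the identity that
    is actually looked up. match_without_realm models the assumed effect of the
    UsernameMatchesWithoutRealm flag: compare the identity with its realm removed.
    """
    req = dict(request)
    req["User-Name"] = rewrite_username(req["User-Name"])   # RewriteUsername
    identity = req.get("EAP-Identity", req["User-Name"])    # what is authenticated
    if match_without_realm:
        identity = rewrite_username(identity)
    return identity in users


if __name__ == "__main__":
    print("TTLS/MSCHAPv2 with RewriteUsername:", authby_lookup(TTLS_MSCHAPV2, USERS_EXT))
    print("PEAP/EAP-MSCHAPv2 with RewriteUsername:", authby_lookup(PEAP_EAP_MSCHAPV2, USERS_EXT))
    print("PEAP/EAP-MSCHAPv2 matching without realm:",
          authby_lookup(PEAP_EAP_MSCHAPV2, USERS_EXT, match_without_realm=True))
```

Running it shows the plain MSCHAPv2 case succeeding after the rewrite while the EAP-MSCHAPv2 case fails until the comparison itself ignores the realm, which is the gap the patch in the post fills.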
