(RADIATOR) AuthByPolicy ContinueUntilAccept problems
    Matthew Alexander
    mra4d at virginia.edu
    Wed Jun  7 22:45:43 CDT 2006

Thanks for the explanation Robin.  That clears things up a bit.  I'm able to 
RewriteUsername in a handler clause, because I don't have the same 
requirements as you - yet.  I suspect I'll be going over your messages on 
this list again in the future.
Matt
Matthew Alexander wrote:
> I'm curious as to why you would need the UsernameMatchesWithoutRealm
> flag. Why couldn't you just RewriteUsername?
>
> It looks like I am working on something very similar (PEAP EAP-MSCHAPv2
> machine + user auth via AuthBy NTLM).  I just used RewriteUsername to
> get rid of the realm.  Did you run into an issue that I can look forward
> to experiencing?
Matt,
My reasoning was pretty straightforward actually. We want to support
multiple EAP types: PEAP/EAP-MSCHAPv2 (e.g. Windows XP supplicant),
TTLS/EAP-MSCHAPv2 (e.g. SecureW2 supplicant) and TTLS/MSCHAPv2 (e.g. Mac
OS X supplicant). However, RewriteUsername in the AuthBy context doesn't
do what we expect when our inner authentication mechanism is
EAP-MSCHAPv2. I believe this is because it rewrites the User-Name
attribute, as set by EAPAnonymous, rather than the EAPIdentity which is
wrapped up in an EAP-Message. As a result, the following does what you
expect for TTLS/MSCHAPv2 but not for TTLS/EAP-MSCHAPv2 or PEAP/EAP-MSCHAPv2:
<AuthBy FILE>
        Identifier AUTH-EXT
        EAPType MSCHAP-V2
        # Want to authenticate "user" from "user@realm":
        RewriteUsername s/^([^@]*)@.*$/$1/
        Filename %D/users-ext
</AuthBy>
The same goes for all AuthBy types, we just happened to be using
AuthNTLM.pm, so that's the one I patched to support the
undocumented-but-used-elsewhere UsernameMatchesWithoutRealm flag.
I'll probably submit a similar patch for AuthFILE.pm shortly =)
We could have solved the problem another way, by using
EAP_PEAP_MSCHAP_Convert and another layer of indirection, but this
seemed "nasty", plus it complicated the straight MSCHAPv2 case.
Hope this helps,
Robin
-- 
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk       Tel: +44 1865 483685  Fax: +44 1865 483073
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
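To make the behaviour Robin describes concrete, here is an added Python model of the two cases; it is not Radiator code and was not posted to the list. It assumes, as Robin believes, that RewriteUsername in an AuthBy clause rewrites only the User-Name attribute, while an EAP-based inner method (EAP-MSCHAPv2) takes its identity from the EAP-Response/Identity carried in EAP-Message. The request dictionaries, the users-ext contents and the "anonymous@realm" outer identity are constructed for the example, and username_matches_without_realm is a guess at what the UsernameMatchesWithoutRealm flag does, not Radiator's implementation.

```python
"""Model of why RewriteUsername in an AuthBy does not reach the inner EAP identity.

Constructed illustration, not Radiator code: the requests, the users file and
the behaviour of the realm-insensitive match are assumptions for the example.
"""
import re
import struct

EAP_RESPONSE = 2        # EAP Code for a Response (RFC 3748, section 4)
EAP_TYPE_IDENTITY = 1   # EAP Type for Identity (RFC 3748, section 5.1)

# The RewriteUsername pattern from Robin's config, as a Python regex.
STRIP_REALM = re.compile(r"^([^@]*)@.*$")


def strip_realm(name):
    """Return 'user' for 'user@realm'; a name without '@' is returned unchanged."""
    return STRIP_REALM.sub(r"\1", name)


def build_eap_identity_response(identifier, identity):
    """Build an EAP-Response/Identity packet: Code, Identifier, Length, Type, data."""
    data = identity.encode("utf-8")
    header = struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY)
    return header + data


def parse_eap_identity(packet):
    """Extract the identity from an EAP-Response/Identity, checking the header first."""
    if len(packet) < 5:
        raise ValueError("short EAP packet")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return packet[5:].decode("utf-8")


def effective_username(request):
    """Username the AuthBy ends up authenticating.

    Assumption (Robin's reading of the problem): RewriteUsername only touches
    User-Name, so an EAP inner method that takes its identity from EAP-Message
    never sees the rewritten value.
    """
    rewritten = strip_realm(request["User-Name"])
    if "EAP-Message" in request:
        return parse_eap_identity(request["EAP-Message"])   # rewrite not applied here
    return rewritten


def username_matches_without_realm(candidate, entry):
    """Realm-insensitive comparison; assumed model of UsernameMatchesWithoutRealm."""
    return strip_realm(candidate) == strip_realm(entry)


def authenticate(request, users, match_without_realm=False):
    """Look the effective username up in the (constructed) users-ext entries."""
    name = effective_username(request)
    if match_without_realm:
        return any(username_matches_without_realm(name, u) for u in users)
    return name in users


USERS_EXT = {"user"}   # constructed %D/users-ext contents: bare usernames only

# TTLS/MSCHAPv2 (Mac OS X style): the inner request carries a plain User-Name.
TTLS_MSCHAP = {"User-Name": "user@realm"}

# PEAP or TTLS with EAP-MSCHAPv2: the outer User-Name is the anonymous identity
# (constructed value) and the real identity travels inside EAP-Message.
PEAP_EAP_MSCHAP = {
    "User-Name": "anonymous@realm",
    "EAP-Message": build_eap_identity_response(1, "user@realm"),
}

if __name__ == "__main__":
    print(effective_username(TTLS_MSCHAP))                                   # user
    print(effective_username(PEAP_EAP_MSCHAP))                               # user@realm
    print(authenticate(TTLS_MSCHAP, USERS_EXT))                              # True
    print(authenticate(PEAP_EAP_MSCHAP, USERS_EXT))                          # False
    print(authenticate(PEAP_EAP_MSCHAP, USERS_EXT, match_without_realm=True))  # True
```

The TTLS/MSCHAPv2 request succeeds because the realm is stripped from User-Name before the file lookup; the EAP-MSCHAPv2 request fails with the same AuthBy because "user@realm" from the EAP identity is looked up unchanged, and only the realm-insensitive comparison rescues it, which is the gap Robin's patch addresses.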