(RADIATOR) rewriteusername and mschapv2

José María Fernández chema at uniovi.es
Fri Jun 16 06:32:31 CDT 2006


Hi from University of Oviedo,

Until now we have been authenticating in the default handler, using the
following sequence:

Authby LDAP (to retrieve user attributes)
Authby LSA (to authenticate the user)

We are supporting EAP-TTLS and EAP-PEAP with MSCHAP-V2.

Now we have to provide service to several different realms, but when we
try to rewrite the username John at uniovi.es to John (stripping the
realm), the user can no longer be validated with MSCHAPV2. Any suggestions?


Thanks in advance,

Jose Maria Fernandez
Servicio de Informatica
Universidad de Oviedo

Our radius.cfg looks like this:
______________________________________________________________________________
# $Id: radius.cfg,v 1.3 2005/06/20 20:00:10 chema Exp $

# Global server settings. Foreground + LogStdout keep the server attached to
# the console and send the log there as well as to LogDir.
Foreground
LogStdout
LogDir        c:/Program Files/Radiator
DbDir        c:/Program Files/Radiator
# Use a lower trace level in production systems: Trace 4 is the debug
# level and logs request/reply contents, which in this setup includes
# user names and per-request attributes going to stdout and the log file.
Trace         4

# Catch-all client: with no per-NAS <Client> clauses, any source address
# that knows this single shared secret is accepted as a RADIUS client.
# NOTE(review): prefer one <Client ip> clause (or a narrow range) per NAS
# so that the secret is not the only control on who can talk to the server.
<Client DEFAULT>
    Secret    XXXXXXXXXXXXXXXX
    # DupInterval 0 turns off duplicate-request detection for this client.
    DupInterval 0
# IgnoreAcctSignature skips verification of the Request Authenticator on
# Accounting-Requests, i.e. accounting records are accepted from anyone who
# can reach the server, without proof of knowing the secret. Keep it only
# for a specific NAS known to send bad signatures, in that NAS's own clause.
IgnoreAcctSignature
</Client>

# Session database in MySQL, referenced by the handlers below as SQLSession;
# used for the DefaultSimultaneousUse 1 check in LSAAuthentication.
# DBAuth is stored in clear in this file: restrict the file's permissions.
<SessionDatabase SQL>
    Identifier SQLSession
    DBSource    dbi:mysql:radius
    DBUsername    XXXXXXXXXXXXXXX
    DBAuth        XXXXXXXXXXXX
</SessionDatabase>


# Accounting-only AuthBy: records Accounting-Requests into ACCOUNTING.
# It is listed first in the default <Handler> and <Realm uniovi.es> with
# AuthByPolicy ContinueAlways, so authentication falls through to LSA.
<AuthBy SQL>
    Identifier SQLAccounting
    DBSource    dbi:mysql:radius
    DBUsername    XXXXXXXXXXXXXXX
    DBAuth        XXXXXXXXXXXX
      # Empty clause so that this AuthBy does not authenticate (accounting only).
    AuthSelect

    AccountingTable    ACCOUNTING
    AcctColumnDef    USERNAME,User-Name
    AcctColumnDef    TIME_STAMP,Timestamp,integer
    AcctColumnDef    ACCTSTATUSTYPE,Acct-Status-Type
    AcctColumnDef    ACCTDELAYTIME,Acct-Delay-Time,integer
    AcctColumnDef    ACCTINPUTOCTETS,Acct-Input-Octets,integer
    AcctColumnDef    ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
    AcctColumnDef    ACCTSESSIONID,Acct-Session-Id
    AcctColumnDef    ACCTSESSIONTIME,Acct-Session-Time,integer
    AcctColumnDef    ACCTTERMINATECAUSE,Acct-Terminate-Cause
    AcctColumnDef    NASIDENTIFIER,NAS-Identifier
    AcctColumnDef    NASPORT,NAS-Port,integer
    AcctColumnDef    FRAMEDIPADDRESS,Framed-IP-Address

    # NOTE(review): AcctFailedLogFileName and SQLRecoveryFile point at the
    # same file here - confirm both parameters are meant to share it.
    AcctFailedLogFileName c:/Program Files/Radiator/missedaccounting

    SQLRecoveryFile c:/Program Files/Radiator/missedaccounting
</AuthBy>

    # Outer EAP endpoint: terminates the PEAP / TTLS TLS tunnel. The inner,
    # tunnelled authentication is dispatched to the TunnelledByPEAP=1 and
    # TunnelledByTTLS=1 handlers below.
    <AuthBy LSA>
        Identifier LSAAuthentication
#        IgnoreAccounting
        DefaultSimultaneousUse 1
        EAPType PEAP, TTLS
        # NOTE(review): the CA path names "demoCA", which looks like the
        # demonstration CA shipped with Radiator. Supplicants can only detect
        # a rogue access point if they validate the server certificate against
        # a CA you control; issue the server cert from such a CA and deploy it.
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        # Certificate and private key live in the same PEM file.
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        # The key passphrase is in clear here and is trivial; it protects
        # nothing unless this file is itself tightly permissioned.
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        # Derive the MS-MPPE keys from the TLS session for the NAS.
        AutoMPPEKeys
        # SSL-library tracing; turn off in production.
        SSLeayTrace 1
        EAPAnonymous %U
    </AuthBy>

    # Inner authentication for EAP-TTLS (used by <Handler TunnelledByTTLS=1>).
    # NoEAP: this AuthBy does not run EAP itself; it checks the tunnelled
    # credentials as a plain request. No RewriteUsername here, so the inner
    # name reaches LSA with any realm the supplicant put in it.
    <AuthBy LSA>
        Identifier LSAInner
        NoEAP       
    </AuthBy>

    # Inner authentication for PEAP (used by <Handler TunnelledByPEAP=1>):
    # the tunnelled EAP-MSCHAP-V2 exchange is verified here.
    # NOTE(review): this is where stripping the realm breaks MSCHAPv2. In
    # MS-CHAP-V2 (RFC 2759, ChallengeHash) the peer mixes the user name it
    # sent into the challenge hash, so if the server verifies the NT-Response
    # using the rewritten name ("John" instead of "John@uniovi.es") the
    # response can no longer match and the user is rejected. Either make the
    # supplicant send the bare name inside the tunnel, or keep the original
    # name for the MS-CHAP-V2 computation and strip the realm only for the
    # account lookup - Radiator's manual documents UsernameMatchesWithoutRealm
    # for that purpose; confirm it is honoured by AuthBy LSA in your version.
    <AuthBy LSA>
        Identifier LSAInnerPEAP
        # 1) drop everything up to the last backslash (DOMAIN\user -> user)
        # 2) drop everything from the first '@' (user@realm -> user)
        RewriteUsername s/(.*)\\(.*)/$2/
        RewriteUsername s/^([^@]+).*/$1/
        EAPType MSCHAP-V2
    </AuthBy>


    # Attribute-fetch only: NoCheckPassword means this AuthBy never verifies
    # a password, it just looks the user up by sAMAccountName and copies
    # UOPerfil into the Class reply attribute. The real check is done by the
    # AuthBy LSA that follows it in each handler.
    # NOTE(review): the bind DN is an administrator account. A read-only
    # service account with access to just the attributes needed is enough
    # here, and AuthPassword is stored in clear in this file.
    <AuthBy LDAP2>
        Identifier LDAPAttributes
        # Plain LDAP to localhost; no TLS parameters are set, which is only
        # acceptable while the directory really is on the same host.
        Host        localhost
        AuthDN    cn=Administrador,cn=XXXXXX,dc=XXXXXXXX,dc=uniovi,dc=es
        AuthPassword    XXXXXXXXXX
        BaseDN    dc=XXXXXXXXX,dc=uniovi,dc=es
        UsernameAttr    sAMAccountName
        NoCheckPassword
        AuthAttrDef UOPerfil,Class,reply
    #    Debug 255
        Version 3
        NoEAP
    </AuthBy>

# Flat-file user list, last in both tunnelled handlers (policy
# ContinueWhileAccept). Whether a user missing from this file ends up
# rejected after LSA has already accepted depends on the file's contents
# (e.g. a DEFAULT entry) - confirm that is the intended behaviour.
<AuthBy FILE>
    Identifier fichero
        Filename c:/Program Files/Radiator/usuario
    </AuthBy>



#<StatsLog FILE>
#    Interval 2
#    Filename -
#    Format %0:%1:%2:%23:%6:%3:%5
#    Header
#</StatsLog>

# Remote management interface. With TraceOnly left commented out, a Monitor
# login can read statistics, get and set configuration and restart the
# server, so treat Username/Password as administrator credentials. Keep
# Clients limited to the management host(s) and, if BindAddress includes a
# routable address, remember the Monitor session itself is plain TCP.
<Monitor>
    # Specifies the TCP port to use. Defaults to 9048
    #Port  7777
    #Port %{GlobalVar:monitorport}
    BindAddress XXXXXXXXXXXXX, 127.0.0.1
    Username XXXXXXX
    Password XXXXXXX

    # IF you set TraceOnly, connections through this Monitor are
    # prevented from getting statistics, or getting or setting
    # configuration data, or restarting the server
    # TraceOnly

    # Clients let you specify which clients you will accept connects from
    # You can specify one or more comma or space separated IP addresses
    Clients XXXXXXXXXXXXXXXXXXXXXXXXXX

</Monitor>

# Inner (tunnelled) side of PEAP. Order matters: LDAPAttributes (no
# password check) adds reply attributes, LSAInnerPEAP verifies the
# EAP-MSCHAP-V2 response, then fichero is consulted. With
# ContinueWhileAccept the chain stops at the first AuthBy that does not
# accept, so a reject from any of the three is final.
<Handler TunnelledByPEAP=1>
    AuthByPolicy ContinueWhileAccept
    AuthBy LDAPAttributes
    AuthBy LSAInnerPEAP
AuthBy fichero
</Handler>

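# Inner (tunnelled) side of EAP-TTLS. LDAPAttributes (no password check)
# adds reply attributes, LSAInner verifies the tunnelled credentials, then
# fichero is consulted; ContinueWhileAccept stops at the first non-accept.
<Handler TunnelledByTTLS=1>
    AuthByPolicy ContinueWhileAccept
    AuthBy LDAPAttributes
    AuthBy LSAInner
    AuthBy fichero
    # Re-joined onto one line: the mail client had wrapped this path across
    # two lines, which Radiator would not read as a single directive.
    PostProcessingHook file:"c:/Program Files/Radiator/eap_acct_username.pl"
</Handler>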

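# Catch-all handler: every request not matched by <Realm uniovi.es> lands
# here, including the outer EAP legs and any non-EAP requests.
# NOTE(review): the two RewriteUsername lines strip a DOMAIN\ prefix and
# then everything from the first '@', so a name such as john@any.other.realm
# is checked against the local account "john" by AuthBy LSA. If this server
# is to serve several realms, match them explicitly (<Realm x> or
# <Handler Realm=...>) and strip only the realms you own; unknown realms
# should be proxied or rejected rather than collapsed onto local accounts.
<Handler>
    AuthByPolicy ContinueAlways
    RewriteUsername s/(.*)\\(.*)/$2/
    RewriteUsername s/^([^@]+).*/$1/
    AcctLogFileName  %L/accounting_%h_%Y%m
    AuthBy SQLAccounting
    AuthBy LSAAuthentication
    SessionDatabase SQLSession
    # Re-joined onto one line: the mail client had wrapped this commented-out
    # hook across two lines, leaving a stray un-commented fragment.
#    PostProcessingHook file:"c:/Program Files/Radiator/eap_acct_username.pl"
</Handler>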

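# Explicit handler for the home realm. Unlike the default <Handler> it does
# not rewrite User-Name, so the realm part reaches AuthBy LSA unchanged -
# confirm that is what LSAAuthentication expects for uniovi.es users.
<Realm uniovi.es>
    AuthByPolicy ContinueAlways
    AcctLogFileName  %L/accounting_%h_%Y%m
    AuthBy SQLAccounting
    AuthBy LSAAuthentication
    SessionDatabase SQLSession
    # Re-joined onto one line: the mail client had wrapped this commented-out
    # hook across two lines, leaving a stray un-commented fragment.
#    PostProcessingHook file:"c:/Program Files/Radiator/eap_acct_username.pl"
</Realm>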
