(RADIATOR) How to pass Reply-Message from inside to outside of PEAP tunnel?
Robin Breathe
rbreathe at brookes.ac.uk
Fri May 26 03:52:15 CDT 2006
Hugh Irvine wrote:
> I suggest you move the AUTHORIZE clause to the outer Handler:
>
> ...snip...
>
> Please let me know how you get on.
Hugh,
I had considered that option (and I have just tried it), but
unfortunately AUTHORIZE depends upon pseudo-attributes of the inner
request which are generated by hooks within the inner handler, so
basically the question again becomes how can I set a property of the
outer request within the inner request?
I've tried pushing attributes out using
${$_[0]}->{outerRequest}->set_attr() with (Pre|Post)AuthHooks in the
TunnelledByPEAP handler, but the attributes don't seem to be there when
I return to the outer handler.
If I can get inner to outer attribute passing working, then pushing
AUTHORIZE to the outer Handler is certainly the way to go!
Regards,
Robin
> On 26 May 2006, at 00:24, Robin Breathe wrote:
>
>> Hi,
>>
>> We're using Radiator for wireless 802.1X AAA with PEAP/EAP-MSCHAPv2.
>> Following authentication, we have an AuthBy SQL performing
>> authorization. One of our returned check items is an Auth-Type with the
>> column containing either "Accept" or "Reject:(reason)". We want to
>> return the (reason) to the client in the Reply-Message, but the
>> RejectHasReason option only seems to affect the inner handler. The outer
>> handler simply replies with the generic "PEAP Authentication Failure"
>> when RejectHasReason is set, and with "Request Denied" otherwise.
>>
>> Is there any way around this?
>>
>> The relevant section of our configuration:
>>
>> <AuthBy FILE>
>> Identifier Tunnel-Outer
>> EAPType PEAP,TTLS
>> EAPTLS_CAFile %{GlobalVar:oxCertDir}/cacert.crt
>> EAPTLS_CertificateFile %{GlobalVar:oxCertDir}/radius.crt
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile %{GlobalVar:oxCertDir}/radius.key
>> EAPTLS_MaxFragmentSize 1000
>> EAPTLS_PEAPVersion 1
>> # The following seems to fix Airport client with PEAP on 3com
>> EAPTLS_PEAPBrokenV1Label
>> EAPAnonymous anonymous@%R
>> AutoMPPEKeys
>> </AuthBy>
>> <Handler TunnelledByPEAP=1>
>> AuthByPolicy ContinueWhileAccept
>> AuthBy AUTHENTICATE
>> AuthBy AUTHORIZE
>> RejectHasReason
>> </Handler>
>> <Handler>
>> AuthBy Tunnel-Outer
>> RejectHasReason
>> </Handler>
--
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk Tel: +44 1865 483685 Fax: +44 1865 483073