(RADIATOR) AuthByPolicy ContinueUntilAccept problems

Robin Breathe rbreathe at brookes.ac.uk
Sat May 27 05:03:32 CDT 2006


On 27 May 2006, at 05:49, Hugh Irvine wrote:
> Why not do the Realm check in the Handlers?

We need to authenticate users based upon the outer-realm and the  
inner-username. The problem becomes passing the outer-realm to the  
TunnelledBy.... Handler. In the EAP case, we can use "EAPAnonymous  
anonymous@%R" in AuthBy TUNNEL and follow your suggestion (this is  
what we did initially). Unfortunately this breaks down with non-EAP  
inner authentication methods (e.g. TTLS/MSCHAPv2), thus my somewhat  
convoluted attempt at choosing an appropriate AuthBy via a sequence  
of AuthBy GROUP and INTERNAL clauses.
We need to pick the inner handler based upon the outer Realm.

> <Handler Realm = cis.brookes.ac.uk, TunnelledByPEAP=1>
>     ....
> </Handler>
>
> <Handler Realm = cis.brookes.ac.uk, TunnelledByTTLS=1>
>     ....
> </Handler>
>
> <Handler>
>     AuthByPolicy ContinueWhileAccept
>     AuthBy TUNNEL
>     AuthBy AUTHORIZE
>     StripFromReply Inner-User,Inner-Realm,Outer-User,Outer-Realm
> </Handler>

> I'm afraid I don't understand what exactly you are wanting to do so  
> it makes it a bit hard to make sensible suggestions.

I can appreciate that :)
The crux of the issue is this section:

>> <AuthBy GROUP>
>>     Identifier AUTHENTICATE
>>     AuthByPolicy ContinueUntilAccept
>>     AuthBy AUTH-CIS
>>     AuthBy AUTH-DEFAULT
>> </AuthBy>

We don't want the AUTH-DEFAULT AuthBy to be called unless AUTH-CIS  
returns something other than Access-Accept. In the non-EAP case, the  
logic works perfectly. But in the EAP case, both initiate MSCHAP-V2  
challenges, and AUTH-DEFAULT runs even after AUTH-CIS has returned  
Access-Accept - seemingly violating the "ContinueUntilAccept" logic.

Is there a hook we could use to modify the User-Name in the inner  
request before it reaches the "Realm=...,TunnelledBy...." Handlers,  
while leaving the original request untouched?

Best regards,
Robin
--
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk                          Tel: +44 (0)1865 483685
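As an added illustration (not Radiator code, and not from the original post), the model below walks an AuthBy chain under the two AuthByPolicy values named in the thread and shows why the second AuthBy can run during an EAP conversation even though it would not for a one-round PAP request. The semantics are an assumption taken from the policy names as read literally: ContinueUntilAccept keeps going until one AuthBy returns Accept, ContinueWhileAccept keeps going only while AuthBys return Accept, and an in-progress MSCHAPv2 round yields a Challenge, which is neither. The backends, user names, passwords and the `AUTH-CIS`/`AUTH-DEFAULT` chain are constructed for the example; whether Radiator itself treats a Challenge specially under these policies is not established on the page.

```python
"""Toy model of walking an AuthBy chain under an AuthByPolicy.

Added example only: this is NOT Radiator's implementation.  The policy
semantics are assumed from the policy names, and the backends and request
attributes below are constructed sample data.
"""
from enum import Enum


class Result(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    IGNORE = "Ignore"
    CHALLENGE = "Access-Challenge"  # an EAP/MSCHAPv2 round that is not finished yet


def run_chain(policy, authbys, request):
    """Walk `authbys` (a list of (name, callable)) under `policy`.

    Returns (final_result, names_of_authbys_that_ran).  Assumed semantics:
    ContinueUntilAccept stops at the first ACCEPT; ContinueWhileAccept stops
    at the first result that is not ACCEPT.  A CHALLENGE is not an ACCEPT
    under either reading, so it does not stop ContinueUntilAccept.
    """
    ran = []
    result = Result.IGNORE
    for name, fn in authbys:
        result = fn(request)
        ran.append(name)
        if policy == "ContinueUntilAccept" and result is Result.ACCEPT:
            break
        if policy == "ContinueWhileAccept" and result is not Result.ACCEPT:
            break
    return result, ran


def make_backend(passwords):
    """Constructed AuthBy: one-round PAP check, or a two-round MSCHAPv2-style
    exchange that challenges first and only accepts once a response arrives."""
    def authby(req):
        user = req.get("User-Name")
        if user not in passwords:
            return Result.REJECT
        if "User-Password" in req:                       # PAP: decided in one round
            return Result.ACCEPT if req["User-Password"] == passwords[user] else Result.REJECT
        if "MS-CHAP2-Response" not in req:               # EAP round 1: issue a challenge
            return Result.CHALLENGE
        return Result.ACCEPT if req["MS-CHAP2-Response"] == "ok" else Result.REJECT
    return authby


# Constructed user databases; 'alice' is known to both backends.
AUTH_CIS = make_backend({"alice": "s3cret"})
AUTH_DEFAULT = make_backend({"alice": "other", "bob": "pw"})
CHAIN = [("AUTH-CIS", AUTH_CIS), ("AUTH-DEFAULT", AUTH_DEFAULT)]


def scenarios():
    """Run the constructed chain over a PAP request and both EAP rounds."""
    pap = {"User-Name": "alice", "User-Password": "s3cret"}
    eap_round1 = {"User-Name": "alice"}                           # no response yet
    eap_round2 = {"User-Name": "alice", "MS-CHAP2-Response": "ok"}  # response present
    return {
        "pap_until": run_chain("ContinueUntilAccept", CHAIN, pap),
        "eap1_until": run_chain("ContinueUntilAccept", CHAIN, eap_round1),
        "eap2_until": run_chain("ContinueUntilAccept", CHAIN, eap_round2),
        "eap1_while": run_chain("ContinueWhileAccept", CHAIN, eap_round1),
    }


if __name__ == "__main__":
    for name, (result, ran) in scenarios().items():
        print(f"{name:11s} -> {result.value:16s} ran: {', '.join(ran)}")
```

Under the assumed semantics the PAP request stops at AUTH-CIS, but the first EAP round returns a Challenge from AUTH-CIS, so ContinueUntilAccept moves on and AUTH-DEFAULT starts its own challenge as well; ContinueWhileAccept stops after the first non-Accept instead. Which of these matches Radiator's real behaviour for Challenge results is a question for its documentation or source, not something this model settles.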

