(RADIATOR) Multiple Logins Problem: 802.1X + PEAP + Radiator + Proxim AP-2000/AP-4000
Kheng Teong, Lim
ktlim at uberfusion.com
Thu Nov 30 21:40:10 CST 2006
Hi all,
I'm experiencing a problem, whereby users can log in multiple times from
different PCs using 802.1X with Radiator.
I have tried defining a SessionDatabase, and have also set the users
database to have a MAXLOGINS of 1.
The parameters however still don't seem to be honoured by Radiator and
Simultaneous-Use still seems to work (i.e. multiple logins).
Client: Windows XP SP1 (and above) using Microsoft 802.1X PEAP
Server: Linux O/S + MySQL + Radiator 3.13
Wireless Access Point: Proxim AP-2000 & Proxim AP-4000
===================================================================================================
I attached herewith below the radius.cfg I'm using:
# eap_peap.cfg
# $Id: eap_peap.cfg,v 1.11 2005/03/17 00:40:03 mikem Exp $
Trace 5
# Listen for authentication requests on port 1812 as per RFC 2138.
AuthPort 1645,1812
# Listen for accounting requests on port 1813 as per RFC 2139.
AcctPort 1646,1813
# For convenience, the LogDir directory name can be referred to as %L in
# any file name path in this configuration file.
LogDir /var/log/radiator
# For convenience, the DbDir directory name can be referred to as %D in
# any file name path in this configuration file.
DbDir /etc/radiator
# Log file goes in /var/log/radius, with year, month, day.
LogFile /var/log/radiator/%Y-%m-%d-radiator.log
# The name of the Radius dictionary file. The dictionary file defines the
# names to be used for Radius attributes and their values. The default is
# %D/dictionary, i.e. a file called "dictionary" in DbDir.
DictionaryFile %D/dictionary
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
    Secret [obscured]
    DupInterval 2
    NasType unknown
</Client>
<ClientListSQL>
    DBSource dbi:mysql:radmin:localhost
    DBUsername [obscured]
    DBAuth [obscured]
</ClientListSQL>
# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
    RejectHasReason
    # Windows XP when configured for a workgroup might send tunnelled user
    # names in the format COMPUTERNAME\username (eg BAKER\mikem). This
    # will strip the computer name leaving just the user name
    # RewriteUsername s/(.*)\\(.*)/$2/
    <AuthBy SQL>
        Identifier SUBSCRIBERS
        DBSource dbi:mysql:radmin:localhost
        DBUsername [obscured]
        DBAuth [obscured]
        Description Database to authenticate users
        NoDefault
        DefaultSimultaneousUse 1
        EAPType MSCHAP-V2
        AuthSelect select PASS_WORD, TIMELEFT, MAXLOGINS, VALIDFROM from RADUSERS where USERNAME=%0 and TIMELEFT > 0 and VALIDFROM < %t
        AuthColumnDef 0,User-Password,check
        AuthColumnDef 1,Session-Timeout,reply
        AuthColumnDef 2,Simultaneous-Use,check
    </AuthBy>
    # This hook fixes the problem with some implementations of PEAP, where the
    # accounting requests have the User-Name of anonymous, instead of the real
    # users name. After authenticating the inner TTLS request, the
    # PostAuthHook caches the _real_ user name in an SQL table,
    # The PreProcessingHook replaces the 'anonymous' user name in
    # accounting requests with the
    # real user name that was previously cached for the NAS and NAS-Port.
    # You can see the correct real User-Name logged in the AcctLogFileName
    # Must be used in conjunction with PreProcessingHook below
    # PostAuthHook file:"goodies/eap_anon_hook.pl"
</Handler>
# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the
# inner authentication extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used
# to select a specific handler, or else you can use EAPAnonymous to set a
# username and realm which can be used to select a Realm clause for the
# inner request.
# This allows you to select an inner authentication method based on Realm,
# and/or the fact that they were tunnelled. You can therefore act just as a
# PEAP server, or also act as the AAA/H home server, and authenticate PEAP
# requests locally or proxy them to another remote server based on the
# realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are
# authenticated from a file by AuthBy FILE
<Handler>
    <AuthBy SQL>
        Identifier SUBSCRIBERS
        DBSource dbi:mysql:radmin:localhost
        DBUsername [obscured]
        DBAuth [obscured]
        Description Database to authenticate users
        NoDefault
        DefaultSimultaneousUse 1
        AuthSelect select PASS_WORD, TIMELEFT, MAXLOGINS, VALIDFROM from RADUSERS where USERNAME=%0 and TIMELEFT > 0 and VALIDFROM < %t
        AuthColumnDef 0,User-Password,check
        AuthColumnDef 1,Session-Timeout,reply
        AuthColumnDef 2,Simultaneous-Use,check
        AutoMPPEKeys
        SSLeayTrace 4
        # EAPType sets the EAP type(s) that Radiator will honour.
        # Options are: MD5-Challenge, One-Time-Password
        # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
        # Multiple types can be comma separated. With the default (most
        # preferred) type given first
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/cacert.pem
        # EAPTLS_CAPath
        EAPTLS_CertificateFile %D/certificates/tem_dom.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/tem_dom.key
        # EAPTLS_PrivateKeyPassword whatever
        # EAPTLS_RandomFile %D/certificates/random
        EAPTLS_MaxFragmentSize 1000
        # EAPTLS_DHFile %D/certificates/cert/dh
        # EAPTLS_CRLCheck
        # EAPTLS_CRLFile %D/certificates/crl.pem
        # EAPTLS_CRLFile %D/certificates/revocations.pem
        # EAPAnonymous anonymous@some.other.realm
        EAPTLS_SessionResumption 0
        # EAPTLS_SessionResumptionLimit 10
        EAPTLS_PEAPVersion 0
        # EAPTLS_PEAPBrokenV1Label
        AccountingTable RADUSAGE
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef TIME_STAMP,%b-0%{Acct-Session-Time},literal
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
        AcctColumnDef DNIS,Called-Station-Id
        AcctColumnDef FRAMEDIPADDRESS,Calling-Station-Id
        AcctColumnDef NASIDENTIFIER,NAS-IP-Address
        AcctColumnDef NASIDENTIFIER,NAS-Identifier
        AcctColumnDef NASPORT,NAS-Port,integer
        HandleAcctStatusTypes Stop
    </AuthBy>
    <AuthLog SQL>
        # This database spec usually should be exactly the same
        # as in <AuthBy SQL> above
        DBSource dbi:mysql:radmin:localhost
        DBUsername [obscured]
        DBAuth [obscured]
        LogSuccess
        SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
        LogFailure
        FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
    </AuthLog>
    # This hook fixes the problem with some implementations of PEAP, where the
    # accounting requests have the User-Name of anonymous, instead of the real
    # users name. After authenticating the inner TTLS request, the
    # PostAuthHook caches the _real_ user name in an SQL table,
    # The PreProcessingHook replaces the 'anonymous' user name in
    # accounting requests with the
    # real user name that was previously cached for the NAS and NAS-Port.
    # You can see the correct real User-Name logged in the AcctLogFileName
    # Must be used in conjunction with PostAuthHook above
    # PreProcessingHook file:"goodies/eap_anon_hook.pl"
</Handler>
<SessionDatabase SQL>
    Identifier SQLSESSIONDB
    # This database spec usually should be exactly the same
    # as in <AuthBy SQL> above
    DBSource dbi:mysql:radmin:localhost
    DBUsername [obscured]
    DBAuth [obscured]
    Description SQL Session Database
    # Run on Accounting Start: records the new session for the user
    AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, \
        ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) \
        values ('%u', '%1', %2, %3, %{Timestamp}, \
        '%{Calling-Station-Id}', '%{NAS-Port-Type}', '%{Service-Type}')
    # Run on Accounting Stop: removes the session, keyed by NAS and session id
    # DeleteQuery delete from RADONLINE where ACCTSESSIONID = %3
    DeleteQuery delete from RADONLINE where NASIDENTIFIER='%1' and ACCTSESSIONID = %3
    ClearNasQuery delete from RADONLINE where NASIDENTIFIER = '%0'
    # Returns one row per current session for the user; the number of rows is
    # what gets compared against Simultaneous-Use. No comma may follow the
    # last column before "from" or the query is invalid SQL.
    CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE where USERNAME = '%u'
</SessionDatabase>
===================================================================================================
I will be attaching the log in the next email as the mailing list has a
limit of lines allowed.
Any help would be extremely appreciated.
Thanks.
--
Warm Regards,
Kheng Teong, Lim
Chief Information Officer
UberFusion Sdn. Bhd.
-----------------------------------------------------------
UberFusion Sdn. Bhd.
No. 119, (3rd Floor) Jalan SS6/12,
Kelana Jaya Urban Centre,
47301 Petaling Jaya,
Selangor Darul Ehsan, MALAYSIA.
Tel: 03-7880 6580 / Fax: 03-7880 6590
http://www.uberfusion.com
------------------------------------------------------------
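An added stand-alone model of what the posted SessionDatabase and Simultaneous-Use check are supposed to do together; it is example code written for this page, not Radiator's code, and it does not model how Radiator itself reacts to a failing CountQuery. It assumes an in-memory SQLite table with the same column names as RADONLINE, constructed accounting records for a user "alice" on NAS identifiers "ap-1" and "ap-2", and "?" placeholders where Radiator would substitute %u. It shows three things a defender wants to see: a second login is refused only when the first session was recorded under the real user name; a Start record written as "anonymous" (the PEAP accounting problem the config's own comments describe) never counts against the real user's limit; and a malformed count query (for instance a stray comma before FROM) must fail closed, because treating a failed count as "zero sessions" allows unlimited logins.

```python
import sqlite3

# Constructed in-memory stand-in for the RADONLINE session table of the
# posted <SessionDatabase SQL>; columns trimmed to those the queries use.
SCHEMA = """
CREATE TABLE RADONLINE (
    USERNAME      TEXT,
    NASIDENTIFIER TEXT,
    NASPORT       INTEGER,
    ACCTSESSIONID TEXT,
    TIME_STAMP    INTEGER
)
"""

# A count query with a stray comma before FROM (invalid SQL) beside the
# corrected form. '?' stands in for Radiator's '%u' substitution.
COUNT_QUERY_BROKEN = ("select NASIDENTIFIER, NASPORT, ACCTSESSIONID, "
                      "from RADONLINE where USERNAME = ?")
COUNT_QUERY_FIXED = ("select NASIDENTIFIER, NASPORT, ACCTSESSIONID "
                     "from RADONLINE where USERNAME = ?")


class SessionDb:
    """Minimal model of a RADIUS session database (Add/Delete/Count queries)."""

    def __init__(self, count_query=COUNT_QUERY_FIXED):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(SCHEMA)
        self.count_query = count_query

    def add(self, user, nas, port, session_id, ts):
        # AddQuery: runs on an Accounting Start
        self.conn.execute("insert into RADONLINE values (?, ?, ?, ?, ?)",
                          (user, nas, port, session_id, ts))

    def delete(self, nas, session_id):
        # DeleteQuery: runs on an Accounting Stop, keyed by NAS and session id
        self.conn.execute(
            "delete from RADONLINE where NASIDENTIFIER = ? and ACCTSESSIONID = ?",
            (nas, session_id))

    def count(self, user):
        # CountQuery: one row per session currently recorded for the user.
        # Returns None when the query itself fails so the caller decides
        # whether to fail open or closed.
        try:
            return len(self.conn.execute(self.count_query, (user,)).fetchall())
        except sqlite3.Error:
            return None


def simultaneous_use_check(db, user, limit, fail_closed=True):
    """Decide whether a new login for `user` stays within its Simultaneous-Use limit.

    Returns (accepted, reason). A failing count query is treated as "no
    sessions" only when fail_closed is False; that is the mode that
    silently allows unlimited logins.
    """
    n = db.count(user)
    if n is None:
        if fail_closed:
            return False, "count query failed; refusing login"
        n = 0
    if n >= limit:
        return False, f"{n} active session(s), limit {limit}"
    return True, f"{n} active session(s), limit {limit}"


def handle_accounting(db, rec):
    """Apply one constructed accounting record (a dict) to the session table."""
    if rec["Acct-Status-Type"] == "Start":
        db.add(rec["User-Name"], rec["NAS-Identifier"], rec["NAS-Port"],
               rec["Acct-Session-Id"], rec["Timestamp"])
    elif rec["Acct-Status-Type"] == "Stop":
        db.delete(rec["NAS-Identifier"], rec["Acct-Session-Id"])


def run_scenario(count_query=COUNT_QUERY_FIXED, acct_user="alice", fail_closed=True):
    """Constructed sequence: alice logs in on ap-1, the Start record arrives
    under `acct_user` (her real name, or 'anonymous' as some PEAP supplicants
    send), then a second PC tries to log in with Simultaneous-Use 1, and
    finally the ap-1 Stop record arrives. Returns (first, second, after_stop, reason)."""
    db = SessionDb(count_query)
    first, _ = simultaneous_use_check(db, "alice", 1, fail_closed)
    handle_accounting(db, {"Acct-Status-Type": "Start", "User-Name": acct_user,
                           "NAS-Identifier": "ap-1", "NAS-Port": 1,
                           "Acct-Session-Id": "0001", "Timestamp": 1164900000})
    second, reason = simultaneous_use_check(db, "alice", 1, fail_closed)
    handle_accounting(db, {"Acct-Status-Type": "Stop", "User-Name": acct_user,
                           "NAS-Identifier": "ap-1", "NAS-Port": 1,
                           "Acct-Session-Id": "0001", "Timestamp": 1164903600})
    after_stop, _ = simultaneous_use_check(db, "alice", 1, fail_closed)
    return first, second, after_stop, reason


if __name__ == "__main__":
    print("fixed query, real name in accounting:  ", run_scenario())
    print("fixed query, 'anonymous' in accounting:", run_scenario(acct_user="anonymous"))
    print("broken query, fail open:               ", run_scenario(COUNT_QUERY_BROKEN, fail_closed=False))
    print("broken query, fail closed:             ", run_scenario(COUNT_QUERY_BROKEN))
```

Only the first scenario refuses the second PC. The "anonymous" case is the one the commented-out eap_anon_hook.pl lines in the config address: until accounting carries the real User-Name, the count for "alice" stays at zero no matter how many sessions she holds. The broken-query cases show why a session-count failure should be treated as a deny and logged rather than as an empty result.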