(RADIATOR) RE: Multiple Logins Problem: 802.1X + PEAP + Radiator + Proxim AP-2000/AP-4000

Kheng Teong, Lim ktlim at uberfusion.com
Thu Nov 30 21:56:11 CST 2006


Hi All,
 
Urmm.. I seem to have problems sending the logs in-line in the email.
I'm guessing its due to the 80000 character limit?
 
Can I attach the logfiles as attachments instead?
 
--
Warm Regards,
Kheng Teong, Lim
 
Chief Information Officer
UberFusion Sdn. Bhd.
-----------------------------------------------------------
UberFusion Sdn. Bhd.
No. 119, (3rd Floor) Jalan SS6/12,
Kelana Jaya Urban Centre,
47301 Petaling Jaya,
Selangor Darul Ehsan, MALAYSIA.
Tel: 03-7880 6580 / Fax: 03-7880 6590
HYPERLINK "http://www.uberfusion.com/"http://www.uberfusion.com
------------------------------------------------------------
 
   _____  

From: Kheng Teong, Lim [mailto:ktlim at uberfusion.com] 
Sent: Friday, December 01, 2006 11:40 AM
To: 'radiator at open.com.au'
Subject: Multiple Logins Problem: 802.1X + PEAP + Radiator + Proxim
AP-2000/AP-4000


Hi all,
 
I'm experiencing a problem, whereby users can login multiple times from
different PC's using 802.1X with Radiator.
I have tried defining a SessionDatabase, and have also set the users
database to have a MAXLOGINS of 1.
The parameters however still don't seem to be honoured by Radiator and
Simultaneous-Use still seems to work (ie. multiple logins)
 
Client: Windows XP SP1 (and above) using Microsoft 802.1X PEAP
Server: Linux O/S + MySQL + Radiator 3.13
Wireless Access Point: Proxim AP-2000 & Proxim AP-4000
 
============================================================================
=======================
I attached herewith below the radius.cfg I'm using:
 
# eap_peap.cfg
# $Id: eap_peap.cfg,v 1.11 2005/03/17 00:40:03 mikem Exp $
 
Trace  5
 
# # Listen for authentication requests on port 1812 as per RFC 2138.
AuthPort 1645,1812
# # Listen for accounting requests on port 1813 as per RFC 2139.
AcctPort 1646,1813
 
# # For convenience, the LogDir directory name can be referred to as %L in
any file name path in this configuration file.
LogDir  /var/log/radiator
# # For convenience, the DbDir directory name can be referred to as %D in
any file name path in this configuration file.
DbDir  /etc/radiator
 
# # Log file goes in /var/log/radius, with year, month, day.
LogFile  /var/log/radiator/%Y-%m-%d-radiator.log

# # The name of the Radius dictionary file. The dictionary file defines the
names to be used for Radius
# # attributes and their values. The default is %D/dictionary , i.e. a file
called "dictionary" in DbDir.
DictionaryFile %D/dictionary
 
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
 Secret  [obscured]
 DupInterval 2
 NasType  unknown
</Client>
 
<ClientListSQL>
 DBSource dbi:mysql:radmin:localhost
 DBUsername [obscured]
 DBAuth  [obscured]
</ClientListSQL>
 
# # This is where we authenticate a PEAP inner request, which will be an EAP
# # request. The username of the inner request will be anonymous, although
# # the identity of the EAP request will be the real username we are
# # trying to authenticate.
<Handler TunnelledByPEAP=1>
 
 RejectHasReason
 
 # Windows XP when configured for a workgroup might send tunnelled user
names
      # in the format COMPUTERNAME\username (eg BAKER\mikem). This
      # will strip the computer name leaving just the user name
      # RewriteUsername s/(.*)\\(.*)/$2/
 
 <AuthBy SQL>
  Identifier SUBSCRIBERS
  DBSource dbi:mysql:radmin:localhost
  DBUsername [obscured]
  DBAuth  [obscured]
 
  Description     Database to authenticate users
 
  NoDefault
  DefaultSimultaneousUse 1
  EAPType  MSCHAP-V2
 
  AuthSelect select PASS_WORD, TIMELEFT, MAXLOGINS, VALIDFROM from RADUSERS
where USERNAME=%0 and TIMELEFT > 0 and VALIDFROM < %t
  AuthColumnDef 0,User-Password,check
  AuthColumnDef 1,Session-Timeout,reply
  AuthColumnDef 2,Simultaneous-Use,check
 </AuthBy>
 
 # # This hook fixes the problem with some implementations of PEAP, where
the
 # # accounting requests have the User-Name of anonymous, instead of the
real
 # # users name. After authenticating the inner TTLS request, the
 # # PostAuthHook caches the _real_ user name in an SQL table,
 # # The PreProcessingHook replaces the 'anonymous' user name in 
 # # accounting requests with the 
 # # real user name that was previously cached for the NAS and NAS-Port.
 # # You can see the correct real User-Name logged in the AcctLogFileName
 # # Must be used in conjunction with PreProcessingHook below
# PostAuthHook file:"goodies/eap_anon_hook.pl"
</Handler>

# # The original PEAP request from a NAS will be sent to a matching
# # Realm or Handler in the usual way, where it will be unpacked and the
inner authentication
# # extracted.
# # The inner authentication request will be sent again to a matching
# # Realm or Handler. The special check item TunnelledByPEAP=1 can be used
to select
# # a specific handler, or else you can use EAPAnonymous to set a username
and realm
# # which can be used to select a Realm clause for the inner request.
# # This allows you to select an inner authentication method based on Realm,
and/or the
# # fact that they were tunnelled. You can therfore act just as a PEAP
server, or also 
# # act as the AAA/H home server, and authenticate PEAP requests locally or
proxy
# # them to another remote server based on the realm of the inner
authenticaiton request.
# # In this basic example, both the inner and outer authentication are
authenticated
# # from a file by AuthBy FILE
<Handler>
 <AuthBy SQL>
  Identifier SUBSCRIBERS
  DBSource dbi:mysql:radmin:localhost
  DBUsername [obscured]
  DBAuth  [obscured]
 
  Description Database to authenticate users
 
  NoDefault
  DefaultSimultaneousUse  1
 
  AuthSelect select PASS_WORD, TIMELEFT, MAXLOGINS, VALIDFROM from RADUSERS
where USERNAME=%0 and TIMELEFT > 0 and VALIDFROM < %t
  AuthColumnDef 0,User-Password,check
  AuthColumnDef 1,Session-Timeout,reply
  AuthColumnDef 2,Simultaneous-Use,check
 
  AutoMPPEKeys
  SSLeayTrace 4
 
  # EAPType sets the EAP type(s) that Radiator will honour.
  # Options are: MD5-Challenge, One-Time-Password
  # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
  # Multiple types can be comma separated. With the default (most
  # preferred) type given first
  EAPType    PEAP
  EAPTLS_CAFile   %D/certificates/cacert.pem
  # EAPTLS_CAPath
  EAPTLS_CertificateFile  %D/certificates/tem_dom.pem
  EAPTLS_CertificateType  PEM
  EAPTLS_PrivateKeyFile  %D/certificates/tem_dom.key
  # EAPTLS_PrivateKeyPassword whatever
  # EAPTLS_RandomFile  %D/certificates/random
  EAPTLS_MaxFragmentSize  1000
  # EAPTLS_DHFile   %D/certificates/cert/dh
  # EAPTLS_CRLCheck
  # EAPTLS_CRLFile  %D/certificates/crl.pem
  # EAPTLS_CRLFile  %D/certificates/revocations.pem
  # EAPAnonymous   HYPERLINK
"mailto:anonymous at some.other.realm"anonymous at some.other.realm
  EAPTLS_SessionResumption 0
  # EAPTLS_SessionResumptionLimit 10
  EAPTLS_PEAPVersion  0
  # EAPTLS_PEAPBrokenV1Label
 
  AccountingTable RADUSAGE
  AcctColumnDef USERNAME,User-Name
  AcctColumnDef TIME_STAMP,%b-0%{Acct-Session-Time},literal
  AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
  AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
  AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
  AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
  AcctColumnDef ACCTSESSIONID,Acct-Session-Id
  AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
  AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
  AcctColumnDef DNIS,Called-Station-Id
  AcctColumnDef FRAMEDIPADDRESS,Calling-Station-Id
  AcctColumnDef NASIDENTIFIER,NAS-IP-Address
  AcctColumnDef NASIDENTIFIER,NAS-Identifier
  AcctColumnDef NASPORT,NAS-Port,integer
 
  HandleAcctStatusTypes Stop
 </AuthBy>
    
 <AuthLog SQL>
  # This database spec usually should be exactly the same
  # as in <AuthBy SQL> above
  DBSource dbi:mysql:radmin:localhost
  DBUsername [obscured]
  DBAuth  [obscured]
        
  LogSuccess
  SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values
(%t, '%n', 1)
  LogFailure
  FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON)
values (%t, '%n', 0, %1)
 </AuthLog>
 
 # This hook fixes the problem with some implementations of PEAP, where the
 # accounting requests have the User-Name of anonymous, instead of the real
 # users name. After authenticating the inner TTLS request, the
 # PostAuthHook caches the _real_ user name in an SQL table,
 # The PreProcessingHook replaces the 'anonymous' user name in 
 # accounting requests with the 
 # real user name that was previously cached for the NAS and NAS-Port.
 # You can see the correct real User-Name logged in the AcctLogFileName
 # Must be used in conjunction with PostAuthHook above
# PreProcessingHook file:"goodies/eap_anon_hook.pl"
</Handler>
 
<SessionDatabase SQL>
 Identifier SQLSESSIONDB
 # This database spec usually should be exactly the same
 # as in <AuthBy SQL> above
 DBSource dbi:mysql:radmin:localhost
 DBUsername [obscured]
 DBAuth  [obscured]
 Description SQL Session Database
 
 AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT,
ACCTSESSIONID, TIME_STAMP, \
 FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('%u', '%1', %2, %3,
%{Timestamp}, \
 '%{Calling-Station-Id}', '%{NAS-Port-Type}', '%{Service-Type}')
 
 # DeleteQuery delete from RADONLINE where ACCTSESSIONID = %3
 DeleteQuery delete from RADONLINE where NASIDENTIFIER='%1' and
ACCTSESSIONID = %3
 
 ClearNasQuery delete from RADONLINE where NASIDENTIFIER = '%0'
 
 CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID, from RADONLINE
where USERNAME = '%u'
</SessionDatabase>
============================================================================
======================= 
 
I will be attaching the log in the next email as the mailing list has a
limit of lines allowed.
 
 Any help would be extremely appreciated.
 
Thanks.
 
--
Warm Regards,
Kheng Teong, Lim
 
Chief Information Officer
UberFusion Sdn. Bhd.
-----------------------------------------------------------
UberFusion Sdn. Bhd.
No. 119, (3rd Floor) Jalan SS6/12,
Kelana Jaya Urban Centre,
47301 Petaling Jaya,
Selangor Darul Ehsan, MALAYSIA.
Tel: 03-7880 6580 / Fax: 03-7880 6590
HYPERLINK "http://www.uberfusion.com/"http://www.uberfusion.com
------------------------------------------------------------

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.15.2/560 - Release Date: 11/30/2006
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.open.com.au/pipermail/radiator/attachments/20061201/b6da0c45/attachment.html>


More information about the radiator mailing list