(RADIATOR) Fwd: EAPAnonymous - Different behaviour for EAP-TTLS and PEAP
Hugh Irvine
hugh at open.com.au
Thu Apr 12 03:18:03 CDT 2007
Hello Rogier -
Thanks for the additional information.
I have had a look at the debug traces and I am a bit confused as to
what I am looking at.
Could you please provide a bit more detail about the tests you have
tried and the expected outcomes versus the actual outcomes?
regards
Hugh
On 10 Apr 2007, at 22:49, Rogier Krieger wrote:
> After trying several times, the list server appears to quietly refuse
> the trace dumps I wanted to send along (~300 KB). Hence a try without
> the dumps, with (temporary) links to them online.
>
> http://www.iverdahl.net/pub/radiator-trace/
>
>
> ---------- Forwarded message ----------
> From: Rogier Krieger <rkrieger at gmail.com>
> Date: Apr 10, 2007 10:22 AM
> Subject: EAPAnonymous - Different behaviour for EAP-TTLS and PEAP
> To: Radiator list <radiator at open.com.au>
>
>
> Dear list,
>
> Now that both EAP-TTLS PEAP-MSCHAP-V2 are working for me, I felt it
> was time to add a bit of breakage. I am trying to achieve the
> following things:
>
> + Support for multiple realms for an EAP inner identity
> -> Regular users (@domain.tld) - from a central LDAP
> -> Visitors (@visitor.domain.tld) - from a simple database
> (to be built)
> + A single EAP outer identity: anonymous at domain.tld
>
> I intend to do this using various <Handler> clauses that define
> appropriate criteria (TunneledByTTLS=1) and realms
> (Realm=visitor.domain.tld). I included my configuration with this
> message. Reading the manual, I gather I should use the EAPAnonymous
> parameter to achieve the above. I am using EAPAnonymous %0.
>
>
> Expected issue:
> When using the EAPAnonymous parameter (set to %0), I seem to get
> different results dependent on whether the supplicant uses EAP-TTLS or
> PEAP. TTLS works out of the box, but PEAP seems to handle the request
> based on the *outer* EAP identity.
>
>
> Testing:
> I ran several scenarios, with varying outer and inner identities. I
> included traces for both TTLS and PEAP. For an outer identity, I use
> anonymous@$realm. On the inside, I authenticate with my test user
> (test@$realm).
>
> Outer identity Inner identity
> 1 iverdahl.net iverdahl.net
> 2 iverdahl.net visitor.iverdahl.net
> 3 visitor.iverdahl.net iverdahl.net
> 4 visitor.iverdahl.net visitor.iverdahl.net
>
> In every case, I expect the final handler to correspond with the inner
> identity realm. Unfortunately, my results are different:
>
> Expected TTLS result PEAP result
> 1 iverdahl.net OK OK
> 2 visitor.iverdahl.net OK FAIL (iverdahl.net)
> 3 iverdahl.net OK FAIL (visitor.iverdahl.net)
> 4 visitor.iverdahl.net OK OK
>
>> From the above, I suspect Radiator uses the outer identity with the
> inner handler. Can you confirm this? I included both my configuration
> and trace outputs for the specific requests.
>
> Cheers,
>
> Rogier
> <radius.cfg>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list