(RADIATOR) Fwd: EAPAnonymous - Different behaviour for EAP-TTLS and PEAP

Hugh Irvine hugh at open.com.au
Sat Apr 14 03:56:49 CDT 2007


Hello Rogier -

Thanks for the additional information.

Could you also tell me what outer username you used in all cases as  
well as what client supplicant you used?

thanks and regards

Hugh


On 12 Apr 2007, at 23:05, Rogier Krieger wrote:

> Hello Hugh,
>
> On 4/12/07, Hugh Irvine <hugh at open.com.au> wrote:
>> Could you please provide a bit more detail about the tests you have
>> tried and the expected outcomes versus the actual outcomes?
>
> The tests are rather simple, really. I would like to handle requests
> with different EAP *inner* identities by different <Handler> clauses
> and at the same time support both TTLS and PEAP. Hence the four
> handlers: TunneledBy(TTLS|PEAP)=1, Realm=[visitor.]iverdahl.net
>
> Two EAP types, each one for two realms, equals four <Handler> clauses.
>
>
> Expectations:
> By setting EAPAnonymous %0, I expect the inner request (that I believe
> should be handled by the TunneledBy(TTLS|PEAP) condition) to match on
> the second condition (Realm=) as well. For TTLS, that seems to be the
> case (even when I'm not using EAPAnonymous %0). I would like for PEAP
> to work similarly.
>
>
> Test setup:
> The reason for 8 dumps is that I test both TTLS and PEAP, and for each
> of those, vary both the outer and inner identities to see how Radiator
> handles those authentication requests. In every case, I expect
> Radiator to select a handler based on the Realm of the EAP inner
> identity. When the outer and inner identities differ, this is meant as
> a check: Radiator should choose a handler based on the inner EAP
> identity.
>
>
> Test results:
> For TTLS, Radiator seems to do this. For PEAP, however, Radiator seems
> to select a handler based upon the EAP outer identity, even though the
> manual leads me to believe EAPAnonymous %0 should use the EAP inner
> identity for the request.
>
>
> Does the above clarify things?
>
> Cheers,
>
> Rogier
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

