(RADIATOR) PEAP inner-username

R.H.Hoek r.h.hoek at utwente.nl
Fri Feb 9 03:33:16 CST 2007



Hi all,

We have configured our Radiator server to authenticate WLAN-users
with TTLS and PEAP.
To log the inner-username we use a hook that appends the
inner-username to a Class attribute.

This works fine with TTLS. With PEAP we can't get the
inner-username. What we get is the outer-username.

How can we fix this?

-------------------HOOK:
#!/usr/bin/perl
# -*- mode: Perl -*-
# anonymous.pl
#
# PreAuthHook ($request,$reply)
#
# Append a Class attribute
# with "Inner-Auth=<inner authentication user>"
#

sub {
  my $ts = scalar localtime();
  my $p=${$_[0]};       # the (inner) request being authenticated
  my $rp=${$_[1]};      # the reply being built for it
  my $eaptype = $p->{outerRequest}->{EAPTypeName} || 'unknown';
  my $user;
  if ($eaptype eq 'TTLS') {
     $user = $p->get_attr('User-Name') || "";
  } elsif ($eaptype eq 'PEAP') {
     $user = $p->{EAPIdentity} || $p->getUserName();
  }

  if ($user) {
     $user =~ s/^([^@]+).*/$1/;   # Strip the realm
     &main::log($main::LOG_DEBUG,
                "\t[anonymous.pl $eaptype] Username $user added to reply");
     $rp->add_attr('Class', "Inner-Auth=$user");
  } else {
     &main::log($main::LOG_DEBUG,
                "\t[anonymous.pl $eaptype] Warning: could not determine username");
  }
}


-------------------HANDLERS:
<Handler Realm=utwente.nl,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByTTLS=0>
        <AuthBy FILE>
                EAPType TTLS, PEAP
                .
                .
                EAPAnonymous %u
                #EAPAnonymous %0
        </AuthBy>
</Handler>

<Handler Realm=utwente.nl,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByTTLS=1>
        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername s/^\s*//
        PreAuthHook file:"%D/hooks/anonymous.pl"
        <AuthBy FILE>
                .
                .
        </AuthBy>
</Handler>

<Handler Realm=utwente.nl,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
        AuthByPolicy ContinueWhileReject
        PreAuthHook file:"%D/hooks/anonymous.pl"
        <AuthBy FILE>
                RewriteUsername s/^([^@]+).*/$1/
                RewriteUsername s/^\s*//
                RewriteUsername s/\s*$//
                Filename %D/users-wlan-peap-local
                EAPType MSCHAP-V2
        </AuthBy>
        # rewrite the username to find the non-default account in the users file
        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername s/^\s*//
        RewriteUsername s/\s*$//
        <AuthBy FILE>
                Filename %D/users-wlan-peap
                NoEAP
        </AuthBy>
</Handler>

--

Regards,

Roel H.Hoek, Network Management
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente,  P.O. Box 217,  7500 AE  Enschede
room SP 422, phone: 053 - 489 4598,  fax: 053 - 489 2383
e-mail: r.h.hoek at utwente.nl http://www.utwente.nl/itbe
IM-Jabber: rhhoek at gmail.com

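The point of the hook above is that the inner username ends up in a Class attribute, which the access point echoes back in its accounting records, so an anonymous outer identity can still be tied to a real user. The script below is an added example (not part of the post and not Radiator code) that reads accounting records in the detail-file layout Radiator writes by default (a timestamp line followed by tab-indented Attribute = Value lines, records separated by a blank line), pulls the Inner-Auth value out of Class, folds the records by Acct-Session-Id, and lists the sessions that only ever carried the outer identity, which is exactly the symptom described for PEAP. The three records, the session ids, MAC addresses and usernames are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample records in Radiator's default accounting detail layout.
# Record 2 carries no Class attribute, i.e. only the outer (anonymous) identity
# reached the accounting log, which is the PEAP problem described in the post.
SAMPLE_DETAIL = """\
Fri Feb  9 03:33:16 2007
\tUser-Name = "anonymous@utwente.nl"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "4B8F0001"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tClass = "Inner-Auth=jdoe"

Fri Feb  9 03:34:02 2007
\tUser-Name = "anonymous@utwente.nl"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "4B8F0002"
\tCalling-Station-Id = "66-77-88-99-AA-BB"

Fri Feb  9 03:40:11 2007
\tUser-Name = "anonymous@utwente.nl"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "4B8F0001"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tClass = "Inner-Auth=jdoe"
\tAcct-Session-Time = 395
"""

# Indented "Attribute = value" line; the value may or may not be quoted.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')
# The marker the hook writes into Class: Inner-Auth=<user>.
INNER_RE = re.compile(r'Inner-Auth=([^\s,;]+)')


def parse_detail(text):
    """Split a detail file into records, one dict of attribute -> value each."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None            # blank line ends the record
            continue
        if not line[0].isspace():
            # A non-indented line is the timestamp that opens a new record.
            current = {"_timestamp": line.strip()}
            records.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return records


def strip_realm(user):
    """Same intent as the RewriteUsername s/^([^@]+).*/$1/ rule in the config."""
    return re.sub(r'^([^@]+).*', r'\1', user.strip())


def inner_identity(record):
    """Return the inner username carried in Class, or None when it is absent."""
    cls = record.get("Class")
    if not cls:
        return None
    m = INNER_RE.search(cls)
    return m.group(1) if m else None


def attribute_sessions(records):
    """Fold records by Acct-Session-Id, keeping outer/inner identity, MAC and last status."""
    sessions = OrderedDict()
    for rec in records:
        sid = rec.get("Acct-Session-Id")
        if not sid:
            continue
        s = sessions.setdefault(sid, {"outer": None, "inner": None,
                                      "mac": None, "status": None})
        s["outer"] = strip_realm(rec.get("User-Name", "")) or s["outer"]
        s["inner"] = inner_identity(rec) or s["inner"]
        s["mac"] = rec.get("Calling-Station-Id") or s["mac"]
        s["status"] = rec.get("Acct-Status-Type") or s["status"]
    return sessions


def unattributed_sessions(sessions):
    """Session ids whose records only ever carried the outer (anonymous) identity."""
    return [sid for sid, s in sessions.items() if s["inner"] is None]


if __name__ == "__main__":
    sessions = attribute_sessions(parse_detail(SAMPLE_DETAIL))
    for sid, s in sessions.items():
        print(sid, s)
    print("sessions without inner identity:", unattributed_sessions(sessions))
```

Running it on the constructed input attributes session 4B8F0001 to jdoe and reports 4B8F0002 as unattributed; on a real detail file the unattributed list is the quickest way to see whether the PEAP handler's hook is actually populating Class.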

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au