(RADIATOR) PEAP inner-username
Ernst Oudhof
e.oudhof at mailfrom.nl
Fri Feb 9 04:53:37 CST 2007
Hi,
This is probably because your hook is used as a PreAuthHook.
I'm using the following code to return the username to the NAS and get
correct authlog output.
sub
{
    my ($p, $rp, $handled, $reason) = @_;
    if (${$p}->code() eq 'Access-Request' && $$handled == $main::ACCEPT)
    {
        if (${$p}->{outerRequest})
        {
            # This is in a PostAuthHook _after_ the inner Access-Request has been accepted.
            # It rewrites the username to the EAP identity or the User-Name.
            my $username = ${$p}->{EAPIdentity};
            $username = ${$p}->getUserName() unless defined $username;
            my @W = split(/@/, ${$p}->{outerRequest}->{OriginalUserName});
            my @U = split(/@/, $username);
            # Add realm name from outer request
            $username = $U[0] . "\@" . $W[1] if defined $W[1];
            ${$rp}->changeUserName($username) if defined $username;
        }
        else
        {
            # This is in a PostAuthHook after the outer Access-Request has been accepted.
            # It is used to get a correct authlog.
            ${$p}->changeUserName(${$rp}->getUserName());
        }
    }
}
regards,
Ernst Oudhof
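As an added example (not Ernst's or Radiator's own code): the PostAuthHook logic above with the inner-identity and realm handling pulled into a function, so it can be checked offline against a small stand-in for Radiator's request objects. FakeRequest, the user 'alice' and the value given to $main::ACCEPT are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the thread: the PostAuthHook's inner-identity
# logic factored into a function and exercised offline against a minimal
# stand-in for Radiator request objects (FakeRequest is hypothetical).
use strict;
use warnings;
package FakeRequest;    # only the methods the hook touches
sub new            { my ($class, %a) = @_; return bless {%a}, $class; }
sub code           { return $_[0]->{code}; }
sub getUserName    { return $_[0]->{username}; }
sub changeUserName { $_[0]->{username} = $_[1]; }

package main;
# Radiator's accept status; assumed value, defined only for the offline run.
$main::ACCEPT = 0 unless defined $main::ACCEPT;

# Identity to log for a tunnelled (inner) request: the EAP identity, or
# the inner User-Name, joined with the realm of the outer request's
# OriginalUserName so the authlog shows user@realm instead of anonymous@realm.
sub inner_identity_with_realm {
    my ($p) = @_;
    my $username = $p->{EAPIdentity};
    $username = $p->getUserName() unless defined $username;
    return undef unless defined $username;
    my ($inner_user)         = split(/@/, $username);
    my (undef, $outer_realm) = split(/@/, $p->{outerRequest}->{OriginalUserName});
    return defined $outer_realm ? "$inner_user\@$outer_realm" : $inner_user;
}

# The hook body as Radiator would call it: arguments arrive as references.
my $post_auth_hook = sub {
    my ($p, $rp, $handled, $reason) = @_;
    return unless ${$p}->code() eq 'Access-Request' && $$handled == $main::ACCEPT;
    if (${$p}->{outerRequest}) {
        my $username = inner_identity_with_realm(${$p});
        ${$rp}->changeUserName($username) if defined $username;
    } else {
        ${$p}->changeUserName(${$rp}->getUserName());   # outer: copy back for the authlog
    }
};

# Constructed sample: PEAP inner request whose outer identity was anonymous.
my $outer = FakeRequest->new(code => 'Access-Request', OriginalUserName => 'anonymous@utwente.nl');
my $inner = FakeRequest->new(code => 'Access-Request', username => 'anonymous',
                             EAPIdentity => 'alice', outerRequest => $outer);
my $reply = FakeRequest->new(username => 'anonymous');
my ($handled, $reason) = ($main::ACCEPT, '');
$post_auth_hook->(\$inner, \$reply, \$handled, \$reason);
print "reply User-Name after hook: ", $reply->getUserName(), "\n";
```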
> Hi all,
>
> We have configured our Radiator server to authenticate WLAN-users
> with TTLS and PEAP.
> To log the inner-username we use a hook that appends the
> inner-username to a Class attribute.
>
> This works fine with TTLS. With PEAP we can't get the
> inner-username. What we get is the outer-username.
>
> How can we fix this?
>
> -------------------HOOK:
> #!/usr/bin/perl
> # -*- mode: Perl -*-
> # anonymous.pl
> #
> # PreAuthHook ($request,$reply)
> #
> # Append a Class attribute
> # with "Inner-Auth=<inner authentication user>"
> #
>
> sub {
>     my $ts = scalar localtime();
>     my $p=${$_[0]};
>     my $rp=${$_[1]};
>     my $eaptype = $p->{outerRequest}->{EAPTypeName} || 'unknown';
>     my $user;
>     if ($eaptype eq 'TTLS') {
>         $user = $p->get_attr('User-Name') || "";
>     } elsif ($eaptype eq 'PEAP') {
>         $user = $p->{EAPIdentity} || $p->getUserName();
>     }
>
>     if ($user) {
>         $user =~ s/^([^@]+).*/$1/; # Strip the realm
>         &main::log($main::LOG_DEBUG, "\t[anonymous.pl $eaptype] Username $user added to reply");
>         $rp->add_attr('Class', "Inner-Auth=$user");
>     } else {
>         &main::log($main::LOG_DEBUG, "\t[anonymous.pl $eaptype] Warning: could not determine username");
>     }
> }
>
>
> -------------------HANDLERS:
> <Handler Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByTTLS=0>
>
> <AuthBy FILE>
> EAPType TTLS, PEAP
> .
> .
> EAPAnonymous %u
> #EAPAnonymous %0
> </AuthBy>
> </Handler>
>
> <Handler Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByTTLS=1>
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername s/^\s*//
> PreAuthHook file:"%D/hooks/anonymous.pl"
> <AuthBy FILE>
> .
> .
> </AuthBy>
> </Handler>
>
> <Handler Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
> AuthByPolicy ContinueWhileReject
> PreAuthHook file:"%D/hooks/anonymous.pl"
> <AuthBy FILE>
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername s/^\s*//
> RewriteUsername s/\s*$//
> Filename %D/users-wlan-peap-local
> EAPType MSCHAP-V2
> </AuthBy>
> # rewrite username to find the -not-default- account in the users-file
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername s/^\s*//
> RewriteUsername s/\s*$//
> <AuthBy FILE>
> Filename %D/users-wlan-peap
> NoEAP
> </AuthBy>
> </Handler>
>
> --
>
> Regards,
>
> Roel H.Hoek, Netwerkbeheer
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> room SP 422, telephone: 053 - 489 4598, fax: 053 - 489 2383
> e-mail: r.h.hoek at utwente.nl http://www.utwente.nl/itbe
> IM-Jabber: rhhoek at gmail.com
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.