(RADIATOR) PEAP inner-username

Hugh Irvine hugh at open.com.au
Sat Feb 10 00:41:27 CST 2007


Hello Roel -

See "goodies/eap_anon_hook.pl" for an example.

regards

Hugh


On 9 Feb 2007, at 20:33, R.H.Hoek wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all,
>
> We have configured our Radiator server to authenticate WLAN-users
> with TTLS and PEAP.
> To log the inner-username we use a hook that append the
> inner-username to a class-attribute.
>
> This works fine with TTLS. With PEAP we can't get the
> inner-username. What we get is the outer-username.
>
> How can we fix this?
>
> - -------------------HOOK:
> #!/usr/bin/perl
> # -*- mode: Perl -*-
> # anonymous.pl
> #
> # PreAuthHook ($request,$reply)
> #
> # Append Class-attribuut
> # with "Inner-Auth=<inner authentication user>"
> #
>
> sub {
>   my $ts = scalar localtime();
>   my $p=${$_[0]};
>   my $rp=${$_[1]};
>   my $eaptype = $p->{outerRequest}->{EAPTypeName} || 'unknown';
>   my $user;
>   if ($eaptype eq 'TTLS') {
>      $user = $p->get_attr('User-Name') || "";
>   } elsif ($eaptype eq 'PEAP') {
>      $user = $p->{EAPIdentity} || $p->getUserName();
>   }
>
>   if ($user) {
>      $user =~ s/^([^@]+).*/$1/;   # Strip the realm
>      &main::log($main::LOG_DEBUG,"\t[anonymous.pl $eaptype] Username $user added to reply");
>      $rp->add_attr('Class', "Inner-Auth=$user");
>   } else {
>      &main::log($main::LOG_DEBUG,"\t[anonymous.pl $eaptype] Warning: could not determine username");
>   }
> }
>
>
> - -------------------HANDLERS:
> <Handler Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByTTLS=0>
>
>    <AuthBy FILE>
>                 EAPType TTLS, PEAP
> 		.
> 		.
>                 EAPAnonymous %u
> 		#EAPAnonymous %0
>         </AuthBy>
> </Handler>
>
> <Handler Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByTTLS=1>
>         RewriteUsername s/^([^@]+).*/$1/
>         RewriteUsername s/^\s*//
>         PreAuthHook file:"%D/hooks/anonymous.pl"
>         <AuthBy FILE>
> 		.
> 		.
>         </AuthBy>
> </Handler>
>
> <Handler Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>      AuthByPolicy ContinueWhileReject
>      PreAuthHook file:"%D/hooks/anonymous.pl"
>      <AuthBy FILE>
>              RewriteUsername s/^([^@]+).*/$1/
>              RewriteUsername s/^\s*//
>              RewriteUsername s/\s*$//
>              Filename %D/users-wlan-peap-local
>              EAPType MSCHAP-V2
>      </AuthBy>
>      # rewrite for username to find -not-default- account in users file
>      RewriteUsername s/^([^@]+).*/$1/
>      RewriteUsername s/^\s*//
>      RewriteUsername s/\s*$//
>      <AuthBy FILE>
>                 Filename %D/users-wlan-peap
>                 NoEAP
>         </AuthBy>
> </Handler>
>
> - --
>
> Groeten,
>
> Roel H.Hoek, Netwerkbeheer
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente,  Postbus 217,  7500 AE  Enschede
> kmr SP 422, telefoon: 053 - 489 4598,  fax: 053 - 489 2383
> e-mail: r.h.hoek at utwente.nl http://www.utwente.nl/itbe
> IM-Jabber: rhhoek at gmail.com
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFFzD/cJwlRSGnYBcYRAmyfAJ91DCk9wEFbWs7+RXh12U42QZR33QCeIGe6
> 0inpNbr1DLclKrXF+SsvdJc=
> =+JRP
> -----END PGP SIGNATURE-----
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
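Added example (not from the thread above, and not Radiator's goodies/eap_anon_hook.pl): a PreAuthHook for the TunnelledByTTLS=1 / TunnelledByPEAP=1 Handlers that puts the inner identity into a Class attribute, written so the file runs under plain perl without Radiator. The request objects and &main::log are constructed stand-ins that model only the calls the posted hook makes ($p->{outerRequest}, get_attr, getUserName, add_attr), which is an assumption about Radiator's interface taken from the thread; the hook file name and the sample identities are invented. Beyond the posted hook, it refuses to record an identity when the inner User-Name is empty, has no local part, or merely repeats the outer (anonymous) identity, which is the symptom described in the post, because a Class of "Inner-Auth=anonymous" would later be read as a real user in accounting; it also checks the 253-octet attribute limit.

```perl
#!/usr/bin/perl
# Added example, not Radiator's goodies/eap_anon_hook.pl and not the hook
# from the post above. FakeRequest and main::log below are constructed
# stand-ins so this runs with plain perl; they are assumptions about
# Radiator's request interface, modelled on the calls in the thread.
use strict;
use warnings;

package FakeRequest;   # constructed stand-in; not a Radiator class
sub new {
    my ($class, %args) = @_;
    my $self = bless { attrs => $args{attrs} || {}, reply => [] }, $class;
    $self->{outerRequest} = $args{outerRequest} if $args{outerRequest};
    $self->{EAPTypeName}  = $args{EAPTypeName}  if $args{EAPTypeName};
    return $self;
}
sub get_attr    { my ($s, $n)     = @_; return $s->{attrs}{$n} }
sub getUserName { my ($s)         = @_; return $s->{attrs}{'User-Name'} }
sub add_attr    { my ($s, $n, $v) = @_; push @{ $s->{reply} }, [ $n, $v ] }
sub reply_attrs { my ($s)         = @_; return @{ $s->{reply} } }

package main;
our $LOG_DEBUG = 4;                                   # mirrors $main::LOG_DEBUG
sub log { my ($lvl, $msg) = @_; print STDERR "[$lvl] $msg\n" }   # stand-in for &main::log

# Local part of an identity, or undef when there is none:
# "@realm" and "" give undef instead of silently keeping the realm.
sub strip_realm {
    my ($id) = @_;
    return undef unless defined $id;
    $id =~ s/^\s+|\s+$//g;
    my ($local) = $id =~ /^([^@]+)/;
    return $local;
}

# The hook proper. In radiator.cfg it would be loaded on the inner Handlers
# with: PreAuthHook file:"%D/hooks/inner_class.pl"   (file name assumed)
my $hook = sub {
    my $p  = ${ $_[0] };                              # inner (tunnelled) request
    my $rp = ${ $_[1] };                              # its reply
    my $outer   = $p->{outerRequest};
    my $eaptype = ($outer && $outer->{EAPTypeName}) || 'unknown';
    my $inner   = $p->getUserName();                  # identity sent inside the TLS tunnel
    my $anon    = $outer ? $outer->getUserName() : undef;   # outer identity, e.g. EAPAnonymous

    # No inner identity, or just the anonymous outer identity repeated: do not
    # record it, or accounting would later show "anonymous" as a real user.
    if (!defined $inner || $inner eq '' || (defined $anon && $inner eq $anon)) {
        &main::log($main::LOG_DEBUG, "[$eaptype] no usable inner identity (outer=" . ($anon // '-') . ")");
        return;
    }
    my $user = strip_realm($inner);
    unless (defined $user) {
        &main::log($main::LOG_DEBUG, "[$eaptype] inner identity '$inner' has no local part");
        return;
    }
    my $class = "Inner-Auth=$user";
    if (length($class) > 253) {                       # RFC 2865: at most 253 octets per attribute value
        &main::log($main::LOG_DEBUG, "[$eaptype] Class value too long, not added");
        return;
    }
    &main::log($main::LOG_DEBUG, "[$eaptype] adding Class $class");
    $rp->add_attr('Class', $class);                   # NAS echoes Class in Accounting-Request
};

# Constructed sample exchanges: EAP type, outer User-Name, inner User-Name.
my @cases = (
    [ 'TTLS', 'anonymous@utwente.nl', 'roel@utwente.nl' ],        # real identity only inside the tunnel
    [ 'PEAP', 'anonymous@utwente.nl', 'anonymous@utwente.nl' ],   # client repeated the outer identity
    [ 'PEAP', 'anonymous@utwente.nl', '@utwente.nl' ],            # no local part
);
for my $c (@cases) {
    my ($type, $outer_name, $inner_name) = @$c;
    my $outer = FakeRequest->new(attrs => { 'User-Name' => $outer_name }, EAPTypeName => $type);
    my $p     = FakeRequest->new(attrs => { 'User-Name' => $inner_name }, outerRequest => $outer);
    my $rp    = FakeRequest->new();
    $hook->(\$p, \$rp);
    my @class = map { $_->[1] } grep { $_->[0] eq 'Class' } $rp->reply_attrs();
    printf "%-4s inner=%-22s -> Class: %s\n", $type, $inner_name, @class ? $class[0] : '(none)';
}
```

Run it with perl to see the three cases; only the first one yields a Class attribute. Keep in mind that Class is an ordinary RADIUS attribute: the NAS returns it in Accounting-Request (RFC 2865 section 5.25) and every RADIUS proxy between server and NAS sees it, as does anyone on the path unless the transport is RadSec. Recording the inner identity there therefore exposes exactly the name the anonymous outer identity was meant to hide, which is acceptable on a local WLAN like the one in this thread but not on a path that is proxied to other sites.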

