(RADIATOR) EAP TLS Configuration within AuthBy Group clause

Hugh Irvine hugh at open.com.au
Wed Mar 7 02:59:20 CST 2007


Ciao Luca -

Come va?


On 6 Mar 2007, at 05:38, Luca Bechelli wrote:

>
> Hi
>
> I need to configure EAP-TLS authentication over Radiator for some users of a network.

Can you explain exactly what you are wanting to do?

> Unfortunately I encountered some problems:

Can you please send a copy of the configuration file and a trace 4  
debug showing what is happening?

> 1) EAP authentication seems to be "optional" with respect to the <AuthBy> mechanism (the one where the <EAPType> tag is). The user gains access by specifying only the credentials expected by the AuthBy method, rather than the selected EAP type. To resolve this I included the EAP authentication inside an <AuthBy LDAP> method, configured not to pass the LDAP authentication. Is there a simpler mechanism to force the user to perform ONLY EAP authentication?

There is no such thing in Radiator as ONLY EAP authentication.

EAP is really only a transport mechanism designed to carry username/password credentials inside an encrypted tunnel.

Therefore, depending on where your usernames and passwords are stored, you will need the corresponding AuthBy clause with the relevant EAP parameters.

An alternative, more comprehensible configuration follows below.

> 2) I set up an <AuthBy GROUP> configuration for EAP authentication and for getting the user's attributes from the LDAP server: first of all I perform EAP authentication, then I obtain the user's attributes from LDAP. When I try to reauthenticate, Radiator says that the EAP mechanism isn't supported. My question is: is it possible (and how) to perform EAP authentication inside an <AuthBy GROUP> configuration?
>

In general, you should consider EAP as a two-step process. The first "outer" exchange is comprised of multiple RADIUS requests and challenges sent back and forth between the RADIUS server and the client supplicant. The object of this exercise is to establish the encrypted tunnel. Once the encrypted tunnel has been created, the "inner" request is sent, and it is this that contains the username and password to be checked by the AuthBy method.

Normally you only need a simple AuthBy FILE for the "outer" processing, and then you can use the AuthBy LDAP2 clause to process the "inner" request.

Something like this:


# Handler to process "inner" request

<Handler TunnelledByPEAP = 1>
	<AuthBy LDAP2>
		.....
	</AuthBy>
</Handler>

# Handler to process "outer" requests

<Handler>
	<AuthBy FILE>
		......
		EAPType .....
		......
	</AuthBy>
</Handler>



Please have a look at the example configuration files in "goodies/eap_*.cfg".


hope that helps

regards

Hugh


> Regards,
>
> Luca Bechelli
>
> -- 
> View this message in context: http://www.nabble.com/EAP-TLS- 
> Configuration-within-AuthBy-Group-clause-tf3350784.html#a9317572
> Sent from the Radiator - General mailing list archive at Nabble.com.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


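The two-Handler layout Hugh sketches, filled in as an added example (this is neither Hugh's configuration nor one of Radiator's goodies files). It assumes a PEAP deployment whose inner credentials live in LDAP, and all hostnames, paths, DNs, secrets and the LDAP attribute name used for reply attributes are made up. Radiator tries Handlers in the order they appear, so the tunnelled Handler comes first; the trailing catch-all rejects anything that is not an EAP exchange, which addresses the "EAP seems optional" problem without wrapping the EAP clause in a failing AuthBy LDAP. PEAP's inner method is EAP-MSCHAP-V2, so the inner AuthBy needs its own EAPType and a plaintext (or NT-hash) password from LDAP; EAP-TLS itself authenticates with the client certificate in the outer exchange and produces no tunnelled inner request, so for EAP-TLS users only the outer Handler applies.

```conf
# Added example radius.cfg, not from the original post or from Radiator's goodies.
# Everything marked "assumed" is an illustrative value.

Foreground
LogStdout
LogDir      /var/log/radiator          # assumed
DbDir       /etc/radiator              # assumed
Trace       4                          # the "trace 4 debug" asked for above

<Client DEFAULT>
	Secret  mysecret                   # assumed; use a strong per-NAS secret
</Client>

# 1. Inner request. Once the PEAP tunnel is up, Radiator re-submits the protected
#    exchange as a new request tagged TunnelledByPEAP=1. Credentials are checked
#    against LDAP here and reply attributes are fetched from the same entry.
<Handler TunnelledByPEAP=1>
	<AuthBy LDAP2>
		Host            ldap.example.com                   # assumed
		AuthDN          cn=radiator,dc=example,dc=com      # assumed
		AuthPassword    ldapbindpassword                   # assumed
		BaseDN          ou=people,dc=example,dc=com        # assumed
		UsernameAttr    uid
		PasswordAttr    userPassword    # must be plaintext or NT hash for MSCHAP-V2
		# PEAP carries EAP-MSCHAP-V2 inside the tunnel, so the inner AuthBy
		# needs an EAPType too; without it the inner request is "not supported".
		EAPType         MSCHAP-V2
		# Per-user reply attributes from LDAP (LDAP attribute name assumed)
		AuthAttrDef     radiusFramedIPAddress,Framed-IP-Address,reply
	</AuthBy>
</Handler>

# 2. Outer request: only the EAP exchange that builds the TLS tunnel (PEAP) or
#    completes client-certificate authentication (EAP-TLS). Matching on the
#    presence of EAP-Message keeps bare PAP/CHAP requests out of this Handler
#    (assumption: the check-item regex matches any request carrying EAP-Message).
<Handler EAP-Message=/.+/>
	<AuthBy FILE>
		Filename                   %D/users
		EAPType                    PEAP,TLS
		EAPTLS_CAFile              %D/certificates/ca.pem       # assumed
		EAPTLS_CertificateFile     %D/certificates/server.pem   # assumed
		EAPTLS_CertificateType     PEM
		EAPTLS_PrivateKeyFile      %D/certificates/server.key   # assumed
		EAPTLS_PrivateKeyPassword  keypassword                  # assumed
		EAPTLS_MaxFragmentSize     1024
		# Return MPPE keys so the access point can derive the 802.1X session keys
		AutoMPPEKeys
	</AuthBy>
</Handler>

# 3. Anything else (for example a plain User-Password request from the NAS)
#    is rejected instead of falling through to the EAP AuthBy FILE.
<Handler>
	<AuthBy INTERNAL>
		DefaultResult   REJECT
	</AuthBy>
</Handler>
```

Two things to verify with a trace 4 log before trusting this layout: that a tunnelled request really is logged against the TunnelledByPEAP=1 Handler (if it lands in the catch-all, the Handler order is wrong), and that a deliberately sent non-EAP Access-Request with a valid password is rejected by the last Handler rather than accepted by the AuthBy FILE. For EAP-TLS users the %D/users file still needs an entry for the certificate identity, as goodies/eap_tls.cfg shows; the password in that entry is not what authenticates them.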

