(RADIATOR) EAPTLS_NoCheckId and AuthBy FILE check
Mike McCauley
mikem at open.com.au
Wed Feb 27 01:13:22 CST 2008
Hello Markus,
On Wednesday 27 February 2008 06:43, Markus Moeller wrote:
> Hugh,
>
> find attached two trace files one with the other without EAPTLS-NoCheckId.
>
> From looking at the source I see the following:
>
> If (!EAPTLS-NoCheckId) {
>
> Compare Subject with username, username_nodomain, identity,
> identity_nodomain.
>
> If match check database (e.g. FILE)
>
> }
>
>
> I would have thought the following would make sense too:
>
> If (!EAPTLS-NoCheckId) {
>
> Compare Subject with username, username_nodomain, identity,
> identity_nodomain till one matches.
>
> If match check matched id in database (e.g. FILE)
>
> } else {
>
> Check username, username_nodomain, identity, identity_nodomain
> in database (e.g. FILE) till one matches or reject
>
> }
We disagree. The theory is that if EAPTLS-NoCheckId is set, then all the
client needs is a certificate that is valid when checked against the issuing
CA.
Cheers.
>
>
>
> Thank you
> Markus
>
>
> ----- Original Message -----
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Monday, February 25, 2008 11:52 PM
> Subject: Re: (RADIATOR) EAPTLS_NoCheckId and AuthBy FILE check
>
> > Hello Markus -
> >
> > Could you please send us a trace 4 debug showing what is happening?
> >
> > regards
> >
> > Hugh
> >
> > On 26 Feb 2008, at 09:30, Markus Moeller wrote:
> >> I have a setup for EAPTLS authentication as follows
> >>
> >> <AuthBy FILE>
> >> Identifier EapTLSTest
> >> Filename %D/ADUsers
> >>
> >> EAPType TLS
> >> EAPTLS_CAFile /etc/ssl/certs/allcerts.pem
> >> EAPTLS_CAPath /etc/ssl/certs
> >> EAPTLS_CertificateFile %D/servercert.pem
> >> EAPTLS_CertificateType PEM
> >> EAPTLS_PrivateKeyFile %D/serverkey.pem
> >> EAPTLS_PrivateKeyPassword password
> >> EAPTLS_MaxFragmentSize 1000
> >> #EAPTLS_CRLCheck
> >> #EAPTLS_CRLFile %D/certificates/crl.pem
> >> #EAPTLS_CRLFile %D/certificates/revocations.pem
> >> #EAPTLSRewriteCertificateCommonName s/testUsemikem/
> >> EAPTLS_NoCheckId
> >> AutoMPPEKeys
> >> </AuthBy>
> >> #
> >> <Handler Device-Class=WlanTest>
> >> # Mark request as Radius request if not already set by TACACS+
> >> AddToRequestIfNotExist Request-Protocol=EapTLS
> >> AuthByPolicy ContinueUntilReject
> >> AuthBy EapTLSTest
> >> AuthLog LogEapTLSAuthentication
> >> AuthLog SysLogEapTLSAuthentication
> >> AcctLogFileName %L/detail-%d-%v-%Y.log
> >> </Handler>
> >>
> >>
> >> with ADUser
> >>
> >> DEFAULT User-LockedOut=No
> >>
> >>
> >> When I receive an EAPTLS request I don't see any check against the
> >> ADUser entries. But when I disable EAPTLS_NoCheckId (e.g. comment it
> >> with #) it seems to check against ADUser. Is this the correct behaviour?
> >>
> >> Why does EAPTLS_NoCheckId the use of ADUser ?
> >>
> >> Thank you
> >> Markus
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive (www.open.com.au/archives/
> > radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> > Have you checked the RadiusExpert wiki:
> > http://www.open.com.au/wiki/index.php/Main_Page
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > Includes support for reliable RADIUS transport (RadSec),
> > and DIAMETER translation agent.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
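The two decision paths discussed in this thread (Markus's pseudocode and Mike's reply about EAPTLS_NoCheckId), as an added model in Python that is not Radiator's own code; the function names, the in-memory user table and the DEFAULT-entry fallback are assumptions made for illustration:

```python
# Added illustration, not Radiator source. Models how the certificate
# Subject is (or is not) tied to the user database once the TLS
# handshake against the CA has already succeeded.

def strip_domain(name: str) -> str:
    """Return the bare user part: drop a 'DOMAIN\\' prefix or '@realm' suffix."""
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def candidate_ids(username: str, identity: str) -> list:
    """username, username_nodomain, identity, identity_nodomain, in that order."""
    return [username, strip_domain(username), identity, strip_domain(identity)]

def lookup_user(users: dict, name: str):
    """Assumed FILE-style lookup: exact entry first, then a DEFAULT entry."""
    return users.get(name, users.get("DEFAULT"))

def check_identity(cert_subject_cn: str, username: str, identity: str,
                   users: dict, no_check_id: bool = False):
    """Decide after a CA-valid client certificate was presented.

    users: constructed user table, name -> check items (the FILE entries).
    Returns (accepted, matched_name).
    """
    if no_check_id:
        # EAPTLS_NoCheckId set: a certificate valid against the issuing CA
        # is all that is required; the user database is never consulted,
        # so a disabled or missing user entry cannot refuse this client.
        return True, None
    for cand in candidate_ids(username, identity):
        if cand != cert_subject_cn:
            continue
        # Subject matched one of the presented names: now require a
        # database entry for that name (directly or via DEFAULT).
        entry = lookup_user(users, cand)
        return (entry is not None), cand
    # No presented name matched the certificate Subject.
    return False, None
```

Running this over a table that lacks a DEFAULT entry shows the point Mike makes: with `no_check_id=True` a CA-valid certificate for a name absent from the table is still accepted.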