(RADIATOR) EAPTLS_NoCheckId and AuthBy FILE check

Mike McCauley mikem at open.com.au
Wed Feb 27 01:13:22 CST 2008


Hello Markus,

On Wednesday 27 February 2008 06:43, Markus Moeller wrote:
> Hugh,
>
> find attached two trace files one with the other without EAPTLS-NoCheckId.
>
> From looking at the source I see the following:
>
> If (!EAPTLS-NoCheckId) {
>
>           Compare Subject with username, username_nodomain, identity,
> identity_nodomain.
>
>            If match check database (e.g. FILE)
>
> }
>
>
> I would have thought the following would make sense too:
>
> If (!EAPTLS-NoCheckId) {
>
>           Compare Subject with username, username_nodomain, identity,
> identity_nodomain till one matches.
>
>            If match check matched id in database (e.g. FILE)
>
> } else {
>
>            Check username, username_nodomain, identity, identity_nodomain
> in database (e.g. FILE) till one matches or reject
>
> }

We disagree. The theory is that if EAPTLS-NoCheckId is set, then all the 
client needs is a certificate that is valid when checked against the issuing 
CA.

Cheers.

>
>
>
> Thank you
> Markus
>
>
> ----- Original Message -----
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Monday, February 25, 2008 11:52 PM
> Subject: Re: (RADIATOR) EAPTLS_NoCheckId and AuthBy FILE check
>
> > Hello Markus -
> >
> > Could you please send us a trace 4 debug showing what is happening?
> >
> > regards
> >
> > Hugh
> >
> > On 26 Feb 2008, at 09:30, Markus Moeller wrote:
> >> I have a setup for EAPTLS authentication as follows
> >>
> >> <AuthBy FILE>
> >>         Identifier EapTLSTest
> >>         Filename %D/ADUsers
> >>
> >>         EAPType TLS
> >>         EAPTLS_CAFile /etc/ssl/certs/allcerts.pem
> >>         EAPTLS_CAPath /etc/ssl/certs
> >>         EAPTLS_CertificateFile %D/servercert.pem
> >>         EAPTLS_CertificateType PEM
> >>         EAPTLS_PrivateKeyFile %D/serverkey.pem
> >>         EAPTLS_PrivateKeyPassword password
> >>         EAPTLS_MaxFragmentSize 1000
> >>         #EAPTLS_CRLCheck
> >>         #EAPTLS_CRLFile %D/certificates/crl.pem
> >>         #EAPTLS_CRLFile %D/certificates/revocations.pem
> >>         #EAPTLSRewriteCertificateCommonName s/testUsemikem/
> >>         EAPTLS_NoCheckId
> >>         AutoMPPEKeys
> >> </AuthBy>
> >> #
> >> <Handler Device-Class=WlanTest>
> >>         # Mark request as Radius request if not already set by TACACS+
> >>         AddToRequestIfNotExist Request-Protocol=EapTLS
> >>         AuthByPolicy ContinueUntilReject
> >>         AuthBy EapTLSTest
> >>         AuthLog LogEapTLSAuthentication
> >>         AuthLog SysLogEapTLSAuthentication
> >>         AcctLogFileName %L/detail-%d-%v-%Y.log
> >> </Handler>
> >>
> >>
> >> with ADUser
> >>
> >> DEFAULT User-LockedOut=No
> >>
> >>
> >> When I receive an EAPTLS request I don't see any check against the
> >> ADUser entries. But when I disable EAPTLS_NoCheckId (e.g. comment it
> >> out with #) it seems to check against ADUser. Is this the correct
> >> behaviour?
> >>
> >> Why does EAPTLS_NoCheckId the use of ADUser?
> >>
> >> Thank you
> >> Markus
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive (www.open.com.au/archives/
> > radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> > Have you checked the RadiusExpert wiki:
> > http://www.open.com.au/wiki/index.php/Main_Page
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > Includes support for reliable RADIUS transport (RadSec),
> > and DIAMETER translation agent.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
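The decision logic the thread argues about, as an added illustration (this is not Radiator source code and not something posted in the thread). It models the flow Markus reports from reading the source (compare the certificate Subject with username, username without domain, EAP identity and identity without domain; on a match, consult the user database) together with Mike's statement that with EAPTLS_NoCheckId set a certificate that validates against the issuing CA is all that is required. The realm-stripping rule, the function and parameter names, and the constructed users file are assumptions made for the example.

```python
"""Simulation of the EAP-TLS identity check discussed in the thread.

Added illustration, not Radiator source. Domain stripping, the attribute
names and the users-file contents are assumptions for the example.
"""

# Constructed users file in the thread's AuthBy FILE layout: a single DEFAULT
# entry whose check item User-LockedOut=No must be satisfied by the request.
USERS_FILE = """\
# ADUsers (constructed sample)
DEFAULT User-LockedOut=No
"""


def parse_users_file(text):
    """Return {name: {check_attr: value}} from a minimal users file.

    Only the first line of each entry (name plus comma-separated check items)
    is parsed; indented reply-item lines, blanks and comments are skipped.
    """
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        name, _, rest = line.partition(" ")
        checks = {}
        for item in rest.split(","):
            key, _, value = item.strip().partition("=")
            if key:
                checks[key.strip()] = value.strip()
        users[name] = checks
    return users


def strip_domain(name):
    """Assumed realm handling: drop an '@realm' suffix or a 'DOMAIN\\' prefix."""
    name = name.split("@", 1)[0]
    return name.rsplit("\\", 1)[-1]


def file_check(users, name, request):
    """AuthBy FILE style lookup: exact entry, else DEFAULT; every check item
    must equal the corresponding request attribute."""
    entry = users.get(name)
    if entry is None:
        entry = users.get("DEFAULT")
    if entry is None:
        return False
    return all(request.get(attr) == value for attr, value in entry.items())


def eap_tls_authorise(chain_valid, subject_cn, username, identity, request,
                      users, no_check_id=False):
    """Return (accepted, reason) for one EAP-TLS authentication.

    chain_valid is the outcome of validating the client certificate against
    EAPTLS_CAFile/EAPTLS_CAPath; that step happens in both modes.
    """
    if not chain_valid:
        return False, "client certificate does not validate against the CA"
    if no_check_id:
        # EAPTLS_NoCheckId: the Subject is not compared with any identity and
        # the FILE is never consulted, which matches what Markus saw in his trace.
        return True, "accepted on CA validity alone; identity and FILE not checked"
    candidates = [username, strip_domain(username),
                  identity, strip_domain(identity)]
    for cand in candidates:
        if cand == subject_cn:
            if file_check(users, cand, request):
                return True, f"Subject matched {cand!r}; FILE check passed"
            return False, f"Subject matched {cand!r}; FILE check failed"
    return False, "Subject matches no username or identity form"


if __name__ == "__main__":
    users = parse_users_file(USERS_FILE)
    req = {"User-LockedOut": "No"}
    for flag in (False, True):
        print("NoCheckId =", flag,
              eap_tls_authorise(True, "mallory", "alice@example.com",
                                "alice@example.com", req, users, flag))
```

The practical consequence for the posted configuration: with EAPTLS_NoCheckId set, the ADUsers file plays no part, so any client certificate that chains to any CA contained in /etc/ssl/certs/allcerts.pem (or found under EAPTLS_CAPath) is accepted, regardless of which user it names. In that mode the trust bundle and the CRL settings (commented out in the posted config) carry the entire authorisation decision; if per-user checks against the FILE are wanted, the option has to stay off, as Mike's reply says.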

