[RADIATOR] Handler matching EAPTTLS

Pascal Beauregard Pascal.Beauregard at USherbrooke.ca
Mon Sep 29 14:39:28 CDT 2008


Hi,

I have a question about EAP-TTLS Handlers: is it possible to specify
multiple check items for a Handler that has the check item TunnelledByTTLS=1?

I am asking because, according to my logs, Radiator seems to match my
Handler with the check item TunnelledByTTLS automatically for the inner
authentication. I want to be able to have more than one Handler for my
EAP-TTLS inner authentications, and I want to discriminate between those
Handlers based on other check items.
 
 
<Handler TunnelledByTTLS=1>
        MaxSessions 2
        WtmpFileName %L/wtmp
        AcctLogFileName %L/accounting
 
        <AuthBy LDAP2>
                Host ldapr1.usherbrooke.ca
                AuthDN uid=lectureparradius,ou=autres,dc=usherbrooke,dc=ca
                AuthPassword XXXXXXX
                BaseDN dc=usherbrooke,dc=ca
                Scope sub
                ServerChecksPassword
                UseTLS
                SSLVerify none
                SSLCAFile /usr/share/ssl/certs/ca-bundle.crt
                Debug 255
        </AuthBy>
</Handler>
 
 
# SSID - AERIUS_EMPLOYE
# ===---------------------------------------------
<Handler Colubris-AVPAIR = "ssid=AeriusEmploye" >
        WtmpFileName %L/wtmp
        AcctLogFileName %L/accounting
        <AuthBy DBFILE>
                Filename /etc/radiator/eapusers/eapanonymoususer.db
                # EAP types supported
                EAPType TTLS,PEAP
                # location of the CA certificate
                EAPTLS_CAFile /etc/radiator/SelfCert/radiusCA.usherbrooke.ca.pem
                # location of the server certificate
                EAPTLS_CertificateFile /etc/radiator/SelfCert/radius2.usherbrooke.ca.pem
                EAPTLS_CertificateType PEM
                # location of the server's private key file
                EAPTLS_PrivateKeyFile /etc/radiator/SelfCert/radius2.usherbrooke.ca.key
                EAPTLS_PrivateKeyPassword XXXXXXX
                EAPTLS_MaxFragmentSize 1000
                EAPTLS_PEAPBrokenV1Label
                AutoMPPEKeys
                SSLeayTrace 4
        </AuthBy>
        AuthLog Defaut
</Handler>
 
 
 
I have included a chunk of a debug log showing a user authenticating with
the EAP-TTLS method.
 
*** Received from 10.40.2.34 port 32768 ....
Code:       Access-Request
Identifier: 46
Authentic:  ;<15><143>=<21><193><253><177>4<7>-jEN<194>H
Attributes:
        Acct-Multi-Session-Id =
"00-03-52-F0-9E-C1-00-18-DE-DC-11-CD-48-E0-DC-EE-00-05-29-EF"
        Acct-Session-Id = "92ff8887-000001aa"
        NAS-Port = 427
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-Identifier = "R024-02267"
        NAS-IP-Address = 10.40.2.34
        Framed-MTU = 1496
        User-Name = "anonymous"
        Calling-Station-Id = "00-18-DE-DC-11-CD"
        Called-Station-Id = "00-03-52-F0-9E-C1"
        Service-Type = Framed-User
        EAP-Message = <2><20><0><128><21><0><23><3><1><0>
<214>A3z<252>w[<238><162>2<143><245><241>hC<168><231><24>}<218><220><158><20
5><245>&<233><233><13>Bz<253><135><23><3><1><0>P<221><224><148>!<31><20><148
><217><165>d<252><164>t<22><244>1<137>F<237>1R><199>r<9><144><143><144>M<150
><202>{<222><10><171>y<9>^p`<155><142><244><248>R=<194>G<216>D<205><161><156
><159>7<13><150><212><149>#uJ<166>q<153><194><163>6f<148>'T<151>]<29>f|<229>
<18><197>
        Colubris-AVPAIR = "ssid=AeriusEmploye"
        Colubris-AVPAIR = "incoming-vlan-id=1101"
        Colubris-AVPAIR = "group=A7-AERIUS-VOIP"
        Colubris-AVPAIR = "phytype=IEEE802dot11g"
        Message-Authenticator =
W<20><239><187><26><146><17><216>1f<142>$<184><225>\<30>
 
Mon Sep 29 15:07:31 2008: DEBUG: Handling request with Handler
'Colubris-AVPAIR = "ssid=AeriusEmploye" '
Mon Sep 29 15:07:31 2008: DEBUG:  Deleting session for anonymous,
10.40.2.34, 427
Mon Sep 29 15:07:31 2008: DEBUG: Handling with Radius::AuthDBFILE: 
Mon Sep 29 15:07:31 2008: DEBUG: Handling with EAP: code 2, 20, 128, 21
Mon Sep 29 15:07:31 2008: DEBUG: Response type 21
Mon Sep 29 15:07:31 2008: DEBUG: EAP TTLS data, 3, 20, 19
Mon Sep 29 15:07:31 2008: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       UNDEF
Identifier: UNDEF
Authentic:  UNDEF
Attributes:
        User-Name = "beap1910"
        User-Password =
XXXXXXX<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
 
Mon Sep 29 15:07:31 2008: DEBUG: EAP TTLS inner authentication request for
beap1910
Mon Sep 29 15:07:31 2008: DEBUG: Handling request with Handler
'TunnelledByTTLS=1'
Mon Sep 29 15:07:31 2008: DEBUG:  Deleting session for beap1910, 10.40.2.34,

Mon Sep 29 15:07:31 2008: DEBUG: Handling with Radius::AuthGROUP: 
Mon Sep 29 15:07:31 2008: DEBUG: Handling with Radius::AuthLDAP2: 
Mon Sep 29 15:07:31 2008: INFO: Connecting to ldapr1.usherbrooke.ca:389
Mon Sep 29 15:07:31 2008: DEBUG: Starting TLS
Mon Sep 29 15:07:31 2008: INFO: StartTLS negotiated with cipher mode
AES256-SHA
Mon Sep 29 15:07:31 2008: INFO: Attempting to bind to LDAP server
ldapr1.usherbrooke.ca:389
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got result for
uid=beap1910,ou=personnes,dc=usherbrooke,dc=ca
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got objectClass: udesPerson
posixAccount shadowAccount inetLocalMailRecipient
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got uid: beap1910
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got uidNumber: 362344
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got gidNumber: 362344
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got homeDirectory: /home/beap1910
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got givenName: Pascal
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got sn: Beauregard
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got cn: Pascal Beauregard
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesGender: M
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got personalTitle: M.
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesEmployeeNumber: 629709
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentNumber: 92736026
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentStatus: 0
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesCIP: beap1910
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentExpired: 200412110556Z
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mailLocalAddress:
629709 at USherbrooke.ca Pascal.Beauregard at USherbrooke.ca
P.Beauregard at USherbrooke.ca 92736026 at USherbrooke.ca
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got userPassword:
{SSHA}Fh2b0yDINZ3VlQQ6HwtxGVa7OEd6b3ZsY29uZg==
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesPersonnalMailAddress:
Pascal.Beauregard at USherbrooke.ca P.Beauregard at USherbrooke.ca
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mailHost: courriel.usherbrooke.ca
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mailRoutingAddress:
beap1910 at livraison.locale
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesActiveMailbox:
@courriel.usherbrooke.ca:beap1910 at livraison.locale
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mail:
Pascal.Beauregard at USherbrooke.ca
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got ou: SERVICE DES TECHNOLOGIES DE
L'INFORMATION (emploi)
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got departmentNumber: 3900
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentDirectoryStatus: 0
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesSystemAccess: imapCourriel
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got loginShell: /bin/bash
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesEmployeeDirectoryStatus: 1
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got facsimileTelephoneNumber:
819-821-8004
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got roomNumber: A1-0144-0
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got telephoneNumber: 819-821-8000
67770
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got title: Analyste des réseaux de
télécommunications
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesEmployeeStatus: 1
Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesOtherTelephoneNumber:
819-821-7770
Mon Sep 29 15:07:31 2008: DEBUG: Radius::AuthLDAP2 looks for match with
beap1910 [beap1910]
Mon Sep 29 15:07:31 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : beap1910
[beap1910]
Mon Sep 29 15:07:31 2008: DEBUG: AuthBy GROUP result: ACCEPT, 
Mon Sep 29 15:07:31 2008: DEBUG: Access accepted for beap1910
Mon Sep 29 15:07:31 2008: DEBUG: Returned TTLS tunnelled Diameter Packet
dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <245>X<211><28><25><244><4><220><28>^<201><167><192><145>y<25>
Attributes:
 
Mon Sep 29 15:07:31 2008: DEBUG: EAP result: 0, EAP TTLS inner
authentication redespatched to a Handler
Mon Sep 29 15:07:31 2008: DEBUG: AuthBy DBFILE result: ACCEPT, EAP TTLS
inner authentication redespatched to a Handler
Mon Sep 29 15:07:31 2008: DEBUG: Access accepted for anonymous
Mon Sep 29 15:07:31 2008: DEBUG: Packet dump:
 
Pascal Beauregard
Analyste en télécommunications
Université de Sherbrooke
(819)821-7770
www.usherbrooke.ca
 

