[RADIATOR] Handler matching EAPTTLS

Barry Ard barry.ard at ualberta.ca
Mon Sep 29 14:57:50 CDT 2008


I do that now using Client-Identifier as an additional check item, like:

<Handler TunnelledByPEAP=1 Client-Identifier=ResWireless>
...

Pascal Beauregard wrote:
> Hi,
>  
> I have a question about EAP-TTLS handlers: is it possible to specify 
> multiple check items for a handler that has the check item TunnelledByTTLS=1?
>  
> I am asking that because according to my logs, Radiator seems to match 
> my Handler with the check item TunnelledByTTLS automatically for the 
> inner authentication. I want to be able to have more than one Handler 
> for my EAP-TTLS inner authentications and I want to discriminate those 
> handlers based on other check items.
>  
>  
> <Handler TunnelledByTTLS=1>
>         MaxSessions 2
>         WtmpFileName %L/wtmp
>         AcctLogFileName %L/accounting
>  
>         <AuthBy LDAP2>
>                 Host ldapr1.usherbrooke.ca
>                 AuthDN uid=lectureparradius,ou=autres,dc=usherbrooke,dc=ca
>                 AuthPassword XXXXXXX
>                 BaseDN dc=usherbrooke,dc=ca
>                 Scope sub
>                 ServerChecksPassword
>                 UseTLS
>                 SSLVerify none
>                 SSLCAFile /usr/share/ssl/certs/ca-bundle.crt
>                 Debug 255
>         </AuthBy>
> </Handler>
>  
>  
> # SSID - AERIUS_EMPLOYE
> # ===---------------------------------------------
> <Handler Colubris-AVPAIR = "ssid=AeriusEmploye" >
>         WtmpFileName %L/wtmp
>         AcctLogFileName %L/accounting
>         <AuthBy DBFILE>
>                 Filename /etc/radiator/eapusers/eapanonymoususer.db
>                 # supported EAP types
>                 EAPType TTLS,PEAP
>                 # location of the CA certificate
>                 EAPTLS_CAFile /etc/radiator/SelfCert/radiusCA.usherbrooke.ca.pem
>                 # location of the server certificate
>                 EAPTLS_CertificateFile /etc/radiator/SelfCert/radius2.usherbrooke.ca.pem
>                 EAPTLS_CertificateType PEM
>                 # location of the server private key file
>                 EAPTLS_PrivateKeyFile /etc/radiator/SelfCert/radius2.usherbrooke.ca.key
>                 EAPTLS_PrivateKeyPassword XXXXXXX
>                 EAPTLS_MaxFragmentSize 1000
>                 EAPTLS_PEAPBrokenV1Label
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>         </AuthBy>
>         AuthLog Defaut
> </Handler>
>  
>  
>  
> I have put a chunk of a debug log showing a user authenticating 
> using the EAP-TTLS method.
>  
> *** Received from 10.40.2.34 port 32768 ....
> Code:       Access-Request
> Identifier: 46
> Authentic:  ;<15><143>=<21><193><253><177>4<7>-jEN<194>H
> Attributes:
>         Acct-Multi-Session-Id = 
> "00-03-52-F0-9E-C1-00-18-DE-DC-11-CD-48-E0-DC-EE-00-05-29-EF"
>         Acct-Session-Id = "92ff8887-000001aa"
>         NAS-Port = 427
>         NAS-Port-Type = Wireless-IEEE-802-11
>         NAS-Identifier = "R024-02267"
>         NAS-IP-Address = 10.40.2.34
>         Framed-MTU = 1496
>         User-Name = "anonymous"
>         Calling-Station-Id = "00-18-DE-DC-11-CD"
>         Called-Station-Id = "00-03-52-F0-9E-C1"
>         Service-Type = Framed-User
>         EAP-Message = <2><20><0><128><21><0><23><3><1><0> 
> <214>A3z<252>w[<238><162>2<143><245><241>hC<168><231><24>}<218><220><158><205><245>&<233><233><13>Bz<253><135><23><3><1><0>P<221><224><148>!<31><20><148><217><165>d<252><164>t<22><244>1<137>F<237>1R><199>r<9><144><143><144>M<150><202>{<222><10><171>y<9>^p`<155><142><244><248>R=<194>G<216>D<205><161><156><159>7<13><150><212><149>#uJ<166>q<153><194><163>6f<148>'T<151>]<29>f|<229><18><197>
>         Colubris-AVPAIR = "ssid=AeriusEmploye"
>         Colubris-AVPAIR = "incoming-vlan-id=1101"
>         Colubris-AVPAIR = "group=A7-AERIUS-VOIP"
>         Colubris-AVPAIR = "phytype=IEEE802dot11g"
>         Message-Authenticator = 
> W<20><239><187><26><146><17><216>1f<142>$<184><225>\<30>
>  
> Mon Sep 29 15:07:31 2008: DEBUG: Handling request with Handler 
> 'Colubris-AVPAIR = "ssid=AeriusEmploye" '
> Mon Sep 29 15:07:31 2008: DEBUG:  Deleting session for anonymous, 
> 10.40.2.34, 427
> Mon Sep 29 15:07:31 2008: DEBUG: Handling with Radius::AuthDBFILE:
> Mon Sep 29 15:07:31 2008: DEBUG: Handling with EAP: code 2, 20, 128, 21
> Mon Sep 29 15:07:31 2008: DEBUG: Response type 21
> Mon Sep 29 15:07:31 2008: DEBUG: EAP TTLS data, 3, 20, 19
> Mon Sep 29 15:07:31 2008: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       UNDEF
> Identifier: UNDEF
> Authentic:  UNDEF
> Attributes:
>         User-Name = "beap1910"
>         User-Password = XXXXXXX<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  
> Mon Sep 29 15:07:31 2008: DEBUG: EAP TTLS inner authentication 
> request for beap1910
> Mon Sep 29 15:07:31 2008: DEBUG: Handling request with Handler 
> 'TunnelledByTTLS=1'
> Mon Sep 29 15:07:31 2008: DEBUG:  Deleting session for beap1910, 
> 10.40.2.34,
> Mon Sep 29 15:07:31 2008: DEBUG: Handling with Radius::AuthGROUP:
> Mon Sep 29 15:07:31 2008: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Sep 29 15:07:31 2008: INFO: Connecting to ldapr1.usherbrooke.ca:389
> Mon Sep 29 15:07:31 2008: DEBUG: Starting TLS
> Mon Sep 29 15:07:31 2008: INFO: StartTLS negotiated with cipher mode 
> AES256-SHA
> Mon Sep 29 15:07:31 2008: INFO: Attempting to bind to LDAP server 
> ldapr1.usherbrooke.ca:389
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got result for 
> uid=beap1910,ou=personnes,dc=usherbrooke,dc=ca
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got objectClass: udesPerson 
> posixAccount shadowAccount inetLocalMailRecipient
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got uid: beap1910
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got uidNumber: 362344
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got gidNumber: 362344
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got homeDirectory: /home/beap1910
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got givenName: Pascal
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got sn: Beauregard
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got cn: Pascal Beauregard
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesGender: M
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got personalTitle: M.
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesEmployeeNumber: 629709
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentNumber: 92736026
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentStatus: 0
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesCIP: beap1910
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentExpired: 
> 200412110556Z
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mailLocalAddress: 
> 629709 at USherbrooke.ca Pascal.Beauregard at USherbrooke.ca 
> P.Beauregard at USherbrooke.ca 92736026 at USherbrooke.ca
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got userPassword: 
> {SSHA}Fh2b0yDINZ3VlQQ6HwtxGVa7OEd6b3ZsY29uZg==
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesPersonnalMailAddress: 
> Pascal.Beauregard at USherbrooke.ca P.Beauregard at USherbrooke.ca
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mailHost: 
> courriel.usherbrooke.ca
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mailRoutingAddress: 
> beap1910 at livraison.locale
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesActiveMailbox: 
> @courriel.usherbrooke.ca:beap1910 at livraison.locale
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mail: 
> Pascal.Beauregard at USherbrooke.ca
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got ou: SERVICE DES TECHNOLOGIES 
> DE L'INFORMATION (emploi)
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got departmentNumber: 3900
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentDirectoryStatus: 0
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesSystemAccess: imapCourriel
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got loginShell: /bin/bash
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesEmployeeDirectoryStatus: 1
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got facsimileTelephoneNumber: 
> 819-821-8004
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got roomNumber: A1-0144-0
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got telephoneNumber: 
> 819-821-8000 67770
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got title: Analyste des réseaux 
> de télécommunications
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesEmployeeStatus: 1
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesOtherTelephoneNumber: 
> 819-821-7770
> Mon Sep 29 15:07:31 2008: DEBUG: Radius::AuthLDAP2 looks for match 
> with beap1910 [beap1910]
> Mon Sep 29 15:07:31 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : beap1910 
> [beap1910]
> Mon Sep 29 15:07:31 2008: DEBUG: AuthBy GROUP result: ACCEPT,
> Mon Sep 29 15:07:31 2008: DEBUG: Access accepted for beap1910
> Mon Sep 29 15:07:31 2008: DEBUG: Returned TTLS tunnelled Diameter 
> Packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <245>X<211><28><25><244><4><220><28>^<201><167><192><145>y<25>
> Attributes:
>  
> Mon Sep 29 15:07:31 2008: DEBUG: EAP result: 0, EAP TTLS inner 
> authentication redespatched to a Handler
> Mon Sep 29 15:07:31 2008: DEBUG: AuthBy DBFILE result: ACCEPT, EAP 
> TTLS inner authentication redespatched to a Handler
> Mon Sep 29 15:07:31 2008: DEBUG: Access accepted for anonymous
> Mon Sep 29 15:07:31 2008: DEBUG: Packet dump:
>  
> Pascal Beauregard
> Telecommunications analyst
> Université de Sherbrooke
> (819)821-7770
> www.usherbrooke.ca
>  
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
=================================================================
Barry Ard                                   barry.ard at ualberta.ca
Network Operations
Academic Information and Communication Technologies (AICT)
University of Alberta
Edmonton, Alberta   Canada

This communication is intended for the use of the recipient to which it
is addressed, and may contain confidential, personal, and/or privileged
information.  Please contact us immediately if you are not the intended
recipient of this communication.  If you are not the intended recipient
of this communication, do not copy, distribute, or take action on it.
Any communication received in error, or subsequent reply, should be
deleted or destroyed.
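Editor's added example (not code from either poster): the thread says a Handler can carry more than one check item, and that Client-Identifier works as the extra discriminator for tunnelled inner requests. The fragment below puts that together for EAP-TTLS: two inner Handlers selected by the Identifier of the Client clause the outer request arrived through, and a catch-all last. The Client addresses, secrets and the identifiers StaffWireless and ResWireless are placeholders, and the comma-separated check-item syntax is the form given in the Radiator reference manual (the reply above writes the two items with a space only). The outer Handler that terminates the TLS tunnel (the Colubris-AVPAIR one in the quoted config) is unchanged and omitted here.

```text
# Added example, not from the original thread.
# Placeholder NAS addresses, secrets and identifiers; adjust to the real site.

<Client 10.40.2.34>
        Secret          XXXXXXX
        Identifier      StaffWireless
</Client>

<Client 10.40.3.1>
        Secret          XXXXXXX
        Identifier      ResWireless
</Client>

# Radiator tries Handlers in configuration order and uses the first one
# whose check items all match, so the specific ones go before the catch-all.

# Inner EAP-TTLS requests that came in through the StaffWireless NAS
<Handler TunnelledByTTLS=1, Client-Identifier=StaffWireless>
        WtmpFileName    %L/wtmp
        AcctLogFileName %L/accounting
        <AuthBy LDAP2>
                Host            ldapr1.usherbrooke.ca
                BaseDN          dc=usherbrooke,dc=ca
                Scope           sub
                ServerChecksPassword
                UseTLS
                # verify the LDAP server certificate against the CA bundle;
                # with "SSLVerify none" the SSLCAFile below is never consulted
                SSLVerify       require
                SSLCAFile       /usr/share/ssl/certs/ca-bundle.crt
        </AuthBy>
</Handler>

# Inner EAP-TTLS requests that came in through the ResWireless NAS
<Handler TunnelledByTTLS=1, Client-Identifier=ResWireless>
        WtmpFileName    %L/wtmp
        AcctLogFileName %L/accounting
        <AuthBy FILE>
                Filename        %D/resusers
        </AuthBy>
</Handler>

# Catch-all for tunnelled requests from any other NAS; must stay last
<Handler TunnelledByTTLS=1>
        <AuthBy FILE>
                Filename        %D/users
        </AuthBy>
</Handler>
```

To confirm which Handler a given NAS lands in, look for the "Handling request with Handler '...'" line that follows "EAP TTLS inner authentication request for <user>" in the debug log, as in the trace quoted above; if the catch-all shows up for a NAS that should hit a specific Handler, check the Identifier on its Client clause and the Handler order.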

