[RADIATOR] Handler matching EAPTTLS
Hugh Irvine
hugh at open.com.au
Tue Sep 30 06:29:33 CDT 2008
Salut Pascal -
Yes, it is possible to specify multiple check items in Handlers:
......
<Handler TunnelledByTTLS=1, blah=blah, blah=blah>
.....
</Handler>
......
regards
Hugh
On 29 Sep 2008, at 22:39, Pascal Beauregard wrote:
> Hi,
>
> I have a question about EAP-TTLS handlers: is it possible to
> specify multiple check items for a handler with the check item
> TunnelledByTTLS=1?
>
> I am asking that because according to my logs, Radiator seems to
> match my Handler with the check item TunnelledByTTLS automatically
> for the inner authentication. I want to be able to have more than
> one Handler for my EAP-TTLS inner authentications and I want to
> discriminate those handlers based on other check items.
>
>
> <Handler TunnelledByTTLS=1>
> MaxSessions 2
> WtmpFileName %L/wtmp
> AcctLogFileName %L/accounting
>
> <AuthBy LDAP2>
> Host ldapr1.usherbrooke.ca
> AuthDN uid=lectureparradius,ou=autres,dc=usherbrooke,dc=ca
> AuthPassword XXXXXXX
> BaseDN dc=usherbrooke,dc=ca
> Scope sub
> ServerChecksPassword
> UseTLS
> SSLVerify none
> SSLCAFile /usr/share/ssl/certs/ca-bundle.crt
> Debug 255
> </AuthBy>
> </Handler>
>
>
> # SSID - AERIUS_EMPLOYE
> # ===---------------------------------------------
> <Handler Colubris-AVPAIR = "ssid=AeriusEmploye" >
> WtmpFileName %L/wtmp
> AcctLogFileName %L/accounting
> <AuthBy DBFILE>
> Filename /etc/radiator/eapusers/eapanonymoususer.db
> # supported EAP types
> EAPType TTLS,PEAP
> # location of the CA certificate
> EAPTLS_CAFile /etc/radiator/SelfCert/radiusCA.usherbrooke.ca.pem
> # location of the server certificate
> EAPTLS_CertificateFile /etc/radiator/SelfCert/radius2.usherbrooke.ca.pem
> EAPTLS_CertificateType PEM
> # location of the server's private key file
> EAPTLS_PrivateKeyFile /etc/radiator/SelfCert/radius2.usherbrooke.ca.key
> EAPTLS_PrivateKeyPassword XXXXXXX
> EAPTLS_MaxFragmentSize 1000
> EAPTLS_PEAPBrokenV1Label
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
> AuthLog Defaut
> </Handler>
>
>
>
> I have put a chunk of a debug log showing a user authenticating
> using the EAP-TTLS method.
>
> *** Received from 10.40.2.34 port 32768 ....
> Code: Access-Request
> Identifier: 46
> Authentic: ;<15><143>=<21><193><253><177>4<7>-jEN<194>H
> Attributes:
> Acct-Multi-Session-Id = "00-03-52-F0-9E-C1-00-18-DE-DC-11-CD-48-E0-DC-EE-00-05-29-EF"
> Acct-Session-Id = "92ff8887-000001aa"
> NAS-Port = 427
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Identifier = "R024-02267"
> NAS-IP-Address = 10.40.2.34
> Framed-MTU = 1496
> User-Name = "anonymous"
> Calling-Station-Id = "00-18-DE-DC-11-CD"
> Called-Station-Id = "00-03-52-F0-9E-C1"
> Service-Type = Framed-User
> EAP-Message = <2><20><0><128><21><0><23><3><1><0>
> <214>A3z<252>w[<238><162>2<143><245><241>hC<168><231><24>}
> <218><220><158><205><245>&<233><233><13>Bz<253><135><23><3><1><0>P<221
> ><224><148>!
> <31><20><148><217><165>d<252><164>t<22><244>1<137>F<237>1R><199>r<9><1
> 44><143><144>M<150><202>
> {<222><10><171>y<9>^p`<155><142><244><248>R=<194>G<216>D<205><161><156
> ><159>7<13><150><212><149>#uJ<166>q<153><194><163>6f<148>'T<151>]
> <29>f|<229><18><197>
> Colubris-AVPAIR = "ssid=AeriusEmploye"
> Colubris-AVPAIR = "incoming-vlan-id=1101"
> Colubris-AVPAIR = "group=A7-AERIUS-VOIP"
> Colubris-AVPAIR = "phytype=IEEE802dot11g"
> Message-Authenticator =
> W<20><239><187><26><146><17><216>1f<142>$<184><225>\<30>
>
> Mon Sep 29 15:07:31 2008: DEBUG: Handling request with Handler 'Colubris-AVPAIR = "ssid=AeriusEmploye" '
> Mon Sep 29 15:07:31 2008: DEBUG: Deleting session for anonymous, 10.40.2.34, 427
> Mon Sep 29 15:07:31 2008: DEBUG: Handling with Radius::AuthDBFILE:
> Mon Sep 29 15:07:31 2008: DEBUG: Handling with EAP: code 2, 20, 128, 21
> Mon Sep 29 15:07:31 2008: DEBUG: Response type 21
> Mon Sep 29 15:07:31 2008: DEBUG: EAP TTLS data, 3, 20, 19
> Mon Sep 29 15:07:31 2008: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code: UNDEF
> Identifier: UNDEF
> Authentic: UNDEF
> Attributes:
> User-Name = "beap1910"
> User-Password = XXXXXXX<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Sep 29 15:07:31 2008: DEBUG: EAP TTLS inner authentication request for beap1910
> Mon Sep 29 15:07:31 2008: DEBUG: Handling request with Handler 'TunnelledByTTLS=1'
> Mon Sep 29 15:07:31 2008: DEBUG: Deleting session for beap1910, 10.40.2.34,
> Mon Sep 29 15:07:31 2008: DEBUG: Handling with Radius::AuthGROUP:
> Mon Sep 29 15:07:31 2008: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Sep 29 15:07:31 2008: INFO: Connecting to ldapr1.usherbrooke.ca:389
> Mon Sep 29 15:07:31 2008: DEBUG: Starting TLS
> Mon Sep 29 15:07:31 2008: INFO: StartTLS negotiated with cipher mode AES256-SHA
> Mon Sep 29 15:07:31 2008: INFO: Attempting to bind to LDAP server ldapr1.usherbrooke.ca:389
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got result for uid=beap1910,ou=personnes,dc=usherbrooke,dc=ca
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got objectClass: udesPerson posixAccount shadowAccount inetLocalMailRecipient
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got uid: beap1910
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got uidNumber: 362344
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got gidNumber: 362344
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got homeDirectory: /home/beap1910
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got givenName: Pascal
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got sn: Beauregard
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got cn: Pascal Beauregard
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesGender: M
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got personalTitle: M.
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesEmployeeNumber: 629709
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentNumber: 92736026
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentStatus: 0
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesCIP: beap1910
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentExpired: 200412110556Z
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mailLocalAddress: 629709 at USherbrooke.ca Pascal.Beauregard at USherbrooke.ca P.Beauregard at USherbrooke.ca 92736026 at USherbrooke.ca
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got userPassword: {SSHA}Fh2b0yDINZ3VlQQ6HwtxGVa7OEd6b3ZsY29uZg==
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesPersonnalMailAddress: Pascal.Beauregard at USherbrooke.ca P.Beauregard at USherbrooke.ca
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mailHost: courriel.usherbrooke.ca
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mailRoutingAddress: beap1910 at livraison.locale
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesActiveMailbox: @courriel.usherbrooke.ca:beap1910 at livraison.locale
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got mail: Pascal.Beauregard at USherbrooke.ca
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got ou: SERVICE DES TECHNOLOGIES DE L'INFORMATION (emploi)
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got departmentNumber: 3900
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesStudentDirectoryStatus: 0
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesSystemAccess: imapCourriel
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got loginShell: /bin/bash
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesEmployeeDirectoryStatus: 1
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got facsimileTelephoneNumber: 819-821-8004
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got roomNumber: A1-0144-0
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got telephoneNumber: 819-821-8000 67770
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got title: Analyste des réseaux de télécommunications
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesEmployeeStatus: 1
> Mon Sep 29 15:07:31 2008: DEBUG: LDAP got udesOtherTelephoneNumber: 819-821-7770
> Mon Sep 29 15:07:31 2008: DEBUG: Radius::AuthLDAP2 looks for match with beap1910 [beap1910]
> Mon Sep 29 15:07:31 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : beap1910 [beap1910]
> Mon Sep 29 15:07:31 2008: DEBUG: AuthBy GROUP result: ACCEPT,
> Mon Sep 29 15:07:31 2008: DEBUG: Access accepted for beap1910
> Mon Sep 29 15:07:31 2008: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: <245>X<211><28><25><244><4><220><28>^<201><167><192><145>y<25>
> Attributes:
>
> Mon Sep 29 15:07:31 2008: DEBUG: EAP result: 0, EAP TTLS inner authentication redespatched to a Handler
> Mon Sep 29 15:07:31 2008: DEBUG: AuthBy DBFILE result: ACCEPT, EAP TTLS inner authentication redespatched to a Handler
> Mon Sep 29 15:07:31 2008: DEBUG: Access accepted for anonymous
> Mon Sep 29 15:07:31 2008: DEBUG: Packet dump:
>
> Pascal Beauregard
> Telecommunications analyst
> Université de Sherbrooke
> (819)821-7770
> www.usherbrooke.ca
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
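Hugh's answer (several check items in one Handler, all of which must match) has one ordering consequence worth seeing in code. Radiator tries Handlers in configuration-file order and uses the first one whose check items all match, so a generic `<Handler TunnelledByTTLS=1>` placed before a more specific `<Handler TunnelledByTTLS=1, Colubris-AVPAIR="ssid=AeriusEmploye">` will always win. The following Python script is an added illustration of that first-match rule, not Radiator code; the handler names, the `parse_check_items`/`select_handler` helpers and the sample requests are constructed here, modelled on the attributes in Pascal's debug log. One assumption is made explicit in a comment: that the outer Colubris-AVPAIR value is visible to the inner Handler. The tunnelled packet dump in the log shows only User-Name and User-Password, so that assumption is exactly what a trace 4 log should be used to confirm before relying on such a Handler in production.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Handler:
    """A Handler clause reduced to its name and its check items."""
    name: str
    checks: dict = field(default_factory=dict)


def parse_check_items(spec: str) -> dict:
    """Parse a Handler check-item list such as
    'TunnelledByTTLS=1, Colubris-AVPAIR = "ssid=AeriusEmploye"'
    into {attribute: value}.  Items are comma separated; a value may be
    double-quoted and may itself contain '=' (as the Colubris AVPAIR does)."""
    items = {}
    # Split only on commas that are followed by another 'Attr =' item,
    # so commas inside quoted values are left alone.
    for part in re.split(r",\s*(?=[\w-]+\s*=)", spec.strip()):
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        items[attr.strip()] = value
    return items


def matches(handler: Handler, request: list) -> bool:
    """All check items must match.  A request attribute can occur several
    times (the log shows four Colubris-AVPAIRs), so a check item matches
    if any instance of that attribute carries the wanted value."""
    for attr, wanted in handler.checks.items():
        present = [v for a, v in request if a == attr]
        if wanted not in present:
            return False
    return True


def select_handler(handlers: list, request: list):
    """First-match semantics: the first Handler in configuration order
    whose check items all match handles the request."""
    for handler in handlers:
        if matches(handler, request):
            return handler
    return None


# Constructed sample requests, modelled on the debug log in the thread.
# Outer request as received from the NAS (User-Name "anonymous").
OUTER_REQUEST = [
    ("User-Name", "anonymous"),
    ("NAS-IP-Address", "10.40.2.34"),
    ("Colubris-AVPAIR", "ssid=AeriusEmploye"),
    ("Colubris-AVPAIR", "incoming-vlan-id=1101"),
    ("Colubris-AVPAIR", "group=A7-AERIUS-VOIP"),
    ("Colubris-AVPAIR", "phytype=IEEE802dot11g"),
]
# Inner (tunnelled) request.  Radiator adds the pseudo-attribute
# TunnelledByTTLS=1.  ASSUMPTION (constructed, not shown in the log):
# the outer Colubris-AVPAIR is also visible to the inner Handler.
INNER_EMPLOYEE = [
    ("TunnelledByTTLS", "1"),
    ("User-Name", "beap1910"),
    ("Colubris-AVPAIR", "ssid=AeriusEmploye"),
]
INNER_OTHER_SSID = [
    ("TunnelledByTTLS", "1"),
    ("User-Name", "guest42"),
    ("Colubris-AVPAIR", "ssid=AeriusInvite"),
]

# Hypothetical Handler names; the check items mirror the thread's config.
EMPLOYEE = Handler("employee-ttls", parse_check_items(
    'TunnelledByTTLS=1, Colubris-AVPAIR = "ssid=AeriusEmploye"'))
GENERIC = Handler("generic-ttls", parse_check_items("TunnelledByTTLS=1"))
OUTER = Handler("outer-eap", parse_check_items(
    'Colubris-AVPAIR = "ssid=AeriusEmploye"'))


def dispatch(config_order: list, request: list):
    chosen = select_handler(config_order, request)
    return chosen.name if chosen else None


def demo() -> dict:
    """Show why the more specific TTLS Handler must come first."""
    return {
        # Generic Handler listed first: the specific one is never reached.
        "shadowed": dispatch([GENERIC, EMPLOYEE, OUTER], INNER_EMPLOYEE),
        # Specific Handler listed first: employee SSID gets its own Handler.
        "specific": dispatch([EMPLOYEE, GENERIC, OUTER], INNER_EMPLOYEE),
        # Other SSID falls through to the generic TTLS Handler.
        "other_ssid": dispatch([EMPLOYEE, GENERIC, OUTER], INNER_OTHER_SSID),
        # Outer request lacks TunnelledByTTLS, so only the outer Handler matches.
        "outer": dispatch([EMPLOYEE, GENERIC, OUTER], OUTER_REQUEST),
    }


if __name__ == "__main__":
    for case, name in demo().items():
        print(f"{case:>10}: {name}")
```

The `outer` case also shows the reason the TunnelledByTTLS Handlers should sit above any Handler that could match an inner request on other attributes alone: with the SSID Handler listed first, an inner request carrying the same Colubris-AVPAIR would be caught by it instead.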