[RADIATOR] Separating handler based on called-station-id

Zod Mansour zod at reachlocal.com
Thu Dec 10 17:19:16 CST 2009


I would like to change my radius.cfg to handle auth based on the called-station-id.
At present it's all handled in one auth and it's working well:

LogDir		/var/log/radius
DbDir		/etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 		4

<Client 10.10.19.35>
	Secret sZ#1S!4k[T*<aCD~rY1^3=Z}\GHE-Wc-.K!f4'yQk9-F~(>?**-MN`qqt3hByAJ	
	DupInterval 10
	Identifier rlwlc1
</Client>

<Handler Client-Identifier=rlwlc1>
	RewriteUsername s/(.*)\\(.*)/$2/
	RewriteUsername s/(.*)\@(.*)/$1/
	<AuthBy LDAP2>
		#RewriteUsername s/^CORP\\([^@]+).*/$1/
		Debug 255
		EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
		EAPTLS_CAFile %D/cert/cacert.pem
		EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
		EAPTLS_PrivateKeyFile %D/cert/radius.key
		EAPTLS_CertificateType PEM
		ServerChecksPassword
		NoDefault
		Host localhost
		Port 389
		BaseDN dc=domian,dc=com
              # see /etc/openldap/slapd.conf
		AuthDN          cn=Manager, dc=domain, dc=com
		AuthPassword    xxxxxxxxxx
		UsernameAttr uid
		PasswordAttr userPassword
		AutoMPPEKeys
		StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
		AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
	</AuthBy>
</Handler>

I am adding called-station-id
BUT THIS ONE DOES NOT WORK:

#Foreground
#LogStdout
LogDir		/var/log/radius
DbDir		/etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 		4

#RewriteUsername s/(.*)\\(.*)/$1/
# Listen for RADIUS requests from the Cisco WLAN controller @ 10.10.19.35

<Client 10.10.19.35>
	Secret sZ#1S!4k[T*<aCD~rY1^3=Z}\GHE-Wc-.K!f4'yQk9-F~(>?**-MN`qqt3hByAJ	
	DupInterval 10
#	Identifier rlwlc1
</Client>

<Handler Called-Station-Id = /rlwireless/>
#<Handler TunnelledByTTLS=1>
	RewriteUsername s/(.*)\\(.*)/$2/
	RewriteUsername s/(.*)\@(.*)/$1/
	<AuthBy LDAP2>
		#RewriteUsername s/^CORP\\([^@]+).*/$1/
		Debug 255
		EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
		EAPTLS_CAFile %D/cert/cacert.pem
		EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
		EAPTLS_PrivateKeyFile %D/cert/radius.key
		EAPTLS_CertificateType PEM
		ServerChecksPassword
		NoDefault
		Host localhost
		Port 389
		BaseDN dc=domainl,dc=com
              # see /etc/openldap/slapd.conf
		AuthDN          cn=Manager, dc=domain, dc=com
		AuthPassword    xxxxxxxxxx
		UsernameAttr uid
		PasswordAttr userPassword
		AutoMPPEKeys
		AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
	</AuthBy>
</Handler>

<Handler Called-Station-Id = /rltechops/>
	<AuthBy INTERNAL>
		DefaultResult Reject
	</AuthBy>
</Handler>

I get that there are no inner handlers and get rejected. So where do I setup another handler for TTLS now in the latter config?

Code:       UNDEF
Identifier: UNDEF
Authentic:  UNDEF
Attributes:
	User-Name = "zod"
	User-Password = xxxxxxxxxx<0><0><0><0><0><0><0><0>

Thu Dec 10 13:50:01 2009: DEBUG: EAP TTLS inner authentication request for zod
Thu Dec 10 13:50:01 2009: DEBUG: EAP result: 1, No Handler for TTLS inner authentication
Thu Dec 10 13:50:01 2009: DEBUG: AuthBy LDAP2 result: REJECT, No Handler for TTLS inner authentication
Thu Dec 10 13:50:01 2009: INFO: Access rejected for zod: No Handler for TTLS inner authentication
Thu Dec 10 13:50:01 2009: DEBUG: Packet dump:
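A Handler layout that addresses the question above, added here as an example; it is not taken from the original post or from Radiator's own documentation. It assumes what Radiator's Handler model provides: Handlers are tried in the order they appear in radius.cfg and the first one whose check items all match takes the request, and the TTLS inner request is dispatched as a separate request that carries TunnelledByTTLS=1 (the check item left commented out in the second config) rather than the outer Called-Station-Id. In the first config the Client-Identifier check matched both the outer and the inner request, so one Handler served both; once the check is Called-Station-Id, the inner request matches nothing, which is exactly the "No Handler for TTLS inner authentication" in the log. The example therefore puts a TunnelledByTTLS=1 Handler first, keeps the Called-Station-Id Handler for the outer EAP conversation, and leaves the reject Handler for the other SSID unchanged. The shared secret, the LDAP bind password and the DN are placeholders; the reply attributes are kept with the inner Handler on the assumption that the inner result is what decides the VLAN.

```text
LogDir		/var/log/radius
DbDir		/etc/radiator
# Trace 4 is debugging level; lower it once the inner Handler is confirmed working.
Trace		4

<Client 10.10.19.35>
	Secret PLACEHOLDER_SHARED_SECRET
	DupInterval 10
	Identifier rlwlc1
</Client>

# 1. Inner (tunnelled) requests first. Order matters: this Handler must be
#    found before the Called-Station-Id Handlers, because the inner request
#    is matched on TunnelledByTTLS, not on the SSID. The actual credential
#    check happens here, so this is the Handler that must not be permissive.
#    No EAPType/EAPTLS_* settings: the TLS tunnel is already terminated by
#    the outer Handler, and the TTLS inner method is plain PAP/MSCHAP-V2.
<Handler TunnelledByTTLS=1>
	RewriteUsername s/(.*)\\(.*)/$2/
	RewriteUsername s/(.*)\@(.*)/$1/
	<AuthBy LDAP2>
		Host localhost
		Port 389
		BaseDN dc=domain,dc=com
		AuthDN cn=Manager, dc=domain, dc=com
		AuthPassword PLACEHOLDER_BIND_PASSWORD
		UsernameAttr uid
		PasswordAttr userPassword
		ServerChecksPassword
		NoDefault
		AutoMPPEKeys
		StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
		AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
	</AuthBy>
</Handler>

# 2. Outer requests for the corporate SSID: this Handler only terminates EAP.
#    The inner identity never reaches this AuthBy's LDAP lookup.
<Handler Called-Station-Id = /rlwireless/>
	RewriteUsername s/(.*)\\(.*)/$2/
	RewriteUsername s/(.*)\@(.*)/$1/
	<AuthBy LDAP2>
		EAPType TTLS,PEAP,TLS
		EAPTLS_CAFile %D/cert/cacert.pem
		EAPTLS_CertificateFile %D/cert/server.pem
		EAPTLS_PrivateKeyFile %D/cert/radius.key
		EAPTLS_CertificateType PEM
		Host localhost
		Port 389
		BaseDN dc=domain,dc=com
		AuthDN cn=Manager, dc=domain, dc=com
		AuthPassword PLACEHOLDER_BIND_PASSWORD
		UsernameAttr uid
		PasswordAttr userPassword
		NoDefault
		AutoMPPEKeys
	</AuthBy>
</Handler>

# 3. The other SSID: rejected outright, so no EAP conversation ever starts
#    there and nothing from it can reach the inner Handler above.
<Handler Called-Station-Id = /rltechops/>
	<AuthBy INTERNAL>
		DefaultResult Reject
	</AuthBy>
</Handler>
```

Two checks worth making once this is in place: with Trace 4, the inner request should now log as handled by the TunnelledByTTLS Handler rather than "No Handler for TTLS inner authentication", and a user on the rltechops SSID should be rejected at the outer Handler before any TLS tunnel is built. If PEAP is also in use, its inner request is an EAP (MSCHAP-V2) exchange and needs its own Handler keyed on TunnelledByPEAP=1 with EAPType MSCHAP-V2, placed alongside the TTLS one; that is part of the same Radiator Handler model but is not shown above because the log in the post only concerns TTLS.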
