[RADIATOR] Separating handler based on called-station-id

Hugh Irvine hugh at open.com.au
Thu Dec 10 22:34:51 CST 2009


Hello Zod -

I'm not quite sure what you are wanting to do, but for your Handler to operate correctly, the incoming request must contain:

	Called-Station-Id = ***rlwireless***

where ***rlwireless*** is some string that contains "rlwireless".

You don't include a trace 4 debug showing what is contained in the RADIUS request.

In answer to your second question, please see the example in "goodies/eap_multi.cfg" (and the other eap example configuration files).

regards

Hugh


On 11 Dec 2009, at 10:19, Zod Mansour wrote:

> I would like to change my radius.cfg to handle auth based on the called-station-id.
> At present it's all handled in one auth and it's working well:
> 
> LogDir		/var/log/radius
> DbDir		/etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 		4
> 
> <Client 10.10.19.35>
> 	Secret sZ#1S!4k[T*<aCD~rY1^3=Z}\GHE-Wc-.K!f4'yQk9-F~(>?**-MN`qqt3hByAJ	
> 	DupInterval 10
> 	Identifier rlwlc1
> </Client>
> 
> <Handler Client-Identifier=rlwlc1>
> 	RewriteUsername s/(.*)\\(.*)/$2/
> 	RewriteUsername s/(.*)\@(.*)/$1/
> 	<AuthBy LDAP2>
> 		#RewriteUsername s/^CORP\\([^@]+).*/$1/
> 		Debug 255
> 		EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
> 		EAPTLS_CAFile %D/cert/cacert.pem
> 		EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
> 		EAPTLS_PrivateKeyFile %D/cert/radius.key
> 		EAPTLS_CertificateType PEM
> 		ServerChecksPassword
> 		NoDefault
> 		Host localhost
> 		Port 389
> 		BaseDN dc=domian,dc=com
>              # see /etc/openldap/slapd.conf
> 		AuthDN          cn=Manager, dc=domain, dc=com
> 		AuthPassword    xxxxxxxxxx
> 		UsernameAttr uid
> 		PasswordAttr userPassword
> 		AutoMPPEKeys
> 		StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
> 		AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
> 	</AuthBy>
> </Handler>
> 
> 
> 
> I am adding called-station-id
> BUT THIS ONE DOES NOT WORK:
> 
> 
> 
> #Foreground
> #LogStdout
> LogDir		/var/log/radius
> DbDir		/etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 		4
> 
> #RewriteUsername s/(.*)\\(.*)/$1/
> # Listen for RADIUS requests from the Cisco WLAN controller @ 10.10.19.35
> 
> <Client 10.10.19.35>
> 	Secret sZ#1S!4k[T*<aCD~rY1^3=Z}\GHE-Wc-.K!f4'yQk9-F~(>?**-MN`qqt3hByAJ	
> 	DupInterval 10
> #	Identifier rlwlc1
> </Client>
> 
> <Handler Called-Station-Id = /rlwireless/>
> #<Handler TunnelledByTTLS=1>
> 	RewriteUsername s/(.*)\\(.*)/$2/
> 	RewriteUsername s/(.*)\@(.*)/$1/
> 	<AuthBy LDAP2>
> 		#RewriteUsername s/^CORP\\([^@]+).*/$1/
> 		Debug 255
> 		EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
> 		EAPTLS_CAFile %D/cert/cacert.pem
> 		EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
> 		EAPTLS_PrivateKeyFile %D/cert/radius.key
> 		EAPTLS_CertificateType PEM
> 		ServerChecksPassword
> 		NoDefault
> 		Host localhost
> 		Port 389
> 		BaseDN dc=domainl,dc=com
>              # see /etc/openldap/slapd.conf
> 		AuthDN          cn=Manager, dc=domain, dc=com
> 		AuthPassword    xxxxxxxxxx
> 		UsernameAttr uid
> 		PasswordAttr userPassword
> 		AutoMPPEKeys
> 		AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
> 	</AuthBy>
> </Handler>
> 
> <Handler Called-Station-Id = /rltechops/>
> 	<AuthBy INTERNAL>
> 		DefaultResult Reject
> 	</AuthBy>
> </Handler>
> 
> 
> 
> 
> 
> 
> I get that there are no inner handlers and get rejected. So where do I set up another handler for TTLS now in the latter config?
> 
> Code:       UNDEF
> Identifier: UNDEF
> Authentic:  UNDEF
> Attributes:
> 	User-Name = "zod"
> 	User-Password = xxxxxxxxxx<0><0><0><0><0><0><0><0>
> 
> Thu Dec 10 13:50:01 2009: DEBUG: EAP TTLS inner authentication request for zod
> Thu Dec 10 13:50:01 2009: DEBUG: EAP result: 1, No Handler for TTLS inner authentication
> Thu Dec 10 13:50:01 2009: DEBUG: AuthBy LDAP2 result: REJECT, No Handler for TTLS inner authentication
> Thu Dec 10 13:50:01 2009: INFO: Access rejected for zod: No Handler for TTLS inner authentication
> Thu Dec 10 13:50:01 2009: DEBUG: Packet dump:
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
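Added example (not Hugh's or Zod's configuration, and not the goodies/eap_multi.cfg file itself) of the layout Hugh's reply points at: the Called-Station-Id check selects the outer request from the controller, and a separate Handler matched on TunnelledByTTLS=1 catches the inner request, which, as the packet dump in the quoted message shows, carries only User-Name and User-Password. Paths, the Client address, the LDAP DNs and both secrets are assumed placeholders.

```text
# Added example of the eap_multi.cfg layout: outer request selected on
# Called-Station-Id, inner (tunnelled) request handled by its own Handler.
# Paths, DNs, the Client address and both secrets are placeholders.
LogDir  /var/log/radius
DbDir   /etc/radiator

<Client 10.10.19.35>
	Secret      REPLACE-WITH-SHARED-SECRET
	DupInterval 10
</Client>

# Outer request from the controller for SSID rlwireless: this AuthBy only
# terminates the TLS tunnel; the user is checked by the inner Handler below.
<Handler Called-Station-Id=/rlwireless/>
	<AuthBy FILE>
		Filename %D/users
		EAPType TTLS,PEAP
		EAPTLS_CAFile          %D/cert/cacert.pem
		EAPTLS_CertificateFile %D/cert/server.crt.pem
		EAPTLS_PrivateKeyFile  %D/cert/server.key.pem
		EAPTLS_CertificateType PEM
		AutoMPPEKeys
	</AuthBy>
</Handler>

# Inner request unwrapped from TTLS: it has no Called-Station-Id, only
# User-Name/User-Password and the TunnelledByTTLS pseudo-attribute.
<Handler TunnelledByTTLS=1>
	RewriteUsername s/(.*)\\(.*)/$2/
	RewriteUsername s/(.*)\@(.*)/$1/
	<AuthBy LDAP2>
		Host localhost
		Port 389
		BaseDN dc=example,dc=com
		AuthDN cn=Manager,dc=example,dc=com
		AuthPassword REPLACE-WITH-LDAP-BIND-PASSWORD
		UsernameAttr uid
		PasswordAttr userPassword
		ServerChecksPassword
	</AuthBy>
</Handler>

# Handlers are tried in order; anything not matched above (e.g. the
# rltechops SSID) is rejected here.
<Handler>
	<AuthBy INTERNAL>
		DefaultResult REJECT
	</AuthBy>
</Handler>
```

A PEAP inner request would need a matching <Handler TunnelledByPEAP=1> whose AuthBy sets EAPType MSCHAP-V2, as eap_multi.cfg does; because Handlers are tried in order, the catch-all must stay last.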