[RADIATOR] Separating handler based on called-station-id
Zod Mansour
zod at reachlocal.com
Fri Dec 11 11:55:32 CST 2009
I did figure out how to distinguish between the two Called-Station-Ids.
The problem is that they both expect to use TunnelledByTTLS. I need two
different TunnelledByTTLS handlers because I want to do two different LDAP
queries. That was the main idea behind separating the two
Called-Station-Ids. So the question is, having two different
Called-Station-Ids, how do you perform different LDAP queries? From what I
see in debug, my two handlers, i.e. rlwireless and rltechops, are calling
the same TunnelledByTTLS handler, and that is where I have to make the LDAP
query. So how do I separate them? The eap_multi that you referred me to
separates based on different types of EAP, and that is not what I have here.
# $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
#Foreground
#LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 4

#RewriteUsername s/(.*)\\(.*)/$1/

# Listen for RADIUS requests from the Cisco WLAN controller @ 10.10.19.35
<Client 10.10.19.35>
    Secret sZ#1S!4k[T*<aCD~rY1^3=Z}\GHE-Wc-.K!f4'yQk9-F~(>?**-MN`qqt3hByAJ
    DupInterval 10
    # Identifier rlwlc1
</Client>

# Outer EAP handler for requests whose Called-Station-Id contains "rlwireless"
<Handler Called-Station-Id = /rlwireless/>
    RewriteUsername s/(.*)\\(.*)/$2/
    RewriteUsername s/(.*)\@(.*)/$1/
    <AuthBy FILE>
        EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
        EAPTLS_CAFile %D/cert/cacert.pem
        EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
        EAPTLS_PrivateKeyFile %D/cert/radius.key
        EAPTLS_CertificateType PEM
        AutoMPPEKeys
    </AuthBy>
</Handler>

# Outer EAP handler for requests whose Called-Station-Id contains "rltechops"
<Handler Called-Station-Id = /rltechops/>
    RewriteUsername s/(.*)\\(.*)/$2/
    RewriteUsername s/(.*)\@(.*)/$1/
    <AuthBy FILE>
        EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
        EAPTLS_CAFile %D/cert/cacert.pem
        EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
        EAPTLS_PrivateKeyFile %D/cert/radius.key
        EAPTLS_CertificateType PEM
        AutoMPPEKeys
        # <AuthBy INTERNAL>
        #     DefaultResult Reject
        # </AuthBy>
    </AuthBy>
</Handler>

# Inner TTLS authentication. Both outer Handlers above hand their inner
# request to this single Handler, so both SSIDs end up running the same
# LDAP query here.
<Handler TunnelledByTTLS=1>
    RewriteUsername s/(.*)\\(.*)/$2/
    RewriteUsername s/(.*)\@(.*)/$1/
    <AuthBy LDAP2>
        Debug 255
        ServerChecksPassword
        NoDefault
        Host localhost
        Port 389
        BaseDN dc=domain,dc=com
        # see /etc/openldap/slapd.conf
        AuthDN cn=Manager, dc=domain, dc=com
        AuthPassword xxxxxxxxxx
        UsernameAttr uid
        PasswordAttr userPassword
        # SearchFilter (&(%0=%1) (departmentNumber=ipbvpn))
        # AutoMPPEKeys
        AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
    </AuthBy>
</Handler>
Regards,
Zod
On Dec 10, 2009, at 8:34 PM, Hugh Irvine wrote:
>
> Hello Zod -
>
> I'm not quite sure what you are wanting to do, but for your Handler
> to operate correctly, the incoming request must contain:
>
> Called-Station-Id = ***rlwireless***
>
> where ***rlwireless*** is some string that contains "rlwireless".
>
> You don't include a trace 4 debug showing what is contained in the
> RADIUS request.
>
> In answer to your second question, please see the example in
> "goodies/eap_multi.cfg" (and the other eap example configuration
> files).
>
> regards
>
> Hugh
>
>
> On 11 Dec 2009, at 10:19, Zod Mansour wrote:
>
>> I would like to change my radius.cfg to handle auth based on the
>> Called-Station-Id.
>> At present it's all handled in one auth and it's working well:
>>
>> LogDir /var/log/radius
>> DbDir /etc/radiator
>> # Use a low trace level in production systems. Increase
>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>> Trace 4
>>
>> <Client 10.10.19.35>
>>     Secret sZ#1S!4k[T*<aCD~rY1^3=Z}\GHE-Wc-.K!f4'yQk9-F~(>?**-MN`qqt3hByAJ
>>     DupInterval 10
>>     Identifier rlwlc1
>> </Client>
>>
>> <Handler Client-Identifier=rlwlc1>
>>     RewriteUsername s/(.*)\\(.*)/$2/
>>     RewriteUsername s/(.*)\@(.*)/$1/
>>     <AuthBy LDAP2>
>>         #RewriteUsername s/^CORP\\([^@]+).*/$1/
>>         Debug 255
>>         EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
>>         EAPTLS_CAFile %D/cert/cacert.pem
>>         EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
>>         EAPTLS_PrivateKeyFile %D/cert/radius.key
>>         EAPTLS_CertificateType PEM
>>         ServerChecksPassword
>>         NoDefault
>>         Host localhost
>>         Port 389
>>         BaseDN dc=domain,dc=com
>>         # see /etc/openldap/slapd.conf
>>         AuthDN cn=Manager, dc=domain, dc=com
>>         AuthPassword xxxxxxxxxx
>>         UsernameAttr uid
>>         PasswordAttr userPassword
>>         AutoMPPEKeys
>>         StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
>>         AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>>     </AuthBy>
>> </Handler>
>>
>> I am adding Called-Station-Id,
>> BUT THIS ONE DOES NOT WORK:
>>
>> #Foreground
>> #LogStdout
>> LogDir /var/log/radius
>> DbDir /etc/radiator
>> # Use a low trace level in production systems. Increase
>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>> Trace 4
>>
>> #RewriteUsername s/(.*)\\(.*)/$1/
>> # Listen for RADIUS requests from the Cisco WLAN controller @ 10.10.19.35
>>
>> <Client 10.10.19.35>
>>     Secret sZ#1S!4k[T*<aCD~rY1^3=Z}\GHE-Wc-.K!f4'yQk9-F~(>?**-MN`qqt3hByAJ
>>     DupInterval 10
>>     # Identifier rlwlc1
>> </Client>
>>
>> <Handler Called-Station-Id = /rlwireless/>
>> #<Handler TunnelledByTTLS=1>
>>     RewriteUsername s/(.*)\\(.*)/$2/
>>     RewriteUsername s/(.*)\@(.*)/$1/
>>     <AuthBy LDAP2>
>>         #RewriteUsername s/^CORP\\([^@]+).*/$1/
>>         Debug 255
>>         EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
>>         EAPTLS_CAFile %D/cert/cacert.pem
>>         EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
>>         EAPTLS_PrivateKeyFile %D/cert/radius.key
>>         EAPTLS_CertificateType PEM
>>         ServerChecksPassword
>>         NoDefault
>>         Host localhost
>>         Port 389
>>         BaseDN dc=domain,dc=com
>>         # see /etc/openldap/slapd.conf
>>         AuthDN cn=Manager, dc=domain, dc=com
>>         AuthPassword xxxxxxxxxx
>>         UsernameAttr uid
>>         PasswordAttr userPassword
>>         AutoMPPEKeys
>>         AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>>     </AuthBy>
>> </Handler>
>>
>> <Handler Called-Station-Id = /rltechops/>
>> <AuthBy INTERNAL>
>> DefaultResult Reject
>> </AuthBy>
>> </Handler>
>>
>> I get that there are no inner handlers and get rejected. So where do I
>> set up another handler for TTLS now in the latter config?
>>
>> Code: UNDEF
>> Identifier: UNDEF
>> Authentic: UNDEF
>> Attributes:
>> User-Name = "zod"
>> User-Password = xxxxxxxxxx<0><0><0><0><0><0><0><0>
>>
>> Thu Dec 10 13:50:01 2009: DEBUG: EAP TTLS inner authentication request for zod
>> Thu Dec 10 13:50:01 2009: DEBUG: EAP result: 1, No Handler for TTLS inner authentication
>> Thu Dec 10 13:50:01 2009: DEBUG: AuthBy LDAP2 result: REJECT, No Handler for TTLS inner authentication
>> Thu Dec 10 13:50:01 2009: INFO: Access rejected for zod: No Handler for TTLS inner authentication
>> Thu Dec 10 13:50:01 2009: DEBUG: Packet dump:
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
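The routing problem discussed in this thread, modelled as an added Python example. This is written for this page; it is not Radiator code and not Radiator configuration syntax, and it does not claim to describe how Radiator builds its inner request. What it models is the behaviour visible in the thread: Handlers are tried in configuration order and the first whose check items all match wins, an inner TTLS request carries the pseudo-attribute TunnelledByTTLS=1, and an inner request that matches no Handler is rejected with "No Handler for TTLS inner authentication". The assumptions are the example's own: the `copy_outer` switch (whether the outer Called-Station-Id is carried into the inner pseudo-request, which must be confirmed from a trace 4 debug of the real server), the Cisco WLC "AP-MAC:SSID" Called-Station-Id format, the departmentNumber values, the RFC 4515 escaping of the username before it is substituted into the filter, and all function and class names.

```python
# Added example (not from the thread, not Radiator code): a small Python model
# of first-match Handler selection for EAP-TTLS inner requests. It shows why a
# single <Handler TunnelledByTTLS=1> collapses both SSIDs onto one LDAP query,
# and what the inner request must carry for two inner handlers to be told apart.
# Assumption: the TTLS layer copies the outer Called-Station-Id into the inner
# pseudo-request (copy_outer below); verify that against real trace 4 output.
import re

# The two RewriteUsername rules from the posted config, applied in order:
#   s/(.*)\\(.*)/$2/   drop a DOMAIN\ prefix
#   s/(.*)\@(.*)/$1/   drop an @realm suffix
REWRITES = (
    (re.compile(r"(.*)\\(.*)"), r"\2"),
    (re.compile(r"(.*)@(.*)"), r"\1"),
)

def rewrite_username(name):
    for pattern, repl in REWRITES:
        name = pattern.sub(repl, name, count=1)
    return name

def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

class Handler:
    def __init__(self, name, checks, search_filter):
        self.name = name
        # attribute -> regex; every check item must match for the Handler to apply
        self.checks = {attr: re.compile(rx) for attr, rx in checks.items()}
        self.search_filter = search_filter   # %0 = UsernameAttr, %1 = username

    def matches(self, request):
        return all(attr in request and rx.search(request[attr])
                   for attr, rx in self.checks.items())

def select_handler(handlers, request):
    """First Handler in configuration order whose check items all match."""
    for handler in handlers:
        if handler.matches(request):
            return handler
    return None

def ttls_inner_auth(handlers, outer, inner_identity, copy_outer):
    """Route the inner request; return (handler name, LDAP filter) or a REJECT."""
    inner = {"User-Name": inner_identity, "TunnelledByTTLS": "1"}
    if copy_outer:
        inner["Called-Station-Id"] = outer["Called-Station-Id"]
    handler = select_handler(handlers, inner)
    if handler is None:
        # Same wording as the REJECT in the posted trace 4 output.
        return ("REJECT", "No Handler for TTLS inner authentication")
    user = ldap_escape(rewrite_username(inner["User-Name"]))
    ldap_filter = handler.search_filter.replace("%0", "uid").replace("%1", user)
    return (handler.name, ldap_filter)

# Constructed outer requests; a Cisco WLC sends "AP-MAC:SSID" in Called-Station-Id.
OUTER_WIRELESS = {"User-Name": "anonymous", "Called-Station-Id": "00-1a-2b-3c-4d-5e:rlwireless"}
OUTER_TECHOPS = {"User-Name": "anonymous", "Called-Station-Id": "00-1a-2b-3c-4d-5e:rltechops"}

# Layout 1 (the poster's second config): one inner handler for everyone.
ONE_INNER = [Handler("ttls-any", {"TunnelledByTTLS": r"^1$"}, "(%0=%1)")]

# Layout 2: per-SSID inner handlers. The departmentNumber values are made up
# for the example; the filter shape follows the commented-out SearchFilter.
PER_SSID = [
    Handler("ttls-rlwireless",
            {"TunnelledByTTLS": r"^1$", "Called-Station-Id": r"rlwireless"},
            "(&(%0=%1)(departmentNumber=wireless))"),
    Handler("ttls-rltechops",
            {"TunnelledByTTLS": r"^1$", "Called-Station-Id": r"rltechops"},
            "(&(%0=%1)(departmentNumber=techops))"),
]

if __name__ == "__main__":
    # No inner handler at all reproduces the rejection from the trace.
    print(ttls_inner_auth([], OUTER_WIRELESS, "zod", True))
    # One shared inner handler: both SSIDs produce the same LDAP query.
    for outer in (OUTER_WIRELESS, OUTER_TECHOPS):
        print(ttls_inner_auth(ONE_INNER, outer, r"CORP\zod@corp.example", True))
    # Per-SSID handlers work only if the inner request carries the SSID.
    print(ttls_inner_auth(PER_SSID, OUTER_TECHOPS, "zod", True))
    print(ttls_inner_auth(PER_SSID, OUTER_TECHOPS, "zod", False))
    # An inner identity with filter metacharacters is escaped, not interpolated.
    print(ttls_inner_auth(PER_SSID, OUTER_WIRELESS, "zod)(uid=*", True))
```

Two points the model makes concrete. First, with `copy_outer=False` the per-SSID inner handlers never match, because the inner pseudo-request contains nothing that says which SSID it came from; whatever attribute the inner handlers are to branch on has to be visible in the inner request, and a trace 4 dump of the inner request is the place to confirm what is actually there. Second, because selection is first match in configuration order, per-SSID inner handlers must appear before any catch-all `TunnelledByTTLS=1` handler, or the catch-all swallows everything. The RFC 4515 escaping is the example's own precaution for a username that ends up inside an LDAP filter; it is not a statement about how the server performs its `%1` substitution.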