[RADIATOR] Separating handler based on called-station-id

Hugh Irvine hugh at open.com.au
Fri Dec 11 16:23:40 CST 2009


Hello Zod -

You will need a PreHandlerHook in the outer AuthBy clause to add the Called-Station-Id (and Calling-Station-Id) to the inner request, then set up the inner Handlers thus:

.....

<Handler Called-Station-Id=/rltechops/, TunnelledByTTLS=1>
       RewriteUsername s/(.*)\\(.*)/$2/
       RewriteUsername s/(.*)\@(.*)/$1/
       <AuthBy LDAP2>
               Debug 255
               ServerChecksPassword
               NoDefault
               Host localhost
               Port 389
               BaseDN dc=domain,dc=com
            # see /etc/openldap/slapd.conf
               AuthDN          cn=Manager, dc=domain, dc=com
               AuthPassword    xxxxxxxxxx
               UsernameAttr uid
               PasswordAttr userPassword
#               SearchFilter    (&(%0=%1) (departmentNumber=ipbvpn))
#               AutoMPPEKeys
               AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
       </AuthBy>
</Handler>

<Handler Called-Station-Id=/rlwireless/, TunnelledByTTLS=1>
       RewriteUsername s/(.*)\\(.*)/$2/
       RewriteUsername s/(.*)\@(.*)/$1/
       <AuthBy LDAP2>
               Debug 255
               ServerChecksPassword
               NoDefault
               Host localhost
               Port 389
               BaseDN dc=domain,dc=com
            # see /etc/openldap/slapd.conf
               AuthDN          cn=Manager, dc=domain, dc=com
               AuthPassword    xxxxxxxxxx
               UsernameAttr uid
               PasswordAttr userPassword
#               SearchFilter    (&(%0=%1) (departmentNumber=ipbvpn))
#               AutoMPPEKeys
               AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
       </AuthBy>
</Handler>

<Handler>
       RewriteUsername s/(.*)\\(.*)/$2/
       RewriteUsername s/(.*)\@(.*)/$1/
       <AuthBy FILE>
               EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
               EAPTLS_CAFile %D/cert/cacert.pem
               EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
               EAPTLS_PrivateKeyFile %D/cert/radius.key
               EAPTLS_CertificateType PEM
               AutoMPPEKeys
               PreHandlerHook file:"%D/calling_station_hook_requests.pl"
       </AuthBy>
</Handler>


See "goodies/calling_station_hook_requests.pl" as an example.

regards

Hugh
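
As an added illustration (not the goodies file Hugh refers to, and not code from the Radiator project), here is what a hook of that kind can look like. It assumes the usual Radiator hook calling convention, a reference to the inner (tunnelled) request as the first argument, and assumes the inner request carries the outer request in $p->{outerRequest} and that the request object offers get_attr, delete_attr and add_attr; check these against doc/ref.html for the release in use before relying on them.

```perl
# calling_station_hook_requests.pl (illustrative version, not the Radiator goodies file)
#
# Radiator PreHandlerHook for the outer EAP-TTLS AuthBy clause.
# Assumed calling convention: the hook receives a reference to the inner
# request that Radiator builds from the TTLS tunnel, and that inner request
# points back at the outer request via $p->{outerRequest}.
sub {
    my $p     = ${$_[0]};            # inner (tunnelled) request
    my $outer = $p->{outerRequest};  # outer request as sent by the NAS

    # Nothing to do for requests that did not arrive through a tunnel.
    return unless $outer;

    # Copy the NAS-supplied station identifiers into the inner request so
    # that inner Handlers can select on Called-Station-Id (and, if wanted,
    # Calling-Station-Id) together with TunnelledByTTLS=1.
    for my $attr ('Called-Station-Id', 'Calling-Station-Id') {
        my $value = $outer->get_attr($attr);
        next unless defined $value;      # NAS did not send this attribute

        $p->delete_attr($attr);          # no duplicates if the hook runs again
        $p->add_attr($attr, $value);
    }

    return;
}
```

The file must evaluate to a single anonymous sub, which is what the `PreHandlerHook file:"%D/..."` form in the configuration above loads. After adding it, a trace 4 debug of an inner request should show Called-Station-Id alongside User-Name, and the inner Handlers selected by Called-Station-Id will then be chosen instead of the catch-all.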


On 12 Dec 2009, at 04:55, Zod Mansour wrote:

> I did figure out how to distinguish between the 2 called-station-ids.
> The problem is that they both expect to use TunnelledByTTLS. I need 2 different TunnelledByTTLS because I want to do 2 different LDAP queries. That was the main idea behind separating the 2 called-station-ids. So the question is, having 2 different called-station-ids, how do you perform different LDAP queries? By what I see in debug, my 2 handlers, i.e. rlwireless and rltechops, are calling the same TunnelledByTTLS and that is where I have to make the LDAP query. So how to separate them? The eap_multi that you referred me to separates based on different types of EAP and that is not what I have here.
> 
> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
> 
> #Foreground
> #LogStdout
> LogDir          /var/log/radius
> DbDir           /etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace           4
> 
> #RewriteUsername s/(.*)\\(.*)/$1/
> # Listen for RADIUS requests from the Cisco WLAN controller @ 10.10.19.35
> 
> <Client 10.10.19.35>
>        Secret sZ#1S!4k[T*<aCD~rY1^3=Z}\GHE-Wc-.K!f4'yQk9-F~(>?**-MN`qqt3hByAJ
>        DupInterval 10
> #       Identifier rlwlc1
> </Client>
> 
> <Handler Called-Station-Id = /rlwireless/>
>        RewriteUsername s/(.*)\\(.*)/$2/
>        RewriteUsername s/(.*)\@(.*)/$1/
>        <AuthBy FILE>
>                EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
>                EAPTLS_CAFile %D/cert/cacert.pem
>                EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
>                EAPTLS_PrivateKeyFile %D/cert/radius.key
>                EAPTLS_CertificateType PEM
>                AutoMPPEKeys
>        </AuthBy>
> </Handler>
> <Handler Called-Station-Id = /rltechops/>
>        RewriteUsername s/(.*)\\(.*)/$2/
>        RewriteUsername s/(.*)\@(.*)/$1/
>        <AuthBy FILE>
>                EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
>                EAPTLS_CAFile %D/cert/cacert.pem
>                EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
>                EAPTLS_PrivateKeyFile %D/cert/radius.key
>                EAPTLS_CertificateType PEM
>                AutoMPPEKeys
> #       <AuthBy INTERNAL>
> #               DefaultResult Reject
> #       </AuthBy>
>        </AuthBy>
> </Handler>
> 
> <Handler TunnelledByTTLS=1>
>        RewriteUsername s/(.*)\\(.*)/$2/
>        RewriteUsername s/(.*)\@(.*)/$1/
>        <AuthBy LDAP2>
>                Debug 255
>                ServerChecksPassword
>                NoDefault
>                Host localhost
>                Port 389
>                BaseDN dc=domain,dc=com
>             # see /etc/openldap/slapd.conf
>                AuthDN          cn=Manager, dc=domain, dc=com
>                AuthPassword    xxxxxxxxxx
>                UsernameAttr uid
>                PasswordAttr userPassword
> #               SearchFilter    (&(%0=%1) (departmentNumber=ipbvpn))
> #               AutoMPPEKeys
>                AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>        </AuthBy>
> </Handler>
> 
> 
> Regards,
> 
> Zod
> 
> On Dec 10, 2009, at 8:34 PM, Hugh Irvine wrote:
> 
>> 
>> Hello Zod -
>> 
>> I'm not quite sure what you are wanting to do, but for your Handler to operate correctly, the incoming request must contain:
>> 
>> 	Called-Station-Id = ***rlwireless***
>> 
>> where ***rlwireless*** is some string that contains "rlwireless".
>> 
>> You don't include a trace 4 debug showing what is contained in the RADIUS request.
>> 
>> In answer to your second question, please see the example in "goodies/eap_multi.cfg" (and the other eap example configuration files).
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 11 Dec 2009, at 10:19, Zod Mansour wrote:
>> 
>>> I would like to change my radius.cfg to handle auth based on the
>>> called-station-id.
>>> At the present its all handled in one auth and its working well:
>>> 
>>> LogDir		/var/log/radius
>>> DbDir		/etc/radiator
>>> # Use a low trace level in production systems. Increase
>>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>>> Trace 		4
>>> 
>>> <Client 10.10.19.35>
>>> 	Secret sZ#1S!4k[T*<aCD~rY1^3=Z}\GHE-Wc-.K!f4'yQk9-F~(>?**-MN`qqt3hByAJ	
>>> 	DupInterval 10
>>> 	Identifier rlwlc1
>>> </Client>
>>> 
>>> <Handler Client-Identifier=rlwlc1>
>>> 	RewriteUsername s/(.*)\\(.*)/$2/
>>> 	RewriteUsername s/(.*)\@(.*)/$1/
>>> 	<AuthBy LDAP2>
>>> 		#RewriteUsername s/^CORP\\([^@]+).*/$1/
>>> 		Debug 255
>>> 		EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
>>> 		EAPTLS_CAFile %D/cert/cacert.pem
>>> 		EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
>>> 		EAPTLS_PrivateKeyFile %D/cert/radius.key
>>> 		EAPTLS_CertificateType PEM
>>> 		ServerChecksPassword
>>> 		NoDefault
>>> 		Host localhost
>>> 		Port 389
>>> 		BaseDN dc=domain,dc=com
>>>            # see /etc/openldap/slapd.conf
>>> 		AuthDN          cn=Manager, dc=domain, dc=com
>>> 		AuthPassword    xxxxxxxxxx
>>> 		UsernameAttr uid
>>> 		PasswordAttr userPassword
>>> 		AutoMPPEKeys
>>> 		StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
>>> 		AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>>> 	</AuthBy>
>>> </Handler>
>>> 
>>> 
>>> 
>>> I am adding called-station-id
>>> BUT THIS ONE DOES NOT WORK:
>>> 
>>> 
>>> 
>>> #Foreground
>>> #LogStdout
>>> LogDir		/var/log/radius
>>> DbDir		/etc/radiator
>>> # Use a low trace level in production systems. Increase
>>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>>> Trace 		4
>>> 
>>> #RewriteUsername s/(.*)\\(.*)/$1/
>>> # Listen for RADIUS requests from the Cisco WLAN controller @ 10.10.19.35
>>> 
>>> <Client 10.10.19.35>
>>> 	Secret sZ#1S!4k[T*<aCD~rY1^3=Z}\GHE-Wc-.K!f4'yQk9-F~(>?**-MN`qqt3hByAJ	
>>> 	DupInterval 10
>>> #	Identifier rlwlc1
>>> </Client>
>>> 
>>> <Handler Called-Station-Id = /rlwireless/>
>>> #<Handler TunnelledByTTLS=1>
>>> 	RewriteUsername s/(.*)\\(.*)/$2/
>>> 	RewriteUsername s/(.*)\@(.*)/$1/
>>> 	<AuthBy LDAP2>
>>> 		#RewriteUsername s/^CORP\\([^@]+).*/$1/
>>> 		Debug 255
>>> 		EAPType PEAP,TTLS,TLS,MD5,Generic-Token,LEAP,MSCHAP-V2,FAST
>>> 		EAPTLS_CAFile %D/cert/cacert.pem
>>> 		EAPTLS_CertificateFile /etc/radiator/cert/server.key.pem
>>> 		EAPTLS_PrivateKeyFile %D/cert/radius.key
>>> 		EAPTLS_CertificateType PEM
>>> 		ServerChecksPassword
>>> 		NoDefault
>>> 		Host localhost
>>> 		Port 389
>>> 		BaseDN dc=domain,dc=com
>>>            # see /etc/openldap/slapd.conf
>>> 		AuthDN          cn=Manager, dc=domain, dc=com
>>> 		AuthPassword    xxxxxxxxxx
>>> 		UsernameAttr uid
>>> 		PasswordAttr userPassword
>>> 		AutoMPPEKeys
>>> 		AddToReply Service-Type = Framed-User, Framed-Protocol = PPP,TUNNEL_TYPE=VLAN,TUNNEL_MEDIUM_TYPE=802,TUNNEL_GROUP_ID=28
>>> 	</AuthBy>
>>> </Handler>
>>> 
>>> <Handler Called-Station-Id = /rltechops/>
>>> 	<AuthBy INTERNAL>
>>> 		DefaultResult Reject
>>> 	</AuthBy>
>>> </Handler>
>>> 
>>> I get that there are no inner handlers and get rejected. So where do I
>>> setup another handler for TTLS now in the latter config?
>>> 
>>> Code:       UNDEF
>>> Identifier: UNDEF
>>> Authentic:  UNDEF
>>> Attributes:
>>> 	User-Name = "zod"
>>> 	User-Password = xxxxxxxxxx<0><0><0><0><0><0><0><0>
>>> 
>>> Thu Dec 10 13:50:01 2009: DEBUG: EAP TTLS inner authentication request
>>> for zod
>>> Thu Dec 10 13:50:01 2009: DEBUG: EAP result: 1, No Handler for TTLS
>>> inner authentication
>>> Thu Dec 10 13:50:01 2009: DEBUG: AuthBy LDAP2 result: REJECT, No
>>> Handler for TTLS inner authentication
>>> Thu Dec 10 13:50:01 2009: INFO: Access rejected for zod: No Handler
>>> for TTLS inner authentication
>>> Thu Dec 10 13:50:01 2009: DEBUG: Packet dump:
>>> 
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.