[RADIATOR] blank outer identity - best practice

Heikki Vatiainen hvn at archred.com
Wed Dec 16 07:31:41 CST 2009


On 12/12/2009 01:09 AM, Hugh Irvine wrote:

> I'm not sure I understand the question, as the outer identity (I'm assuming you mean User-Name?) doesn't really matter.
> 
> For EAP the outer Handler is only responsible for setting up the tunnel - it doesn't do any username checking.
> 
> You would typically have different Handlers, with the outer Handler just using an AuthBy FILE clause:

Maybe the EAP setup could be clarified a little more, especially to get
it to the list archive, or maybe even to the FAQ.

You mention that the outer handler does not check username and it can
use an AuthBy FILE. Is AuthBy FILE chosen because it is very simple to
configure? That would be my guess. As far as I can tell, there is
nothing special about AuthBy FILE that means it should be used as the tunnel endpoint.

What we have been doing lately is this:
<AuthBy FILE>
   Filename /dev/null
   EAP_* directives
   AutoMPPEKeys
   ....
</AuthBy>

In other words, there does not seem to be a need for a placeholder, and
even the file can be empty.

Is this for some reason a bad idea? Is the file containing a placeholder
usually mentioned because of backwards compatibility issues?

At least in the current versions of Radiator it looks like the file in
Filename is never even opened if the AuthBy only takes care of setting
up TLS tunnels.

> <Handler TunnelledByPEAP = 1>
> 	.....
> </Handler>
> 
> <Handler TunnelledByTTLS = 1>
> 	.....
> </Handler>
> 
> <Handler>
> 	<AuthBy FILE>
> 		.....
> 		Filename %D/anonymous.user
> 	</AuthBy>
> </Handler>
> 
> 
> File "%D/anonymous.user" would just contain something like this:
> 
> 
> # anonymous.user
> # this is just a placeholder
> 
> anonymous		Encrypted-Password = _this_will_never_match_anything_


-- 
Heikki Vatiainen, Arch Red Oy
+358 44 087 6547
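Added illustration of the setup discussed above; it is not configuration from this thread or from the Radiator distribution. The catch-all outer Handler only terminates the TLS tunnel, with Filename /dev/null instead of a placeholder user file, while the TunnelledByPEAP and TunnelledByTTLS Handlers, which must be listed before it, are the only place the real (inner) identity is checked. The certificate paths, the users file and the inner EAP type are assumed placeholders.

```conf
# Added example (not from the thread). Handlers are matched in order of
# appearance, so the tunnelled Handlers must come before the catch-all one.

# Inner Handlers: the tunnelled identity and credentials are checked here.
# Placeholder: a real user store (AuthBy SQL, LDAP2, ...) would go here.
<Handler TunnelledByPEAP = 1>
	<AuthBy FILE>
		# placeholder users file for the inner authentication
		Filename %D/users
		# PEAP carries an inner EAP method, assumed MSCHAP-V2 here
		EAPType MSCHAP-V2
	</AuthBy>
</Handler>

<Handler TunnelledByTTLS = 1>
	<AuthBy FILE>
		# placeholder users file for the inner authentication
		Filename %D/users
	</AuthBy>
</Handler>

# Outer Handler: sets up the TLS tunnel only. The outer User-Name
# (the anonymous outer identity) is never looked up, so no user file
# is needed; /dev/null is enough.
<Handler>
	<AuthBy FILE>
		Filename /dev/null
		EAPType PEAP, TTLS
		# placeholder certificate paths
		EAPTLS_CAFile %D/certificates/ca.pem
		EAPTLS_CertificateFile %D/certificates/server.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/server.key
		EAPTLS_PrivateKeyPassword placeholder_key_password
		EAPTLS_MaxFragmentSize 1024
		EAPTTLS_NoAckRequired
		AutoMPPEKeys
	</AuthBy>
</Handler>
```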