[RADIATOR] blank outer identity - best practice
Alexander Hartmaier
alexander.hartmaier at t-systems.at
Wed Dec 16 08:21:49 CST 2009
I tried using AuthBy INTERNAL instead of FILE without success so I still
use AuthBy FILE with a single 'anonymous' entry.
Optionally you could use DEFAULT as username.
--
Best regards, Alex
Am Mittwoch, den 16.12.2009, 14:31 +0100 schrieb Heikki Vatiainen:
> On 12/12/2009 01:09 AM, Hugh Irvine wrote:
>
> > I'm not sure I understand the question, as the outer identity (I'm assuming you mean User-Name?) doesn't really matter.
> >
> > For EAP the outer Handler is only responsible for setting up the tunnel - it doesn't do any username checking.
> >
> > You would typically have different Handlers, with the outer Handler just using an AuthBy FILE clause:
>
> Maybe the EAP setup could be clarified a little more, especially to get
> it to the list archive, or maybe even to the FAQ.
>
> You mention that the outer handler does not check username and it can
> use an AuthBy FILE. Is AuthBy FILE chosen because it is very simple to
> configure? That would be my guess. As far as I can tell, there is
> nothing special in AuthBy FILE why it should be used as the tunnel endpoint.
>
> What we have been doing lately is this:
> <AuthBy FILE>
> Filename /dev/null
> EAP_* directives
> AutoMPPEKeys
> ....
> </AuthBy>
>
> In other words, there does not seem to be need for a placeholder and the
> even the file can be empty.
>
> Is this for some reason a bad idea? Is the file containing a placeholder
> usually mentioned because of backwards compatibility issues?
>
> At least in the current versions of Radiator it looks like the file in
> Filename is never even opened if the AuthBy only takes care of setting
> up TLS tunnels.
>
> > <Handler TunnelledByPEAP = 1>
> > .....
> > </Handler>
> >
> > <Handler TunnelledByTTLS = 1>
> > .....
> > </Handler>
> >
> > <Handler>
> > <AuthBy FILE>
> > .....
> > Filename %D/anonymous.user
> > </AuthBy>
> > </Handler>
> >
> >
> > File "%D/anonymous.user" would just contain something like this:
> >
> >
> > # anonymous.user
> > # this is just a placeholder
> >
> > anonymous Encrypted-Password = _this_will_never_match_anything_
>
>
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
More information about the radiator
mailing list