[RADIATOR] blank outer identity - best practice

Hugh Irvine hugh at open.com.au
Wed Dec 16 16:10:45 CST 2009 

Hello again Alexander -

You should not use DEFAULT, as it will match any request, and this is probably not what you want.

Ie. if this clause receives a non-EAP request, you don't want it doing the wrong thing.

regards

Hugh


On 17 Dec 2009, at 01:21, Alexander Hartmaier wrote:

> I tried using AuthBy INTERNAL instead of FILE without success so I still
> use AuthBy FILE with a single 'anonymous' entry.
> Optionally you could use DEFAULT as username.
> 
> --
> Best regards, Alex
> 
> 
> Am Mittwoch, den 16.12.2009, 14:31 +0100 schrieb Heikki Vatiainen:
>> On 12/12/2009 01:09 AM, Hugh Irvine wrote:
>> 
>>> I'm not sure I understand the question, as the outer identity (I'm assuming you mean User-Name?) doesn't really matter.
>>> 
>>> For EAP the outer Handler is only responsible for setting up the tunnel - it doesn't do any username checking.
>>> 
>>> You would typically have different Handlers, with the outer Handler just using an AuthBy FILE clause:
>> 
>> Maybe the EAP setup could be clarified a little more, especially to get
>> it to the list archive, or maybe even to the FAQ.
>> 
>> You mention that the outer handler does not check username and it can
>> use an AuthBy FILE. Is AuthBy FILE chosen because it is very simple to
>> configure? That would be my guess. As far as I can tell, there is
>> nothing special in AuthBy FILE why it should be used as the tunnel endpoint.
>> 
>> What we have been doing lately is this:
>> <AuthBy FILE>
>>   Filename /dev/null
>>   EAP_* directives
>>   AutoMPPEKeys
>>   ....
>> </AuthBy>
>> 
>> In other words, there does not seem to be need for a placeholder and the
>> even the file can be empty.
>> 
>> Is this for some reason a bad idea? Is the file containing a placeholder
>> usually mentioned because of backwards compatibility issues?
>> 
>> At least in the current versions of Radiator it looks like the file in
>> Filename is never even opened if the AuthBy only takes care of setting
>> up TLS tunnels.
>> 
>>> <Handler TunnelledByPEAP = 1>
>>>    .....
>>> </Handler>
>>> 
>>> <Handler TunnelledByTTLS = 1>
>>>    .....
>>> </Handler>
>>> 
>>> <Handler>
>>>    <AuthBy FILE>
>>>            .....
>>>            Filename %D/anonymous.user
>>>    </AuthBy>
>>> </Handler>
>>> 
>>> 
>>> File "%D/anonymous.user" would just contain something like this:
>>> 
>>> 
>>> # anonymous.user
>>> # this is just a placeholder
>>> 
>>> anonymous           Encrypted-Password = _this_will_never_match_anything_
>> 
>> 
> 
> 
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> T-Systems Austria GesmbH   Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> Notice: This e-mail contains information that is confidential and may be privileged.
> If you are not the intended recipient, please notify the sender and then
> delete this e-mail immediately.
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

More information about the radiator mailing list