[RADIATOR] blank outer identity - best practice

Hugh Irvine hugh at open.com.au
Wed Dec 16 16:16:08 CST 2009 

Hello Heikki -

The reason we use an AuthBy FILE with an "anonymous" user with a password that will never match is to make sure that if this clause receives a non-EAP request, it will always reject.

Ie.

# anonymous to never match

anonymous  Encrypted-Password  _this_will_never_match_anything_


There are numerous EAP example configuration files in the "goodies" directory, and see also section 24 in the manual ("doc/ref.pdf").

regards

Hugh



On 17 Dec 2009, at 00:31, Heikki Vatiainen wrote:

> On 12/12/2009 01:09 AM, Hugh Irvine wrote:
> 
>> I'm not sure I understand the question, as the outer identity (I'm assuming you mean User-Name?) doesn't really matter.
>> 
>> For EAP the outer Handler is only responsible for setting up the tunnel - it doesn't do any username checking.
>> 
>> You would typically have different Handlers, with the outer Handler just using an AuthBy FILE clause:
> 
> Maybe the EAP setup could be clarified a little more, especially to get
> it to the list archive, or maybe even to the FAQ.
> 
> You mention that the outer handler does not check username and it can
> use an AuthBy FILE. Is AuthBy FILE chosen because it is very simple to
> configure? That would be my guess. As far as I can tell, there is
> nothing special in AuthBy FILE why it should be used as the tunnel endpoint.
> 
> What we have been doing lately is this:
> <AuthBy FILE>
>   Filename /dev/null
>   EAP_* directives
>   AutoMPPEKeys
>   ....
> </AuthBy>
> 
> In other words, there does not seem to be need for a placeholder and the
> even the file can be empty.
> 
> Is this for some reason a bad idea? Is the file containing a placeholder
> usually mentioned because of backwards compatibility issues?
> 
> At least in the current versions of Radiator it looks like the file in
> Filename is never even opened if the AuthBy only takes care of setting
> up TLS tunnels.
> 
>> <Handler TunnelledByPEAP = 1>
>> 	.....
>> </Handler>
>> 
>> <Handler TunnelledByTTLS = 1>
>> 	.....
>> </Handler>
>> 
>> <Handler>
>> 	<AuthBy FILE>
>> 		.....
>> 		Filename %D/anonymous.user
>> 	</AuthBy>
>> </Handler>
>> 
>> 
>> File "%D/anonymous.user" would just contain something like this:
>> 
>> 
>> # anonymous.user
>> # this is just a placeholder
>> 
>> anonymous		Encrypted-Password = _this_will_never_match_anything_
> 
> 
> -- 
> Heikki Vatiainen, Arch Red Oy
> +358 44 087 6547



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

More information about the radiator mailing list