[RADIATOR] blank outer identity - best practice

Alexander Hartmaier alexander.hartmaier at t-systems.at
Thu Dec 17 04:11:37 CST 2009


The handler already makes sure it's an EAP request by checking
EAP-Message=/.+/

-- 
Best regards, Alex


On Wednesday, 16.12.2009, at 23:10 +0100, Hugh Irvine wrote:
> Hello again Alexander -
> 
> You should not use DEFAULT, as it will match any request, and this is probably not what you want.
> 
> I.e. if this clause receives a non-EAP request, you don't want it doing the wrong thing.
> 
> regards
> 
> Hugh
> 
> 
> On 17 Dec 2009, at 01:21, Alexander Hartmaier wrote:
> 
> > I tried using AuthBy INTERNAL instead of FILE without success so I still
> > use AuthBy FILE with a single 'anonymous' entry.
> > Optionally you could use DEFAULT as username.
> > 
> > --
> > Best regards, Alex
> > 
> > 
> > On Wednesday, 16.12.2009, at 14:31 +0100, Heikki Vatiainen wrote:
> >> On 12/12/2009 01:09 AM, Hugh Irvine wrote:
> >> 
> >>> I'm not sure I understand the question, as the outer identity (I'm assuming you mean User-Name?) doesn't really matter.
> >>> 
> >>> For EAP the outer Handler is only responsible for setting up the tunnel - it doesn't do any username checking.
> >>> 
> >>> You would typically have different Handlers, with the outer Handler just using an AuthBy FILE clause:
> >> 
> >> Maybe the EAP setup could be clarified a little more, especially to get
> >> it to the list archive, or maybe even to the FAQ.
> >> 
> >> You mention that the outer handler does not check username and it can
> >> use an AuthBy FILE. Is AuthBy FILE chosen because it is very simple to
> >> configure? That would be my guess. As far as I can tell, there is
> >> nothing special in AuthBy FILE why it should be used as the tunnel endpoint.
> >> 
> >> What we have been doing lately is this:
> >> <AuthBy FILE>
> >>   Filename /dev/null
> >>   EAP_* directives
> >>   AutoMPPEKeys
> >>   ....
> >> </AuthBy>
> >> 
> >> In other words, there does not seem to be a need for a placeholder and
> >> even the file can be empty.
> >> 
> >> Is this for some reason a bad idea? Is the file containing a placeholder
> >> usually mentioned because of backwards compatibility issues?
> >> 
> >> At least in the current versions of Radiator it looks like the file in
> >> Filename is never even opened if the AuthBy only takes care of setting
> >> up TLS tunnels.
> >> 
> >>> <Handler TunnelledByPEAP = 1>
> >>>    .....
> >>> </Handler>
> >>> 
> >>> <Handler TunnelledByTTLS = 1>
> >>>    .....
> >>> </Handler>
> >>> 
> >>> <Handler>
> >>>    <AuthBy FILE>
> >>>            .....
> >>>            Filename %D/anonymous.user
> >>>    </AuthBy>
> >>> </Handler>
> >>> 
> >>> 
> >>> File "%D/anonymous.user" would just contain something like this:
> >>> 
> >>> 
> >>> # anonymous.user
> >>> # this is just a placeholder
> >>> 
> >>> anonymous           Encrypted-Password = _this_will_never_match_anything_
> >> 
> >> 
> > 
> > 
> 
> 
> 
> NB: 
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets), 
> together with a trace 4 debug showing what is happening?
> 
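Added example, not part of the original thread and not Radiator code: a small Python check for the combination discussed above, an outer EAP Handler that is not restricted with an EAP-Message check item while its AuthBy FILE users file contains a DEFAULT entry. The sample configuration, the users-file contents and the function name are constructed for illustration; treating any Handler with an EAPType line and no TunnelledBy check item as the outer handler is a simplifying assumption.

```python
import re

# Constructed sample config (not from the thread): an inner handler, an outer
# handler gated on EAP-Message, and a catch-all outer handler.
SAMPLE_CONFIG = """\
<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
<Handler EAP-Message=/.+/>
    <AuthBy FILE>
        Filename %D/gated.user
        EAPType PEAP
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        Filename %D/open.user
        EAPType PEAP
    </AuthBy>
</Handler>
"""
# Constructed users-file contents, keyed by the Filename values above.
SAMPLE_USERS = {
    "%D/users": "alice  User-Password = example\n",
    "%D/gated.user": "DEFAULT  Encrypted-Password = x\n",
    "%D/open.user": "# placeholder\nDEFAULT  Encrypted-Password = x\n",
}

HANDLER = re.compile(r"<Handler([^>]*)>(.*?)</Handler>", re.S)

def risky_outer_handlers(config, users_files):
    """Return (check items, Filename) for Handlers that set up EAP tunnels, can
    receive non-EAP requests, and read a users file with a DEFAULT entry."""
    findings = []
    for checks, body in HANDLER.findall(config):
        checks = checks.strip()
        if "TunnelledBy" in checks or not re.search(r"^\s*EAPType\b", body, re.M):
            continue  # inner handler, or no EAP handling in this Handler
        if re.search(r"(^|,)\s*EAP-Message\s*=", checks):
            continue  # only requests carrying EAP-Message reach this AuthBy
        for name in re.findall(r"^\s*Filename\s+(\S+)", body, re.M):
            # User names start in column 0; DEFAULT matches any user name.
            if re.search(r"^DEFAULT\d*(\s|$)", users_files.get(name, ""), re.M):
                findings.append((checks or "<catch-all>", name))
    return findings
```

On the constructed input only the catch-all Handler is reported; the Handler gated on EAP-Message is not, even though its users file also has a DEFAULT entry.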