[RADIATOR] blank outer identity - best practice
Hugh Irvine
hugh at open.com.au
Thu Dec 17 04:34:48 CST 2009
Hello Alex -
Excellent.
regards
Hugh
On 17 Dec 2009, at 21:11, Alexander Hartmaier wrote:
> The handler already makes sure it's an EAP request by checking
> EAP-Message=/.+/
>
> --
> Best regards, Alex
>
>
> On Wednesday, 16.12.2009, at 23:10 +0100, Hugh Irvine wrote:
>> Hello again Alexander -
>>
>> You should not use DEFAULT, as it will match any request, and this is probably not what you want.
>>
>> I.e. if this clause receives a non-EAP request, you don't want it doing the wrong thing.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 17 Dec 2009, at 01:21, Alexander Hartmaier wrote:
>>
>>> I tried using AuthBy INTERNAL instead of FILE without success so I still
>>> use AuthBy FILE with a single 'anonymous' entry.
>>> Optionally you could use DEFAULT as username.
>>>
>>> --
>>> Best regards, Alex
>>>
>>>
>>> On Wednesday, 16.12.2009, at 14:31 +0100, Heikki Vatiainen wrote:
>>>> On 12/12/2009 01:09 AM, Hugh Irvine wrote:
>>>>
>>>>> I'm not sure I understand the question, as the outer identity (I'm assuming you mean User-Name?) doesn't really matter.
>>>>>
>>>>> For EAP the outer Handler is only responsible for setting up the tunnel - it doesn't do any username checking.
>>>>>
>>>>> You would typically have different Handlers, with the outer Handler just using an AuthBy FILE clause:
>>>>
>>>> Maybe the EAP setup could be clarified a little more, especially to get
>>>> it to the list archive, or maybe even to the FAQ.
>>>>
>>>> You mention that the outer handler does not check username and it can
>>>> use an AuthBy FILE. Is AuthBy FILE chosen because it is very simple to
>>>> configure? That would be my guess. As far as I can tell, there is
>>>> nothing special in AuthBy FILE why it should be used as the tunnel endpoint.
>>>>
>>>> What we have been doing lately is this:
>>>> <AuthBy FILE>
>>>> Filename /dev/null
>>>> EAP_* directives
>>>> AutoMPPEKeys
>>>> ....
>>>> </AuthBy>
>>>>
>>>> In other words, there does not seem to be a need for a placeholder, and
>>>> even the file can be empty.
>>>>
>>>> Is this for some reason a bad idea? Is the file containing a placeholder
>>>> usually mentioned because of backwards compatibility issues?
>>>>
>>>> At least in the current versions of Radiator it looks like the file in
>>>> Filename is never even opened if the AuthBy only takes care of setting
>>>> up TLS tunnels.
>>>>
>>>>> <Handler TunnelledByPEAP = 1>
>>>>> .....
>>>>> </Handler>
>>>>>
>>>>> <Handler TunnelledByTTLS = 1>
>>>>> .....
>>>>> </Handler>
>>>>>
>>>>> <Handler>
>>>>> <AuthBy FILE>
>>>>> .....
>>>>> Filename %D/anonymous.user
>>>>> </AuthBy>
>>>>> </Handler>
>>>>>
>>>>>
>>>>> File "%D/anonymous.user" would just contain something like this:
>>>>>
>>>>>
>>>>> # anonymous.user
>>>>> # this is just a placeholder
>>>>>
>>>>> anonymous Encrypted-Password = _this_will_never_match_anything_
>>>>
>>>>
>>>
>>>
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
>>> Handelsgericht Wien, FN 79340b
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
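
The point debated in this thread, that a DEFAULT entry is only safe behind a handler restricted to EAP requests, can be checked mechanically. The following is an added example, not part of the original messages and not Radiator code; the sample configuration and users files are constructed, and the parsing is simplified to the handler and users-file syntax quoted above (exact DEFAULT name, handlers selected by EAP-Message).

```python
import re

# Constructed sample, modelled on the configuration snippets quoted in this thread.
SAMPLE_CONFIG = """\
<Handler TunnelledByPEAP = 1>
    # inner authentication, out of scope for this check
</Handler>
<Handler EAP-Message=/.+/>
    <AuthBy FILE>
        Filename %D/default.user
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        Filename %D/default.user
    </AuthBy>
</Handler>
"""
# Constructed users files, keyed by the Filename value that refers to them.
SAMPLE_USERS = {
    "%D/anonymous.user": "# placeholder\nanonymous Encrypted-Password = _this_will_never_match_anything_\n",
    "%D/default.user": "DEFAULT Encrypted-Password = _this_will_never_match_anything_\n",
}

HANDLER_RE = re.compile(r"<Handler([^>]*)>(.*?)</Handler>", re.S)
FILENAME_RE = re.compile(r"^\s*Filename\s+(\S+)", re.M)

def user_names(users_text):
    """Return the user name that starts each entry (unindented, non-comment lines)."""
    return [line.split()[0] for line in users_text.splitlines()
            if line and not line[0].isspace() and not line.startswith("#")]

def audit(config_text, users_files):
    """List (handler, filename) pairs where a DEFAULT entry sits behind a handler
    that is not restricted to EAP requests."""
    findings = []
    for selector, body in HANDLER_RE.findall(config_text):
        selector = selector.strip()
        if selector.startswith("TunnelledBy"):   # inner handlers are not audited
            continue
        eap_only = selector.startswith("EAP-Message")
        for filename in FILENAME_RE.findall(body):
            if "DEFAULT" in user_names(users_files.get(filename, "")) and not eap_only:
                findings.append((selector or "<catch-all>", filename))
    return findings

if __name__ == "__main__":
    for handler, filename in audit(SAMPLE_CONFIG, SAMPLE_USERS):
        print(f"{handler}: {filename} has a DEFAULT entry and the handler accepts non-EAP requests")
```
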