[RADIATOR] Radiator EAP-TTLS and Aruba

Bob Shafer bshafer at du.edu
Wed Jul 1 06:31:19 CDT 2009


Hugh,

Thanks.  I'll give that a try and let you know if it works for us or not.

Bob

Hugh Irvine wrote:
> 
> Hello Bob -
> 
> You just have to return the User-Name attribute set to the inner 
> identity in the access accept.
> 
> Something like this:
> 
> In your inner Handler:
> 
> 
> <Handler TunnelledByTTLS = 1>
> 
>     <AuthBy ....>
> 
>         .....
> 
>         AddToReply User-Name = %{User-Name}
> 
>     </AuthBy>
> 
> </Handler>
> 
> 
> and in your outer Handler:
> 
> 
> <Handler>
> 
>     <AuthBy ....>
> 
>         .....
>        
>         EAPAnonymous = %0
> 
>     </AuthBy>
> 
> </Handler>
> 
>     
> hope that helps
> 
> regards
> 
> Hugh
> 
> 
> On 30 Jun 2009, at 20:39, Bob Shafer wrote:
> 
>> I attempted to resolve the User-Name issue with EAP-TTLS by using the 
>> eap-anon-hook.  It worked okay, but I was not comfortable using the 
>> supplicant's MAC level address, in the calling-station-id, and the 
>> only consistent attribute reported in both authentication and 
>> accounting packets, that could be used as a key.
>>
>> When I contacted Aruba support they suggested this:
>>
>> "Aruba controller can only review the
>> outer-eap-id only.  On Freeradius, there is a "copy to outer tunnel"
>> option under eap.conf which should allow the Radius server to reply
>> inner-eap-id to User-Name on radius access accept packet to the Aruba
>> controller.  There is also similar support on the Juniper's steel-belted
>> radius.  There may be similar on radiator.  Aruba controller will take
>> this returned User-Name attribute and replace the outer-eap-id from
>> client and utilize it in radius accounting as well as "show user-table"
>> output."
>>
>> I understand what they want, and have an idea about how I might 
>> implement this, but wondered if someone else had already invented the 
>> wheel?
>>
>> If not, I'm open to ideas about how best to implement it.
>>
>> Thanks,
>>
>> Bob
> 
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
> 