[RADIATOR] Differentiating multiple TunneledByXXXX handlers

Martin Burton mvb at sanger.ac.uk
Thu Nov 12 08:04:23 CST 2009


Hi Folks.

We're building a configuration for a secure wireless SSID to run
alongside our current open (guest friendly!) wireless implementation.

We've had this running fine in testing using the following simple config:

==== BEGIN CONFIG SNIP ====

<Handler TunnelledByTTLS=1>
        RewriteUsername      s/^([^@]+).*/$1/
        AuthByPolicy ContinueUntilAccept

        # If the EAP inner request is PAP then it will work against the user's
        # {crypt} password in LDAP
        <AuthBy LDAP2>
                Host ldap.internal.sanger.ac.uk
                BaseDN ou=people,dc=sanger,dc=ac,dc=uk
                UsernameAttr uid
                PasswordAttr userPassword
                ServerChecksPassword
        </AuthBy>

        # Otherwise we need to provide a cleartext password field in the LDAP
        # directory for things like CHAP/MSCHAP(v2) etc. to work against.  There
        # is a webpage for users to add the roamingPassword attribute if their
        # device does not support EAP-TTLS/PAP
        <AuthBy LDAP2>
                Host ldap.internal.sanger.ac.uk
                BaseDN ou=people,dc=sanger,dc=ac,dc=uk
                UsernameAttr uid
                PasswordAttr roamingPassword
        </AuthBy>
</Handler>

<Handler NAS-Identifier="WTSI">
        RewriteUsername      s/^([^@]+).*/$1/
        <AuthBy FILE>
                EAPType TTLS
                EAPTLS_CAFile %D/cacert.pem
                EAPTLS_CAPath
                EAPTLS_CertificateFile %D/radiussrv3_internal_sanger_ac_uk-cert.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/radiussrv3_internal_sanger_ac_uk-key.pem
                EAPTLS_PrivateKeyPassword ****REDACTED****
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
                Filename /opt/Radiator-4.4/eap_anon_user
        </AuthBy>
</Handler>

==== END CONFIG SNIP ====

This is fine in testing where we are working with an isolated
development instance of Radiator.  However, when we move into production
there will be multiple TunnelledByTTLS handlers to deal with different
NAS's (wireless and wired dot1x etc.).

I'd assumed that adding the NAS-Identifier to the EAP Inner Handler
clause so that it read:

<Handler TunnelledByTTLS=1,NAS-Identifier="WTSI">

would resolve the issue, but it seems that when the inner request is
redispatched to the handler code then the NAS-Identifier is not
maintained within the request, and subsequently Radiator fails to find a
handler for the EAP Inner request.

Is there some way to add some kind of identifying attribute to the inner
request so that we can differentiate between the originating NAS's?

Cheers,

Martin.
-- 
Martin Burton
Senior Systems Administrator               \\\|||///
Special Projects Team                     \\  ^ ^  //
Wellcome Trust Sanger Institute            (  6 6  )
-----------------------------------------oOOo-(_)-oOOo---
t: +44 (0)1223 496945             http://www.sanger.ac.uk
