[RADIATOR] How to differentiate between an EAP request and a normal request ?
Michael Harlow
Michael.Harlow at utas.edu.au
Sun Sep 27 23:10:00 CDT 2009
Markus,
With my Cisco switches, I get different attributes I can make handler decisions on, so I can match like this for TTY management access:
<Handler NAS-Port-Type=Virtual,Cisco-NAS-Port=/tty*/>
And this for the 802.1x user connection:
<Handler NAS-Port-Type=Ethernet>
Have a good look at the full packets (debug 4) and try to separate the requests. Don't forget that the order of the Handlers is important for matching too.
Cheers, Michael
-----------------------------------------------------------------
Yesterday is history, tomorrow is a mystery, but today is a gift.
That is why it is called the present. [Oogway - Kungfu Panda]
-----------------------------------------------------------------
Michael Harlow Private Bag 69
Network Engineer Hobart Tasmania 7001
IT Resources Ph 03 6226 1812
University of Tasmania Mob 0438 26 1812
Michael.Harlow at utas.edu.au Fx 03 6226 7171
-----------------------------------------------------------------
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Markus Moeller
Sent: Saturday, 26 September 2009 8:49 PM
To: Hugh Irvine
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] How to differentiate between an EAP request and a normal request ?
The device does EAP MD5-Challenge for MAC address authentication and I don't
think I need anything else (except the EAP command in the Authby FILE
section).
So I get from the same IP a request for username/password authentication and
a request for EAP MD5-Challenge authentication and I have to handle both
requests differently (e.g. use different databases).
Markus
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Saturday, September 26, 2009 10:03 AM
Subject: Re: [RADIATOR] How to differentiate between an EAP request and a
normal request ?
>
> Hello Markus -
>
> You don't mention EAP - what devices are doing EAP?
>
> If you have some EAP and some not, it probably makes more sense to do
> something like this:
>
> .....
>
> <Client n.n.n.n>
> Identifier TheSwitchThatNeedsSomethingSpecial
> .....
> </Client>
>
> ......
>
> <Handler TunnelledByTTLS = 1>
> .....
> </Handler>
>
> <Handler TunnelledByPEAP = 1>
> ......
> </Handler>
>
> <Handler EAP-Message = /.+/>
> .....
> </Handler>
>
> <Handler Client-Identifier = TheSwitchThatNeedsSomethingSpecial>
> .....
> </Handler>
>
> <Handler>
> .....
> </Handler>
>
> .....
>
> regards
>
> Hugh
>
>
> On 26 Sep 2009, at 05:38, Markus Moeller wrote:
>
>> I have a switch which does administrative user authentication and MAC
>> address authentication via Radius.
>>
>> Is this the best way to treat the request differently ?
>>
>> <Handler EAP-Message=/.+/,Message-Authenticator=/.+/>
>> AuthBy MACAuth
>> </Handler>
>>
>> <Handler>
>> AuthBy UserAuth
>> </Handler>
>>
>> Thank you
>> Markus
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator )?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
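
Added example, not part of the original thread and not Radiator code: a Python sketch of the decision discussed above, parsing the attributes of a raw RADIUS Access-Request and picking the first matching handler, as with the EAP-Message / Message-Authenticator handler followed by a catch-all. All function names, the handler table and the sample packets are constructed for illustration.

```python
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 3579)
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def present(attrs: dict, atype: int) -> bool:
    """Stand-in for the /.+/ match: at least one non-empty value."""
    return any(attrs.get(atype, []))

def select_handler(attrs: dict, handlers: list) -> str:
    """First matching handler wins, so list order decides the outcome."""
    for name, matches in handlers:
        if matches(attrs):
            return name
    raise LookupError("no handler matched")

# Same checks as the two <Handler> clauses in the original question.
HANDLERS = [
    ("MACAuth", lambda a: present(a, EAP_MESSAGE)
                          and present(a, MESSAGE_AUTHENTICATOR)),
    ("UserAuth", lambda a: True),  # an empty <Handler> matches everything
]

def build_request(attrs: list) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: placeholder values, no real credentials or MACs.
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 17, 1) + b"001122334455"
EAP_REQ = build_request([(USER_NAME, b"001122334455"),
                         (EAP_MESSAGE, EAP_IDENTITY),
                         (MESSAGE_AUTHENTICATOR, b"\x01" * 16)])
PAP_REQ = build_request([(USER_NAME, b"admin"), (USER_PASSWORD, b"\x02" * 16)])
```

With the catch-all listed first, the EAP request would never reach MACAuth, which is the ordering point made in the reply above.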