[RADIATOR] How to differentiate between an EAP request and a normal request ?

Michael Harlow Michael.Harlow at utas.edu.au
Sun Sep 27 23:10:00 CDT 2009


Markus, 

With my Cisco switches, I get different attributes I can make handler decisions on, so I can match like this for TTY management access:

<Handler NAS-Port-Type=Virtual,Cisco-NAS-Port=/tty*/>

And this for the 802.1x user connection:

<Handler NAS-Port-Type=Ethernet>

Have a good look at the full packets (debug 4) and try to separate the requests. Don't forget that the order of the Handlers is important for matching too.

Cheers, Michael


-----------------------------------------------------------------
Yesterday is history, tomorrow is a mystery, but today is a gift.
That is why it is called the present. [Oogway - Kungfu Panda]
-----------------------------------------------------------------
Michael Harlow                     Private Bag 69
Network Engineer                   Hobart Tasmania 7001
IT Resources                       Ph  03 6226 1812
University of Tasmania             Mob 0438 26 1812
Michael.Harlow at utas.edu.au         Fx  03 6226 7171
-----------------------------------------------------------------
  


-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Markus Moeller
Sent: Saturday, 26 September 2009 8:49 PM
To: Hugh Irvine
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] How to differentiate between an EAP request and a normal request ?

The device does EAP MD5-Challenge for MAC address authentication and I don't 
think I need anything else (except the EAP command in the Authby FILE 
section)

So I get from the same IP a request for username/password authentication and 
a request for EAP MD5-Challenge authentication and I have to handle both 
requests differently (e.g. use different databases)

Markus

----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Saturday, September 26, 2009 10:03 AM
Subject: Re: [RADIATOR] How to differentiate between an EAP request and a 
normal request ?


>
> Hello Markus -
>
> You don't mention EAP - what devices are doing EAP?
>
> If you have some EAP and some not, it probably makes more sense to do 
> something like this:
>
> .....
>
> <Client n.n.n.n>
> Identifier TheSwitchThatNeedsSomethingSpecial
> .....
> </Client>
>
> ......
>
> <Handler TunnelledByTTLS = 1>
> .....
> </Handler>
>
> <Handler TunnelledByPEAP = 1>
> ......
> </Handler>
>
> <Handler EAP-Message = /.+/>
> .....
> </Handler>
>
> <Handler Client-Identifier = TheSwitchThatNeedsSomethingSpecial>
> .....
> </Handler>
>
> <Handler>
> .....
> </Handler>
>
> .....
>
> regards
>
> Hugh
>
>
> On 26 Sep 2009, at 05:38, Markus Moeller wrote:
>
>> I have a switch which does administrative user authentication and  MAC 
>> address authentication via Radius.
>>
>> Is this the best way to treat the request differently ?
>>
>> <Handler EAP-Message=/.+/,Message-Authenticator=/.+/>
>>   AuthBy MACAuth
>> </Handler>
>>
>> <Handler>
>>   AuthBy UserAuth
>> </Handler>
>>
>> Thank you
>> Markus
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> 
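
The attribute matching discussed in this thread, as an added example that is not part of the original messages and is not Radiator code: a Python model that decodes the attributes of a RADIUS Access-Request and picks the first handler whose checks all match. The packets are constructed, the Message-Authenticator value is not verified, the Cisco-NAS-Port check is left out, and the function names are hypothetical.

```python
import re
import struct

# Attribute codes from RFC 2865 / RFC 3579; only the ones the thread matches on.
NAMES = {1: "User-Name", 2: "User-Password", 61: "NAS-Port-Type",
         79: "EAP-Message", 80: "Message-Authenticator"}
PORT_TYPES = {5: "Virtual", 15: "Ethernet"}

def parse_attributes(packet):
    """Decode the attributes of a raw RADIUS packet into {name: str}."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        raw = packet[pos + 2:pos + alen]
        if atype == 61:
            value = PORT_TYPES.get(int.from_bytes(raw, "big"), "Other")
        else:
            value = raw.decode("latin-1")  # keep binary values regex-matchable
        name = NAMES.get(atype, f"Attr-{atype}")
        # A long EAP-Message is split over several attributes: concatenate.
        attrs[name] = attrs.get(name, "") + value
        pos += alen
    return attrs

def select_handler(attrs, handlers):
    """First handler whose every check matches wins; {} matches anything."""
    for name, checks in handlers:
        if all(attr in attrs and re.search(pattern, attrs[attr], re.S)
               for attr, pattern in checks.items()):
            return name
    return None

def build_request(attrs):
    """Constructed test input: Access-Request with an all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: MAC auth via EAP, and an admin login via PAP.
EAP_REQ = build_request([(1, b"001122334455"), (61, (15).to_bytes(4, "big")),
    (79, bytes([2, 1, 0, 17, 1]) + b"001122334455"), (80, b"\xaa" * 16)])
PAP_REQ = build_request([(1, b"admin"), (2, b"\x55" * 16),
                         (61, (5).to_bytes(4, "big"))])
# Handler order as in the thread: specific EAP match first, catch-all last.
HANDLERS = [("MACAuth", {"EAP-Message": ".+", "Message-Authenticator": ".+"}),
            ("UserAuth", {})]
```

Reversing `HANDLERS` sends the EAP request to `UserAuth`, because the catch-all is then evaluated first.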