[RADIATOR] Validate against ONLY the username (no password)

Greg Fuller gregory.fuller at oswego.edu
Wed Apr 28 09:41:36 CDT 2010


We have a situation where we have XP SP3 clients that we'd like to do
machine-based authentication on a wired 802.1x connection with.  I
realize I can easily validate those systems by passing their credentials
across to my Active Directory controller via the Auth NTLM module.  I do
have that setup in another test config, and it works great -- but I'm
also looking for an alternative where we don't have to force the
credential validation up to the AD servers.

Basically I'd just like to validate the client machine credentials
against an AuthBy FILE with a file that just contains the client NetBIOS
names (i.e. the Windows "computer name").  I can pretty easily
distinguish the machine credentials vs. user credentials as XP sends the
machine credentials across as "host/{netbios-name}".  I DO NOT want to
use the password for validation, just the username.

Anyone have any example configs of the above?  I've been trying and just
can't seem to get the correct options to just validate against the
username and to skip the password check.  If I do not specify the
username in the file I get the following debug messages (expected):

DEBUG: Radius::AuthFILE looks for match with host/hr-016754 [anonymous]
DEBUG: Radius::AuthFILE REJECT: No such user: host/hr-016754 [anonymous]
DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user host/hr-016754
DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user host/hr-016754
INFO: Access rejected for anonymous: EAP MSCHAP V2 failed: no such user host/hr-016754

When I add the "host/hr-016754" to the user file I get the following
debug messages (unexpected):

DEBUG: Radius::AuthFILE looks for match with host/hr-016754 [anonymous]
DEBUG: Radius::AuthFILE ACCEPT: : host/hr-016754 [anonymous]
DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP-V2 Authentication failure
INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure


My userfile consists of:

anonymous
host/hr-016754
host/HR-016754
HOST/HR-016754


<Client 192.168.1.1>
    Secret  *****
    DupInterval 0
    Identifier      VOIP-TEST-SWITCHES
    IdenticalClients        192.168.1.2     192.168.1.3
    IdenticalClients        192.168.5.1
</Client>

<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        EAPType MSCHAP-V2
        Filename %D/users
    </AuthBy>
</Handler>

<Handler Client-Identifier=VOIP-TEST-SWITCHES>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        EAPTLS_PEAPVersion 0
        EAPTLS_PEAPBrokenV1Label
    </AuthBy>
    # Log accounting to a detail file
    AuthLog localAuthLogger
    AcctLogFileName /var/log/radius/detail
</Handler>

I assumed that if I do not specify a password in the userfile that it
would skip the password check.  Perhaps that is a wrong assumption
though.

I've been digging through the reference manual, mailing list archives,
and the goodies directory looking for examples but haven't seen anything
similar to what I'm looking to do.

Seems like this should be pretty straight forward and I know I'm missing
something simple!  Any help/examples are appreciated.  

--greg


Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller
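An added example, not Radiator's code and not part of the post above, that models the AuthBy FILE lookup the two debug traces show: it parses a users file in the line-oriented format the poster uses (user name first, optional comma-separated check items on the same line, reply items on indented lines), tells machine identities ("host/<computer-name>") from user identities, and then applies the rule that decides both traces. A matched entry with no check items is accepted by the file lookup itself, but an MS-CHAPv2 inner method still has to verify the client's NT-Response, which per RFC 2759 is a DES computation keyed by MD4 of the UTF-16LE password, so without a plaintext password or the NT hash in the entry there is nothing to verify against and the EAP method fails. The sample users file is constructed here; the "NT-Password" item name for a stored NT hash is an assumption of this example; and the case-insensitive NetBIOS matching is this example's choice, not AuthBy FILE's behaviour (the post lists each spelling separately). The PAP branch is included to show what "username only" actually buys: any supplicant that merely claims the name is accepted, since the identity is never proven.

```python
"""Model of an AuthBy FILE users lookup (added example, not Radiator code)."""
import re
from dataclasses import dataclass, field

# Constructed sample users file in the format shown in the post, plus two
# entries with check items for contrast. Not the poster's real file.
USERS_FILE = """\
anonymous
host/hr-016754
host/HR-016754
HOST/HR-016754
host/lab-000001\tUser-Password = "s3cret"
jdoe\tEncrypted-Password = "$1$saltsalt$constructedhash"
\tReply-Message = "hello"
"""

# Check items whose value lets a server compute the expected MS-CHAPv2
# NT-Response (RFC 2759: DES keyed by MD4(UTF-16LE password)): a plaintext
# password or the NT hash itself. "NT-Password" as the name of a hex NT-hash
# item is an assumption of this example. A crypt(3)-style Encrypted-Password
# cannot be turned into an NT hash, so it is useless for MS-CHAPv2.
MSCHAPV2_PASSWORD_ITEMS = {"User-Password", "NT-Password"}

ITEM_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')
MACHINE_RE = re.compile(r"^host/(.+)$", re.IGNORECASE)


@dataclass
class Entry:
    name: str
    check: dict = field(default_factory=dict)
    reply: dict = field(default_factory=dict)


@dataclass
class Result:
    kind: str    # "machine" or "user"
    status: str  # "ACCEPT", "REJECT" or "VERIFIABLE"
    reason: str


def parse_items(text):
    """Parse 'Attr = "value", Attr2 = value' into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ITEM_RE.finditer(text)}


def parse_users_file(text):
    """User name starts a line; check items follow on the same line;
    reply items sit on indented continuation lines; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            entries[-1].reply.update(parse_items(line))
            continue
        parts = line.split(None, 1)
        entries.append(Entry(parts[0], parse_items(parts[1]) if len(parts) > 1 else {}))
    return entries


def classify(identity):
    """XP sends machine credentials as host/<computer-name>. NetBIOS names
    are case-insensitive, so the name is upper-cased for matching."""
    m = MACHINE_RE.match(identity)
    return ("machine", m.group(1).upper()) if m else ("user", identity)


def lookup(entries, identity):
    key = classify(identity)
    return next((e for e in entries if classify(e.name) == key), None)


def evaluate(entries, identity, inner_method, password=None):
    """Replay the two outcomes in the post's debug log for one identity."""
    kind, _ = classify(identity)
    entry = lookup(entries, identity)
    if entry is None:
        return Result(kind, "REJECT", f"no such user {identity}")
    if inner_method == "PAP":
        expected = entry.check.get("User-Password")
        if expected is None:
            # No check items means nothing to compare: any client that merely
            # claims this name gets in. That is all "username only" buys.
            return Result(kind, "ACCEPT", "entry matched, no check items")
        return Result(kind, "ACCEPT" if password == expected else "REJECT",
                      "plaintext password compared")
    if inner_method == "MSCHAP-V2":
        if entry.check.keys() & MSCHAPV2_PASSWORD_ITEMS:
            return Result(kind, "VERIFIABLE", "server can compute the expected NT-Response")
        # The entry matched (AuthFILE ACCEPT in the log), but the client's
        # challenge/response cannot be checked without password material,
        # so the EAP method fails and the request is rejected.
        return Result(kind, "REJECT", "no password material for MS-CHAPv2")
    raise ValueError(f"unsupported inner method {inner_method}")


ENTRIES = parse_users_file(USERS_FILE)

if __name__ == "__main__":
    for ident, method in [("host/hr-016754", "MSCHAP-V2"), ("host/nowhere", "MSCHAP-V2"),
                          ("host/LAB-000001", "MSCHAP-V2"), ("host/hr-016754", "PAP")]:
        print(ident, method, evaluate(ENTRIES, ident, method))
```

The second case in the post is the "REJECT, no password material" branch: the file lookup succeeds, which is the AuthFILE ACCEPT line, and the MS-CHAPv2 verification then has nothing to work with. Leaving the password out of the entry does not skip the check; it only guarantees the check cannot pass.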


