[RADIATOR] Validate against ONLY the username (no password)
Greg Fuller
gregory.fuller at oswego.edu
Wed Apr 28 09:41:36 CDT 2010
We have a situation where we have XP SP3 clients that we'd like to do
machine-based authentication on a wired 802.1x connection with. I
realize I can easily validate those systems by passing their credentials
across to my Active Directory controller via the AuthBy NTLM module. I do
have that set up in another test config, and it works great -- but I'm
also looking for an alternative where we don't have to force the
credential validation up to the AD servers.
Basically I'd just like to validate the client machine credentials
against an AuthBy FILE with a file that just contains the client NetBIOS
names (i.e., the Windows "computer name"). I can pretty easily
distinguish the machine credentials vs. user credentials, as XP sends the
machine credentials across as "host/{netbios-name}". I DO NOT want to
use the password for validation, just the username.
Anyone have any example configs of the above? I've been trying and just
can't seem to get the correct options to just validate against the
username and to skip the password check. If I do not specify the
username in the file I get the following debug messages (expected):
DEBUG: Radius::AuthFILE looks for match with host/hr-016754 [anonymous]
DEBUG: Radius::AuthFILE REJECT: No such user: host/hr-016754 [anonymous]
DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user host/hr-016754
DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user
host/hr-016754
INFO: Access rejected for anonymous: EAP MSCHAP V2 failed: no such user
host/hr-016754
When I add the "host/hr-016754" to the user file I get the following
debug messages (unexpected):
DEBUG: Radius::AuthFILE looks for match with host/hr-016754 [anonymous]
DEBUG: Radius::AuthFILE ACCEPT: : host/hr-016754 [anonymous]
DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP-V2 Authentication failure
INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication
failure
My userfile consists of:
anonymous
host/hr-016754
host/HR-016754
HOST/HR-016754
<Client 192.168.1.1>
    Secret *****
    DupInterval 0
    Identifier VOIP-TEST-SWITCHES
    IdenticalClients 192.168.1.2 192.168.1.3
    IdenticalClients 192.168.5.1
</Client>

<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        EAPType MSCHAP-V2
        Filename %D/users
    </AuthBy>
</Handler>

<Handler Client-Identifier=VOIP-TEST-SWITCHES>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        EAPTLS_PEAPVersion 0
        EAPTLS_PEAPBrokenV1Label
    </AuthBy>
    # Log accounting to a detail file
    AuthLog localAuthLogger
    AcctLogFileName /var/log/radius/detail
</Handler>
I assumed that if I do not specify a password in the userfile that it
would skip the password check. Perhaps that is a wrong assumption
though.
I've been digging through the reference manual, mailing list archives,
and the goodies directory looking for examples but haven't seen anything
similar to what I'm looking to do.
Seems like this should be pretty straight forward and I know I'm missing
something simple! Any help/examples are appreciated.
--greg
Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller
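The post above distinguishes machine credentials from user credentials by the "host/" prefix that XP puts on the inner EAP identity, and the three case variants in the users file suggest the lookup is case-sensitive. The following is an added example (not from the original post or from Radiator) that pulls the inner and outer identities out of the quoted "looks for match with" debug lines, classifies each as machine or user, and checks machine names case-insensitively against an allowlist. The log lines and the allowlist are constructed for the example; `scan_log`, `classify_identity` and `is_allowed_machine` are hypothetical names, not Radiator functions.

```python
import re

# Constructed sample lines, modelled on the Radiator debug output quoted in the post.
SAMPLE_LOG = """\
DEBUG: Radius::AuthFILE looks for match with host/hr-016754 [anonymous]
DEBUG: Radius::AuthFILE looks for match with jsmith [anonymous]
DEBUG: Radius::AuthFILE looks for match with host/HR-016754 [anonymous]
DEBUG: Radius::AuthFILE looks for match with host/lab-000001 [anonymous]
"""

# Hypothetical allowlist of computer names (what the users file would hold).
ALLOWED_COMPUTERS = {"hr-016754", "hr-016755"}

# Inner (tunnelled) identity followed by the outer identity in square brackets.
LOOKUP_RE = re.compile(r"looks for match with (\S+) \[(\S+)\]")


def classify_identity(identity):
    """Return ('machine', NAME) for a host/NAME identity, else ('user', identity).

    The prefix check is case-insensitive because the supplicant may send
    'host/' or 'HOST/'; the name itself is returned unchanged.
    """
    if identity.lower().startswith("host/"):
        return "machine", identity[len("host/"):]
    return "user", identity


def is_allowed_machine(identity, allowed=ALLOWED_COMPUTERS):
    """True only for a machine identity whose computer name is on the allowlist.

    NetBIOS names are compared case-insensitively, so one allowlist entry
    covers hr-016754, HR-016754 and any other casing the client sends.
    """
    kind, name = classify_identity(identity)
    if kind != "machine":
        return False
    return name.lower() in {a.lower() for a in allowed}


def scan_log(text, allowed=ALLOWED_COMPUTERS):
    """Parse each lookup line into a record with its classification and allowlist result."""
    results = []
    for line in text.splitlines():
        m = LOOKUP_RE.search(line)
        if not m:
            continue
        inner, outer = m.group(1), m.group(2)
        kind, name = classify_identity(inner)
        results.append({
            "inner_identity": inner,
            "outer_identity": outer,
            "kind": kind,
            "name": name,
            "allowed": is_allowed_machine(inner, allowed),
        })
    return results


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec)
```

Note that a check like this only matches the identity string the supplicant asserts; the MSCHAP-V2 response the client sent is never verified, so anyone who can guess a computer name in the list can present it. That is the trade-off the post is asking about, and it is worth deciding deliberately before switching off password validation.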