[RADIATOR] Handler for EAP selection

Carlos Parada carlos-f-parada at ptinovacao.pt
Mon Jan 25 09:58:31 CST 2010


Hi everybody,

I'm trying to configure my radiator server with several handlers, sending a different set of attributes in the Access-Accept reply on each. It works fine for authentication (using stuff like AddToReply, DefaultReply, AllowInReply, etc.). However, the problem is that it also adds the same set of attributes for accounting. This is strange to me since according to RFC 2866 no attributes should be sent on accounting responses. Actually, from the documentation we understand (not completely clear) that this set of attributes is only added for authentication.
My question is: how can I add this set of attributes only for authentication? I know that I can do this by setting the attributes on a per-subscriber basis in the subscriber database. However, all users would have the very same set of attributes, so I would like to avoid redundant data by setting this in the configuration on a per-handler basis.

Any tips? 
 

Best Regards, 
Carlos Parada 


-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Hugh Irvine
Sent: Friday, 22 January 2010 22:32
To: Markus Moeller
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Handler for EAP selection


Hello Markus -

You can try a PreProcessingHook in the default Handler together with an AuthBy Handler to redispatch the request.

Alternatively you could try a PreHandlerHook in the Client clause which adds some pseudo-attribute to the request to match a Handler.

See section 5.74 in the Radiator 4.5.1 reference manual ("doc/ref.pdf").

See also the example hooks in "goodies/hooks.txt".

regards

Hugh


On 22 Jan 2010, at 21:33, Markus Moeller wrote:

> Is there a way to select a Handler based on the EAP type ? As you can see I have to select somehow different files to check against.
>  
> <Handler   ...EAPType=MD5... >
>    Authby MACAuth
> </Handler>
>  
> <Handler   ...EAPTYPE=TLS... >
>    Authby CERTAuth
> </Handler>
>  
> #
> #       802.1x testing
> #
> <AuthBy FILE>
>   Identifier MACAuth
>   Filename %D/../data/mac_database
>   EAPType MD5-Challenge
> </AuthBy>
>  
>  
> <AuthBy FILE>
>   Identifier CERTAuth
>   Filename %D/../data/default_file_auth
>  
>   EAPType TLS
>  
>  
>   EAPTLS_CAFile %D/../data/certs/CA/ALL-ca-certs.pem
>  
>   EAPTLS_CertificateFile %D/../data/certs/cert.pem
>   EAPTLS_CertificateType PEM
>  
>   EAPTLS_PrivateKeyFile %D/../data/certs/key.pem
>   EAPTLS_PrivateKeyPassword bla
>  
>   EAPTLS_MaxFragmentSize 1000
>  
>   EAPTLS_CRLCheck
>  
>   EAPTLS_CRLFile %D/../data/certs/revocations.pem
> #
>   AutoMPPEKeys
> </AuthBy>
>  
> Thank you
> Markus
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
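
An added example, not from the thread or from Radiator's own hook files: the classification step that a hook of the kind described in the quoted reply would need before it could tag a request for Handler matching. The function name, tag strings and sample packets are constructed for illustration, and the script is stand-alone Perl that calls no Radiator API.

```perl
#!/usr/bin/perl
# Added example: derive a routing tag from the EAP packet carried in a
# RADIUS request's EAP-Message attribute(s). Header layout per RFC 3748.
use strict;
use warnings;

# EAP type numbers (RFC 3748, RFC 5216); only the ones this thread cares about.
my %EAP_TYPE = (1 => 'Identity', 3 => 'Nak', 4 => 'MD5-Challenge', 13 => 'TLS');

# Takes the values of all EAP-Message attributes of one request, in order.
# Returns a tag string, or undef when the packet is malformed or not a Response.
sub eap_route_tag {
    my @fragments = @_;
    my $eap = join('', @fragments);   # long EAP packets span several attributes
    return if length($eap) < 5;       # code, identifier, length (2 bytes), type
    my ($code, undef, $len, $type) = unpack('C C n C', $eap);
    return unless $code == 2;         # 2 = Response, what the NAS forwards from the peer
    return if $len < 5 || $len > length($eap);   # declared length must fit the data
    if ($type == 3) {
        # Legacy Nak: the type-data lists the methods the peer would accept.
        my @wanted = unpack('C*', substr($eap, 5, $len - 5));
        return 'Nak:' . join(',', map { $EAP_TYPE{$_} // $_ } @wanted);
    }
    return $EAP_TYPE{$type} // "Unknown-$type";
}

# Constructed sample packets (not captured traffic).
my %samples = (
    'identity'  => pack('C C n C a*', 2, 1, 10, 1, 'alice'),
    'md5'       => pack('C C n C C a16', 2, 2, 22, 4, 16, "\x11" x 16),
    'tls'       => pack('C C n C C', 2, 3, 6, 13, 0),
    'nak'       => pack('C C n C C', 2, 4, 6, 3, 13),
    'truncated' => pack('C C n C', 2, 5, 40, 13),   # claims 40 bytes, carries 5
);
for my $k (sort keys %samples) {
    printf "%-10s -> %s\n", $k, eap_route_tag($samples{$k}) // 'rejected';
}
```

The first EAP-Response in a conversation is normally Identity, so a tag derived this way only separates MD5-Challenge from TLS on later round trips; the Identity packet itself has to be routed by some other criterion.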


