[RADIATOR] AuthBy File and EAPAnonymous

Hugh Irvine hugh at open.com.au
Sun May 23 02:28:14 CDT 2010


Hello Craig -

As you have discovered, the AuthBy FILE will work no matter what actual users are defined.

And yes it will work if the user specifies anything at all - this is because the outer Handler is only negotiating the tunnel - the user is actually checked by the inner Handler when the user credentials arrive via the tunnel.

regards

Hugh


On 22 May 2010, at 07:49, craigsimons at sfu.ca wrote:

> Just a quick question regarding handling tunnelled protocol outer requests. I've been using file AuthBy below to handle incoming PEAP/TTLS requests. I originally set it up to check a file with the username "anonymous". However, while testing I commented out the Filename attribute and forgot about it. Now, upon re-examining the config, I'm trying to understand why it still works even though it's not checking any file. Is this because of the EAPAnonymous %0 attribute? If this is the case, is it reasonable to assume that this handler will work even if the user specifies something other than "anonymous"?
> 
> <AuthBy FILE>
> 	#Say my name!
> 	Identifier AuthByDot1xAnonymous
> 	
> 	#No default user exists
> 	NoDefault
> 
> 	#File name
> 	#Filename %D/dot1x_anon.conf
> 	
> 	# EAP Types accepted
> 	EAPType TTLS, PEAP
> 	
> 	# Overwrite the outer tunnel userid with the inner tunnel userid
> 	EAPAnonymous %0
> 	
> 	# EAP Config
> 	EAPTLS_CAFile %D\cacert.pem
> 	EAPTLS_CertificateFile %D\cert.pem
> 	EAPTLS_CertificateType PEM
> 	EAPTLS_PrivateKeyFile %D\key.pem
> 	EAPTLS_MaxFragmentSize 1000
> 	AutoMPPEKeys
> 	EAPTLS_PEAPVersion 0
> 	EAPTLS_PEAPBrokenV1Label
> 	EAPTTLS_NoAckRequired
> 
> </AuthBy>
> 
> 
> Regards, 
> Craig
> 
> Craig Simons 
> Network Services 
> Simon Fraser University 
> 
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
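
The outer/inner split described in the reply above, as an added configuration sketch (not part of the original thread and not Radiator's shipped sample): requests that arrive through the tunnel are matched by their own Handler, and that is where the user is actually checked. The file name `%D/dot1x_users` and the inner `EAPType MSCHAP-V2` are assumptions; the outer clause reuses the settings from the quoted configuration.

```conf
# Inner requests, unwrapped from the tunnel. The real user
# credentials are checked here, not in the outer clause.
# Handlers are matched in the order they appear, so these
# must come before the catch-all Handler below.
<Handler TunnelledByPEAP=1>
	<AuthBy FILE>
		# Assumed file holding the real user entries
		Filename %D/dot1x_users
		# Assumed inner method
		EAPType MSCHAP-V2
	</AuthBy>
</Handler>

<Handler TunnelledByTTLS=1>
	<AuthBy FILE>
		# Same assumed user file and inner method
		Filename %D/dot1x_users
		EAPType MSCHAP-V2
	</AuthBy>
</Handler>

# Outer requests: this clause only negotiates the TLS tunnel.
# No Filename is set, so the outer identity is never looked up
# and any outer user name is accepted at this stage.
<Handler>
	<AuthBy FILE>
		Identifier AuthByDot1xAnonymous
		NoDefault
		EAPType TTLS, PEAP
		EAPAnonymous %0
		EAPTLS_CAFile %D\cacert.pem
		EAPTLS_CertificateFile %D\cert.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D\key.pem
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
		EAPTLS_PEAPVersion 0
		EAPTLS_PEAPBrokenV1Label
		EAPTTLS_NoAckRequired
	</AuthBy>
</Handler>
```

Because the outer identity is accepted without any lookup, per-user checks and restrictions belong in the tunnelled Handlers.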




