[RADIATOR] question about machine based authentication

Joy Veronneau jv11 at cornell.edu
Wed Dec 7 15:42:13 CST 2011


Hi,

I am still working on my machine based authentication config.

Config1 (below) works fine but requires that the names of the machines be
listed in the file tls_anon.

I need to modify this config so that I do not need to maintain a list of
host names on the radiator server and so that I can execute an external
script that formats a Filter-Id for a VLAN name to return with the ACCEPT.
I thought this would be pretty straight forward, see config2 below. The
problem is that just this minor change causes the client to hang or
something during the negotiation. Once the accept is sent, nothing else
happens - we've verified this looking at the traffic on the AP. I've
included a debug log as well.

I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong
or I just can't use AuthBy EXTERNAL in combination with TLS?

TIA,
Joy

-------
config1: (works if names of computers are in tls_anon file)
<AuthBy FILE>
  Identifier TLS
  Filename %D/tls_anon
  EAPType TLS
  EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
  EAPTLS_CertificateFile /app/radius/keys/agate1.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
  EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
  EAPTLS_MaxFragmentSize 1000
  AutoMPPEKeys
</AuthBy>

<AuthBy EXTERNAL>
  Identifier ADCERT
  # looks up VLAN and returns Filter-Id
  Command /app/radius/scripts/authby.ADCERT
</AuthBy>



<AuthBy GROUP>
  Identifier dot1x_tls
  AuthByPolicy ContinueWhileAccept
  AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
  AuthByPolicy ContinueAlways
  RewriteUsername s/^host\///
  AuthBy dot1x_tls
  AuthBy ADCERT
  AcctLogFileName %L/%y%m%d-eduroam.log
</Handler>
------------
config2 (doesn't work. see log below.)
#<AuthBy FILE>
<AuthBy EXTERNAL>
  Identifier TLS
#        Filename %D/tls_anon
  EAPType TLS
  EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
  EAPTLS_CertificateFile /app/radius/keys/agate1.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
  EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
  EAPTLS_MaxFragmentSize 1000
  Command /app/radius/scripts/authby.ADCERT
  AutoMPPEKeys
</AuthBy>

<AuthBy GROUP>
  Identifier dot1x_tls
  AuthByPolicy ContinueWhileAccept
  AuthBy TLS
</AuthBy>


<Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
  AuthByPolicy ContinueAlways
  RewriteUsername s/^host\///
  AuthBy dot1x_tls
#       AuthBy ADCERT
  AcctLogFileName %L/%y%m%d-eduroam.log
  AuthLog QRadar_WIRELESS
</Handler>

-----------

the debug log

*** Received from 132.236.115.218 port 33004 ....
Code:       Access-Request
Identifier: 186
Authentic:  <201><217><161><218><164><173>b<229><24><147><163>G#<30>]<179>
Attributes:
        User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
        NAS-IP-Address = 132.236.115.218
        NAS-Port = 1
        NAS-Identifier = "cit.redrover.secure"
        NAS-Port-Type = Wireless-IEEE-802-11
        Calling-Station-Id = "0014D1EA856B"
        Called-Station-Id = "000B866222B0"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
        Aruba-Essid-Name = "eduroam-test"
        Aruba-Location-Id = "test-rhodes-745-ap"
        Message-Authenticator =
<139><149>3<145><153>Z<4><192><210>[,<170>g<15><21>p

Wed Dec  7 16:32:46 2011: DEBUG: Handling request with Handler
'Aruba-Essid-Name="eduroam-test", User-Name = /^host/i', Identifier ''
Wed Dec  7 16:32:46 2011: DEBUG: Rewrote user name to
CIT-JV11GTEST2.cit.cornell.edu
Wed Dec  7 16:32:46 2011: DEBUG:  Deleting session for
host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
Wed Dec  7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
Wed Dec  7 16:32:46 2011: DEBUG: Running command:
/app/radius/scripts/authby.ADCERT
Wed Dec  7 16:32:46 2011: DEBUG: External command exited with status 0
Wed Dec  7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
Wed Dec  7 16:32:46 2011: DEBUG: Access accepted for
CIT-JV11GTEST2.cit.cornell.edu
Wed Dec  7 16:32:46 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004 ....
Code:       Access-Accept
Identifier: 186
Authentic:  <234><162><3>*<215><25><250>&<21>t<149><129>><168><202><204>
Attributes:
        Filter-Id = "eduroam-correct"

(That's all that's in the logs...)
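As an added defender-side check (my own script, not part of the original post and not Radiator code), the Python below parses a Radiator debug log like the one above and flags every Access-Accept that directly answers the supplicant's EAP Identity response while carrying no EAP-Message itself. That is exactly what this log shows: the external command produced the accept on the first request, so no EAP-TLS handshake ever ran, the client certificate was never checked, and the supplicant is left waiting for EAP to continue. The sample log is constructed from the attributes quoted in the post.

```python
import re

# Constructed sample in the shape of the Radiator debug log from the post: the
# Access-Request carries only the supplicant's EAP Identity response, and the
# Access-Accept that follows carries no EAP-Message at all.
SAMPLE_LOG = """\
*** Received from 132.236.115.218 port 33004 ....
Code:       Access-Request
Identifier: 186
Attributes:
        User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
        EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
*** Sending to 132.236.115.218 port 33004 ....
Code:       Access-Accept
Identifier: 186
Attributes:
        Filter-Id = "eduroam-correct"
"""

EAP_RESPONSE, EAP_IDENTITY = 2, 1  # EAP code / type values from RFC 3748

def decode_radiator_bytes(text):
    """Radiator prints non-printable bytes as <n> and printable ones literally."""
    return bytes(int(m.group(1)) if m.group(1) else ord(m.group(2))
                 for m in re.finditer(r"<(\d+)>|(.)", text))

def parse_packets(log_text):
    """Split the debug log into packets: direction, Code, Identifier, attributes."""
    packets = []
    for line in log_text.splitlines():
        if line.startswith("*** "):
            packets.append({"dir": line.split()[1], "attrs": {}})  # Received / Sending
        elif packets and line.startswith(("Code:", "Identifier:")):
            key, _, value = line.partition(":")
            packets[-1][key] = value.strip()
        elif packets and line.startswith(" ") and " = " in line:
            name, _, value = line.strip().partition(" = ")
            packets[-1]["attrs"].setdefault(name, value)
    return packets

def find_unauthenticated_accepts(log_text):
    """Return (Identifier, User-Name) for each Access-Accept that answers an
    Identity-only request without any EAP-Message: no EAP-TLS round trip ran."""
    findings, pending = [], {}
    for p in parse_packets(log_text):
        if p["dir"] == "Received" and p.get("Code") == "Access-Request":
            pending[p.get("Identifier")] = p
        elif p["dir"] == "Sending" and p.get("Code") == "Access-Accept":
            req = pending.pop(p.get("Identifier"), {"attrs": {}})
            eap = decode_radiator_bytes(req["attrs"].get("EAP-Message", ""))
            identity_only = len(eap) > 4 and eap[0] == EAP_RESPONSE and eap[4] == EAP_IDENTITY
            if identity_only and "EAP-Message" not in p["attrs"]:
                findings.append((p.get("Identifier"), req["attrs"].get("User-Name", "?").strip('"')))
    return findings
```

Run it over a full debug log and a non-empty result means the server granted access, and handed out the Filter-Id VLAN, without the supplicant ever presenting its certificate.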