[RADIATOR] question about machine based authentication

Heikki Vatiainen hvn at open.com.au
Thu Dec 8 16:07:48 CST 2011


On 12/07/2011 11:42 PM, Joy Veronneau wrote:

Hello Joy,

> I am still working on my machine based authentication config.
> 
> Config1 (below) works fine but requires that the names of the machines be
> listed in the file tls_anon.

Try with something like this:
<Handler ...>
   AuthByPolicy ContinueWhileAccept
   AuthBy file-tls
   AuthBy external-adcert
</Handler>

With the above EAP-TLS will run first and when it is done and returns
ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
of the whole authentication process.

Please let us know of your results

> I need to modify this config so that I do not need to maintain a list of
> host names on the radiator server and so that I can execute an external
> script that formats a Filter-Id for a VLAN name to return with the ACCEPT.
> I thought this would be pretty straight forward, see config2 below. The
> problem is that just this minor change causes the client to hang or
> something during the negotiation. Once the accept is sent, nothing else
> happens - we've verified this looking at the traffic on the AP. I've
> included a debug log as well.
> 
> I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong
> or I just can't use AuthBy EXTERNAL in combination with TLS?
> 
> TIA,
> Joy
> 
> -------
> config1: (works if names of computers are in tis_anon file)
> <AuthBy FILE>
>   Identifier TLS
>   Filename %D/tls_anon
>   EAPType TLS
>   EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
>   EAPTLS_CertificateFile /app/radius/keys/agate1.pem
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
>   EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
>   EAPTLS_MaxFragmentSize 1000
>   AutoMPPEKeys
> </AuthBy>
> 
> <AuthBy EXTERNAL>
>   Identifier ADCERT
>   Command /app/radius/scripts/authby.ADCERT (looks up VLAN and returns
> Filter-Id)
> </AuthBy>
> 
> 
> 
> <AuthBy GROUP>
>   Identifier dot1x_tls
>   AuthByPolicy ContinueWhileAccept
>   AuthBy TLS
> </AuthBy>
> 
> <Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
>   AuthByPolicy ContinueAlways
>   RewriteUsername s/^host\///
>   AuthBy dot1x_tls
>   AuthBy ADCERT
>   AcctLogFileName %L/%y%m%d-eduroam.log
> </Handler>
> ------------
> config2 (doesn't work. see log below.)
> #<AuthBy FILE>
> <AuthBy EXTERNAL>
>   Identifier TLS
> #        Filename %D/tls_anon
>   EAPType TLS
>   EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
>   EAPTLS_CertificateFile /app/radius/keys/agate1.pem
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
>   EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
>   EAPTLS_MaxFragmentSize 1000
>   Command /app/radius/scripts/authby.ADCERT
>   AutoMPPEKeys
> </AuthBy>
> 
> <AuthBy GROUP>
>   Identifier dot1x_tls
>   AuthByPolicy ContinueWhileAccept
>   AuthBy TLS
> </AuthBy>
> 
> 
> <Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
>   AuthByPolicy ContinueAlways
>   RewriteUsername s/^host\///
>   AuthBy dot1x_tls
> #       AuthBy ADCERT
>   AcctLogFileName %L/%y%m%d-eduroam.log
>   AuthLog QRadar_WIRELESS
> </Handler>
> 
> -----------
> 
> the debug log
> 
> *** Received from 132.236.115.218 port 33004 ....
> Code:       Access-Request
> Identifier: 186
> Authentic:  <201><217><161><218><164><173>b<229><24><147><163>G#<30>]<179>
> Attributes:
>         User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
>         NAS-IP-Address = 132.236.115.218
>         NAS-Port = 1
>         NAS-Identifier = "cit.redrover.secure"
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "0014D1EA856B"
>         Called-Station-Id = "000B866222B0"
>         Service-Type = Login-User
>         Framed-MTU = 1100
>         EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
>         Aruba-Essid-Name = "eduroam-test"
>         Aruba-Location-Id = "test-rhodes-745-ap"
>         Message-Authenticator =
> <139><149>3<145><153>Z<4><192><210>[,<170>g<15><21>p
> 
> Wed Dec  7 16:32:46 2011: DEBUG: Handling request with Handler
> 'Aruba-Essid-Name="eduroam-test", User-Name = /^host/i', Identifier ''
> Wed Dec  7 16:32:46 2011: DEBUG: Rewrote user name to
> CIT-JV11GTEST2.cit.cornell.edu
> Wed Dec  7 16:32:46 2011: DEBUG:  Deleting session for
> host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
> Wed Dec  7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
> Wed Dec  7 16:32:46 2011: DEBUG: Running command:
> /app/radius/scripts/authby.ADCERT
> Wed Dec  7 16:32:46 2011: DEBUG: External command exited with status 0
> Wed Dec  7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> Wed Dec  7 16:32:46 2011: DEBUG: Access accepted for
> CIT-JV11GTEST2.cit.cornell.edu
> Wed Dec  7 16:32:46 2011: DEBUG: Packet dump:
> *** Sending to 132.236.115.218 port 33004 ....
> Code:       Access-Accept
> Identifier: 186
> Authentic:  <234><162><3>*<215><25><250>&<21>t<149><129>><168><202><204>
> Attributes:
>         Filter-Id = "eduroam-correct"
> 
> (That's all that's in the logsŠ)
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


More information about the radiator mailing list