[RADIATOR] question about machine based authentication
Joy Veronneau
jv11 at cornell.edu
Thu Dec 8 16:15:08 CST 2011
But if I do that, I will still have to have the names of the machines in
the tls_anon file, won't I?
Thanks,
Joy
On 12/8/11 5:07 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:
>On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>
>Hello Joy,
>
>> I am still working on my machine based authentication config.
>>
>> Config1 (below) works fine but requires that the names of the machines be
>> listed in the file tls_anon.
>
>Try with something like this:
><Handler ...>
> AuthByPolicy ContinueWhileAccept
> AuthBy file-tls
> AuthBy external-adcert
></Handler>
>
>With the above EAP-TLS will run first and when it is done and returns
>ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
>of the whole authentication process.
>
>Please let us know of your results
>
>> I need to modify this config so that I do not need to maintain a list of
>> host names on the radiator server and so that I can execute an external
>> script that formats a Filter-Id for a VLAN name to return with the ACCEPT.
>> I thought this would be pretty straight forward, see config2 below. The
>> problem is that just this minor change causes the client to hang or
>> something during the negotiation. Once the accept is sent, nothing else
>> happens - we've verified this looking at the traffic on the AP. I've
>> included a debug log as well.
>>
>> I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong
>> or I just can't use AuthBy EXTERNAL in combination with TLS?
>>
>> TIA,
>> Joy
>>
>> -------
>> config1: (works if names of computers are in tls_anon file)
>> <AuthBy FILE>
>> Identifier TLS
>> Filename %D/tls_anon
>> EAPType TLS
>> EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
>> EAPTLS_CertificateFile /app/radius/keys/agate1.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
>> EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
>> EAPTLS_MaxFragmentSize 1000
>> AutoMPPEKeys
>> </AuthBy>
>>
>> <AuthBy EXTERNAL>
>> Identifier ADCERT
>> Command /app/radius/scripts/authby.ADCERT (looks up VLAN and returns Filter-Id)
>> </AuthBy>
>>
>>
>>
>> <AuthBy GROUP>
>> Identifier dot1x_tls
>> AuthByPolicy ContinueWhileAccept
>> AuthBy TLS
>> </AuthBy>
>>
>> <Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
>> AuthByPolicy ContinueAlways
>> RewriteUsername s/^host\///
>> AuthBy dot1x_tls
>> AuthBy ADCERT
>> AcctLogFileName %L/%y%m%d-eduroam.log
>> </Handler>
>> ------------
>> config2 (doesn't work. see log below.)
>> #<AuthBy FILE>
>> <AuthBy EXTERNAL>
>> Identifier TLS
>> # Filename %D/tls_anon
>> EAPType TLS
>> EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
>> EAPTLS_CertificateFile /app/radius/keys/agate1.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
>> EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
>> EAPTLS_MaxFragmentSize 1000
>> Command /app/radius/scripts/authby.ADCERT
>> AutoMPPEKeys
>> </AuthBy>
>>
>> <AuthBy GROUP>
>> Identifier dot1x_tls
>> AuthByPolicy ContinueWhileAccept
>> AuthBy TLS
>> </AuthBy>
>>
>>
>> <Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
>> AuthByPolicy ContinueAlways
>> RewriteUsername s/^host\///
>> AuthBy dot1x_tls
>> # AuthBy ADCERT
>> AcctLogFileName %L/%y%m%d-eduroam.log
>> AuthLog QRadar_WIRELESS
>> </Handler>
>>
>> -----------
>>
>> the debug log
>>
>> *** Received from 132.236.115.218 port 33004 ....
>> Code: Access-Request
>> Identifier: 186
>> Authentic:
>><201><217><161><218><164><173>b<229><24><147><163>G#<30>]<179>
>> Attributes:
>> User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
>> NAS-IP-Address = 132.236.115.218
>> NAS-Port = 1
>> NAS-Identifier = "cit.redrover.secure"
>> NAS-Port-Type = Wireless-IEEE-802-11
>> Calling-Station-Id = "0014D1EA856B"
>> Called-Station-Id = "000B866222B0"
>> Service-Type = Login-User
>> Framed-MTU = 1100
>> EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
>> Aruba-Essid-Name = "eduroam-test"
>> Aruba-Location-Id = "test-rhodes-745-ap"
>> Message-Authenticator =
>> <139><149>3<145><153>Z<4><192><210>[,<170>g<15><21>p
>>
>> Wed Dec 7 16:32:46 2011: DEBUG: Handling request with Handler
>> 'Aruba-Essid-Name="eduroam-test", User-Name = /^host/i', Identifier ''
>> Wed Dec 7 16:32:46 2011: DEBUG: Rewrote user name to
>> CIT-JV11GTEST2.cit.cornell.edu
>> Wed Dec 7 16:32:46 2011: DEBUG: Deleting session for
>> host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
>> Wed Dec 7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP:
>>dot1x_tls
>> Wed Dec 7 16:32:46 2011: DEBUG: Running command:
>> /app/radius/scripts/authby.ADCERT
>> Wed Dec 7 16:32:46 2011: DEBUG: External command exited with status 0
>> Wed Dec 7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
>> Wed Dec 7 16:32:46 2011: DEBUG: Access accepted for
>> CIT-JV11GTEST2.cit.cornell.edu
>> Wed Dec 7 16:32:46 2011: DEBUG: Packet dump:
>> *** Sending to 132.236.115.218 port 33004 ....
>> Code: Access-Accept
>> Identifier: 186
>> Authentic: <234><162><3>*<215><25><250>&<21>t<149><129>><168><202><204>
>> Attributes:
>> Filter-Id = "eduroam-correct"
>>
>> (That's all that's in the logs…)
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>--
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
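An added example, not code from this thread or from Radiator itself, of the kind of script the AuthBy EXTERNAL step would run once EAP-TLS has already returned ACCEPT in the ContinueWhileAccept chain Heikki suggests above. It assumes Radiator's AuthBy EXTERNAL convention (request attributes arrive on stdin as "Name = value" lines, lines printed to stdout become reply attributes, exit status 0 is ACCEPT and 1 is REJECT) and uses a constructed domain-to-VLAN mapping rather than a list of machine names.

```shell
#!/bin/sh
# Added example, not part of the thread: a script of the kind AuthBy EXTERNAL
# runs after EAP-TLS has already ACCEPTed (AuthByPolicy ContinueWhileAccept).
# Assumed AuthBy EXTERNAL convention: request attributes on stdin as
# "Name = value" lines, printed lines become reply attributes, exit 0 = ACCEPT,
# exit 1 = REJECT. The domain-to-VLAN mapping below is constructed.

# Print the User-Name value (quotes stripped) from the attribute lines on stdin.
# The Handler's RewriteUsername has already removed the "host/" prefix.
user_name_from_request() {
    sed -n 's/^[[:space:]]*User-Name[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' |
        head -n 1
}

# Map a machine FQDN to a VLAN name. Matching is case-insensitive and anchored
# on a leading dot, so "notcit.cornell.edu" does not match the cit rule.
# Prints nothing for a host outside the known domains.
vlan_for_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$host" in
        *.cit.cornell.edu) echo "eduroam-correct" ;;   # constructed mapping
        *.lib.cornell.edu) echo "eduroam-library" ;;   # constructed mapping
        *)                 ;;                          # unknown: no VLAN
    esac
}

# Entry point: emit Filter-Id for a known host and ACCEPT, otherwise REJECT.
# Rejecting unknown hosts keeps the chain from ending in an ACCEPT that
# carries no VLAN at all.
authby_adcert() {
    name=$(user_name_from_request)
    [ -n "$name" ] || return 1
    vlan=$(vlan_for_host "$name")
    [ -n "$vlan" ] || return 1
    printf 'Filter-Id = "%s"\n' "$vlan"
    return 0
}

# Act as the Command only when installed under the name used in the config
# (Command /app/radius/scripts/authby.ADCERT); otherwise just define functions.
if [ "$(basename -- "$0")" = "authby.ADCERT" ]; then
    authby_adcert
    exit $?
fi
```

Because the script only sees the User-Name that the preceding EAP-TLS step accepted, it adds the VLAN decision without becoming the certificate check itself.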