[RADIATOR] question about machine based authentication

Heikki Vatiainen hvn at open.com.au
Thu Dec 8 16:47:43 CST 2011


On 12/09/2011 12:31 AM, Joy Veronneau wrote:
> Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
> the computer name. Seems like I would want the cert name checked?
> Is there a way I can still check the cert name?

In this case you could try not enabling EAPTLS_NoCheckId and use
Filename %D/tls_anon with this single line:
DEFAULT

Since NoDefault is not on, the DEFAULT entry will match and user lookup
should be successful.

Another option is to have EAPTLS_NoCheckId enabled and do name matching
with EAPTLS_CertificateVerifyHook.

Thanks!
Heikki


> Sorry to have so many questions…
> 
> Thanks,
> Joy
> 
> On 12/8/11 5:26 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:
> 
>> On 12/09/2011 12:15 AM, Joy Veronneau wrote:
>>
>>> But if I do that, I will still have to have the names of the machines in
>>> the tls_anon file, wouldn't I?
>>
>> Good point, I overlooked that part. Please see ref.pdf section "5.20.46
>> EAPTLS_NoCheckId". You can turn off the name check.
>>
>> Thanks!
>> Heikki
>>
>>> Thanks,
>>>
>>> Joy
>>>
>>> On 12/8/11 5:07 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:
>>>
>>>> On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>>>>
>>>> Hello Joy,
>>>>
>>>>> I am still working on my machine based authentication config.
>>>>>
>>>>> Config1 (below) works fine but requires that the names of the machines
>>>>> be
>>>>> listed in the file tls_anon.
>>>>
>>>> Try with something like this:
>>>> <Handler ...>
>>>>   AuthByPolicy ContinueWhileAccept
>>>>   AuthBy file-tls
>>>>   AuthBy external-adcert
>>>> </Handler>
>>>>
>>>> With the above EAP-TLS will run first and when it is done and returns
>>>> ACCEPT, the AuthBy EXTERNAL extra check will run determining the
>>>> outcome
>>>> of the whole authentication process.
>>>>
>>>> Please let us know of your results
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
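The second option above (EAPTLS_NoCheckId on, name matching done in EAPTLS_CertificateVerifyHook) needs a hook that compares the machine's EAP identity with the CN of the client certificate it presented. The following is an added example, not Radiator's own code or anything from this thread. It assumes the hook receives the identity and the certificate subject string in that order; the real argument list is documented in ref.pdf and should be checked before use. The file name verify_cn.pl is a placeholder.

```perl
#!/usr/bin/perl
# Added example for use with EAPTLS_NoCheckId + EAPTLS_CertificateVerifyHook.
# Windows machine accounts authenticate with an EAP identity of the form
# "host/pc01.example.com"; the client certificate issued to that machine
# carries the FQDN in its subject CN. The helpers below accept only an exact,
# case-insensitive match, so a certificate issued to one machine cannot be
# used to log on as another.
use strict;
use warnings;

# Extract the CN from an OpenSSL-style one-line subject such as
# "/DC=com/DC=example/CN=pc01.example.com". Returns undef if there is none.
sub cn_from_subject {
    my ($subject) = @_;
    return undef unless defined $subject;
    return $subject =~ m{(?:^|/)CN=([^/]+)} ? $1 : undef;
}

# Normalise the EAP identity: strip the "host/" prefix used for machine
# accounts, drop trailing whitespace and lower-case the result.
sub host_from_identity {
    my ($identity) = @_;
    return undef unless defined $identity;
    $identity =~ s{^host/}{}i;
    $identity =~ s{\s+$}{};
    return lc $identity;
}

# 1 if the certificate CN names the same host as the EAP identity, else 0.
# No wildcard or suffix matching is done on purpose.
sub identity_matches_cert {
    my ($identity, $subject) = @_;
    my $host = host_from_identity($identity);
    my $cn   = cn_from_subject($subject);
    return 0 unless defined $host && defined $cn;
    return lc($cn) eq $host ? 1 : 0;
}

# Hook body. ASSUMPTION: Radiator calls it as (identity, subject); confirm
# the argument order in ref.pdf. Logs through Radiator's main::log when
# running inside the server, to STDERR when run stand-alone for testing.
my $verify_hook = sub {
    my ($identity, $subject) = @_;
    my $ok  = identity_matches_cert($identity, $subject);
    my $msg = "EAP-TLS CN check for '$identity' against '$subject': "
            . ($ok ? "match" : "MISMATCH");
    if (defined &main::log) {
        &main::log($main::LOG_DEBUG, $msg);
    } else {
        print STDERR "$msg\n";
    }
    return $ok;
};

# Constructed sample inputs: one accept case, one reject case.
$verify_hook->('host/PC01.example.com', '/DC=com/DC=example/CN=pc01.example.com');
$verify_hook->('host/pc02.example.com', '/DC=com/DC=example/CN=pc01.example.com');
```

With the hook saved as a file, the relevant lines in the EAP-TLS AuthBy would be EAPTLS_NoCheckId plus EAPTLS_CertificateVerifyHook file:"%D/verify_cn.pl" (the file: form is Radiator's usual way of loading a hook from disk). Running the file directly with perl exercises the matching logic on the two constructed inputs without a RADIUS server.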

