[RADIATOR] question about machine based authentication

Joy Veronneau jv11 at cornell.edu
Fri Dec 9 08:37:18 CST 2011


Ok, that's what I was looking for! putting DEFAULT in the file yields the
desired behavior.

Thanks!

Joy

On 12/8/11 5:47 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:

>On 12/09/2011 12:31 AM, Joy Veronneau wrote:
>> Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
>> the computer name. Seems like I would want the cert name checked?
>> Is there a way I can still check the cert name?
>
>In this case you could try not enabling EAPTLS_NoCheckId and use
>Filename %D/tls_anon with this single line:
>DEFAULT
>
>Since NoDefault is not on, the DEFAULT entry will match and user lookup
>should be successful.
>
>Another option is to have EAPTLS_NoCheckId enabled and do name matching
>with EAPTLS_CertificateVerifyHook
>
>Thanks!
>Heikki
>
>
>> Sorry to have so many questions…
>> 
>> Thanks,
>> Joy
>> 
>> On 12/8/11 5:26 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:
>> 
>>> On 12/09/2011 12:15 AM, Joy Veronneau wrote:
>>>
>>>> But if I do that, I will still have to have the names of the machines in
>>>> the tls_anon file, wouldn't I?
>>>
>>> Good point, I overlooked that part. Please see ref.pdf section "5.20.46
>>> EAPTLS_NoCheckId". You can turn off the name check.
>>>
>>> Thanks!
>>> Heikki
>>>
>>>> Thanks,
>>>>
>>>> Joy
>>>>
>>>> On 12/8/11 5:07 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:
>>>>
>>>>> On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>>>>>
>>>>> Hello Joy,
>>>>>
>>>>>> I am still working on my machine based authentication config.
>>>>>>
>>>>>> Config1 (below) works fine but requires that the names of the machines
>>>>>> be listed in the file tls_anon.
>>>>>
>>>>> Try with something like this:
>>>>> <Handler ...>
>>>>>   AuthByPolicy ContinueWhileAccept
>>>>>   AuthBy file-tls
>>>>>   AuthBy external-adcert
>>>>> </Handler>
>>>>>
>>>>> With the above EAP-TLS will run first and when it is done and returns
>>>>> ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
>>>>> of the whole authentication process.
>>>>>
>>>>> Please let us know of your results
>> 
>
>
>-- 
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
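The setup Heikki describes, written out as an added example (not from the original thread and not one of Radiator's own sample files): file-tls, external-adcert, %D/tls_anon, DEFAULT and EAPTLS_CertificateVerifyHook are the names used in the thread; the certificate paths and the check-adcert script are placeholders, and the Handler has no match condition because the thread leaves it unspecified.

```conf
# --- %D/tls_anon (constructed): one DEFAULT entry and nothing else.
# With NoDefault unset, DEFAULT matches every EAP identity, so the file
# no longer has to list each machine. Radiator still verifies that the
# client certificate chains to the CA and, because EAPTLS_NoCheckId is
# NOT set, that the certificate name matches the EAP identity.
DEFAULT

# --- radius.cfg excerpt (constructed)
<AuthBy FILE>
    Identifier file-tls
    Filename %D/tls_anon
    EAPType TLS
    # placeholder certificate paths; substitute your own
    EAPTLS_CAFile %D/certificates/ca.pem
    EAPTLS_CertificateFile %D/certificates/server.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/server.key
    # Alternative from the thread: enable EAPTLS_NoCheckId here and do
    # the name matching yourself in EAPTLS_CertificateVerifyHook.
</AuthBy>

<AuthBy EXTERNAL>
    Identifier external-adcert
    # Placeholder script: receives the request attributes on stdin and
    # exits 0 to accept, non-zero to reject. This is the step that ties
    # the presented certificate to a known machine account, since the
    # DEFAULT entry alone accepts any certificate the CA has issued.
    Command /usr/local/bin/check-adcert.pl
</AuthBy>

<Handler>
    # EAP-TLS runs first; only if it returns ACCEPT does the
    # EXTERNAL check run, and its result decides the request.
    AuthByPolicy ContinueWhileAccept
    AuthBy file-tls
    AuthBy external-adcert
</Handler>
```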
