[RADIATOR] EAP-PEAP-MSCAHCAPV and EAP-PEAP-TLS (smartcard)
Heikki Vatiainen
hvn at open.com.au
Wed Jun 22 04:12:49 CDT 2011
On 06/22/2011 11:29 AM, Vandenbroucke Luc wrote:
Hello Luc,
> I think the config below is fine now. (And MSCAHCAPV means MSCHAP-V2...)
What you have looks good. Please see my comments below.
> But I'm new to Radiator... So if anyone thinks I'm doing stupid things, please tell me before this thing goes into production.
>
> The handler with EAPType=TLS is doing everything for the smartcards. I can even use a separate CA: the smartcard CA.
>
> For Windows it handles automatic machine authentication host/pcxxx.x.y, user dom/username, with no realm,
> and manual user input user@x.y with realm x.y (necessary for eduroam).
>
> Does this work by accident, or is everything ok like this?
> Specifying Realm= means Realm = NULL, I hope, and not Realm Default.
Realm is everything after @ character, so this looks good. About
specifying Realms, please see below.
> <AuthBy LSA>
> Identifier LSASCK
> UsernameMatchesWithoutRealm
> DefaultDomain SCK.BE
> #Group Administrators
> EAPType MSCHAP-V2
> AddToReply Trapeze-VLAN-Name="guest"
> </AuthBy>
>
> #Here I'm using a public CA and server certificate, for proxying through the eduroam network.
> <AuthBy LSA>
> Identifier LSAPEAP
> EAPType PEAP,TTLS
> DefaultDomain SCK.BE
> EAPTLS_CAFile %D/certificates/Addtrust/AddTrustChain.pem
> EAPTLS_CertificateFile %D/certificates/radius.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/radius.pvk
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> EAPTLS_PEAPVersion 0
> EAPTLS_PEAPBrokenV1Label
> </AuthBy>
>
>
>
> <Handler TunnelledByPEAP=1,Realm=sck.be>
> AuthBy LSASCK
> </Handler>
You did not specify EAPAnonymous in the PEAP handler's AuthBy, so User-Name
will always be anonymous for the inner PEAP request and the realm is empty. If
you check the logs, you should see that the above Handler never matches PEAP
inner requests.
If a TTLS inner request has a User-Name attribute, it is never touched by
EAPAnonymous. I noticed you do not have any TunnelledByTTLS handlers even
though you allow TTLS above with EAPType.
> #empty realm when automatic login by windows.
> <Handler TunnelledByPEAP=1,Realm=>
> AuthBy LSASCK
> </Handler>
This is the handler that always matches inner PEAP when EAPAnonymous has
not been set.
> <Handler EAPType=PEAP,Realm=>
> AuthBy LSAPEAP
> </Handler>
>
> <Handler EAPType=PEAP,Realm=sck.be>
> AuthBy LSAPEAP
> </Handler>
You could replace the above two handlers with this:
<Handler EAPType=PEAP, Realm=/^(|sck\.be)$/>
AuthBy LSAPEAP
</Handler>
> # Windows Smartcard authentication
> # I'm using an internal CA, and server certificate, from the same CA that provides the smartcards.
> # This is only used internally, because no outside company will trust our CA, but neither will they proxy our smartcard requests.
> <Handler EAPType=TLS>
> Identifier HPEAPTLS
> <AuthBy FILE>
> Filename %D/users
> EAPType TLS
> EAPTLS_CAFile %D/certificates/sckCA/sckCA.pem
> EAPTLS_CertificateFile %D/certificates/pc2848.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/pc2848.pvk
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> EAPTLS_SessionResumption 0
> AddToReplyIfNotExist Trapeze-VLAN-Name="guest"
> </AuthBy>
> </Handler>
You should consider adding a default Handler that catches the rest of
the requests. Otherwise requests with no matching Handler are ignored
and can cause NASes to mark the server dead.
# This is the default handler
<Handler>
Identifier default-handler
<AuthBy INTERNAL>
Identifier default-authby
# See ref.pdf for values that suit your environment
</AuthBy>
</Handler>
Thanks!
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
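To make the Handler selection discussed in this thread concrete, here is a small model of it in Python. It is an added illustration, not Radiator code: Realm is taken as everything after '@' in User-Name, Handlers are tried in configuration order and the first whose check items all match wins; the meaning of the EAPAnonymous value '%0' (inner identity) is an assumption, and the real matching rules have more to them than this.

```python
import re

# Constructed model (not Radiator code) of the Handler selection discussed
# above: Realm is what follows '@' in User-Name, Handlers are tried in
# configuration order and the first whose check items all match wins.

# (name, check items, AuthBy) in the order they appear in Luc's config
HANDLERS = [
    ("peap-inner-sckbe", {"TunnelledByPEAP": "1", "Realm": "sck.be"}, "LSASCK"),
    ("peap-inner-empty", {"TunnelledByPEAP": "1", "Realm": ""}, "LSASCK"),
    ("peap-outer-empty", {"EAPType": "PEAP", "Realm": ""}, "LSAPEAP"),
    ("peap-outer-sckbe", {"EAPType": "PEAP", "Realm": "sck.be"}, "LSAPEAP"),
    ("tls-smartcard", {"EAPType": "TLS"}, "HPEAPTLS"),
]
# Heikki's suggestion: one regex Handler replacing the two outer PEAP ones
MERGED = HANDLERS[:2] + [
    ("peap-outer-merged", {"EAPType": "PEAP", "Realm": r"/^(|sck\.be)$/"}, "LSAPEAP"),
    HANDLERS[4]]

def realm_of(user_name):
    """Everything after the first '@'; empty for host/pc1.sck.be or dom/user."""
    return user_name.partition("@")[2]

def check_matches(expected, actual):
    """A /.../ check item is a regex, anything else an exact string."""
    if len(expected) > 1 and expected[0] == expected[-1] == "/":
        return re.search(expected[1:-1], actual) is not None
    return expected == actual

def select_handler(request, handlers=HANDLERS):
    """Name of the first matching Handler, or None when nothing matches
    (Radiator then ignores the request; hence the advice to add a default)."""
    for name, checks, _authby in handlers:
        if all(check_matches(v, request.get(k, "")) for k, v in checks.items()):
            return name
    return None

def outer_request(eap_type, user_name):
    """Outer RADIUS request: EAPType plus the Realm derived from User-Name."""
    return {"EAPType": eap_type, "User-Name": user_name, "Realm": realm_of(user_name)}

def inner_peap_request(inner_identity, eap_anonymous=None):
    """Inner PEAP request seen by TunnelledByPEAP Handlers. Without
    EAPAnonymous the User-Name is the default 'anonymous'; the value '%0'
    is assumed here to stand for the inner identity."""
    user_name = "anonymous" if eap_anonymous is None else eap_anonymous
    if eap_anonymous == "%0":
        user_name = inner_identity
    return {"TunnelledByPEAP": "1", "User-Name": user_name, "Realm": realm_of(user_name)}
```

Running `select_handler(inner_peap_request("user@sck.be"))` picks the `Realm=` tunnelled Handler, never the `Realm=sck.be` one, and an outer PEAP request for a foreign realm returns None, which is the case the default Handler is meant to catch.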