[RADIATOR] missing request attributes with TunnelledByPEAP

Heikki Vatiainen hvn at open.com.au
Thu Feb 16 17:38:05 CST 2012


On 02/16/2012 10:39 AM, Alexander Hartmaier wrote:

> I had to upgrade Radiator which was version 4.8 on this server so that
> it knows PreHandlerHook.

It should work with 4.8 and earlier versions too. It was documented in
the latest reference manual, but the functionality should have been
there. Sorry if I was unclear about this.

> It works when the PreHandlerHook is in the AuthBy but not when it is in
> the Handler but doesn't warn about the PreHandlerHook in the Handler.
> Are both supported for different usages?

You are correct, it goes in AuthBy. When I took a look at one example
configuration I had, I mistakenly thought I was looking at a Handler.
The correct place is AuthBy. Thanks for notifying me about this.

> What confused me is the fact that the copied attribute isn't visible in
> the trace file but the dispatching still works:

Since the PreHandlerHook runs just before the inner request is
dispatched for handling, the packet dump trace happens immediately
before the hook runs. So what you are seeing in the log is the packet
dump from before the PreHandlerHook runs.

I'll make a note about this and see if the order can be reversed: first
the PreHandlerHook and then the inner request dump. That would make it
easier to follow what gets added into the inner request.

If you add this as the last line in your hook, it will show how the
inner request was changed:

   main::log($main::LOG_DEBUG, "PEAP Tunnelled request Packet dump after " .
             "PreHandlerHook\n" . $tp->dump);

Thanks!
Heikki


> Thu Feb 16 09:34:34 2012: DEBUG: EAP PEAP inner authentication request
> for anonymous
> Thu Feb 16 09:34:34 2012: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <30><142><221><130>g<220><185>cI<189><138>Z<234>6*~
> Attributes:
>         EAP-Message = <2><12><0><2><13><0>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 10.1.2.3
>         NAS-Identifier = "nas.fqdn.net"
>         NAS-Port = 13
>         Calling-Station-Id = "00-21-6a-42-e8-46"
>         User-Name = "anonymous"
> 
> Thu Feb 16 09:34:34 2012: DEBUG: Handling request with Handler
> 'Client-Identifier="wlancontroller", Called-Station-Id=/:SSID$/,
> TunnelledByPEAP=1', Identifier ''
> 
> Best regards, Alex
> 
> Am 2012-02-15 19:40, schrieb Heikki Vatiainen:
>> On 02/15/2012 05:18 PM, Alexander Hartmaier wrote:
>>
>> Hello Alex,
>>
>>> The inner TLS packet is matched by
>>> <Handler Client-Identifier="wlancontroller", TunnelledByPEAP=1>
>>> but in case we want to have multiple SSIDs using PEAP-something we can't
>>> distinguish the inner request because the Called-Station-Id isn't
>>> included in the inner request.
>>>
>>> Is there an option which attributes get copied to the inner request packet?
>> You can use PreHandlerHook. It is now documented in 4.9 ref.pdf too:
>>
>>   5.20.65 PreHandlerHook
>>   For EAP types that carry inner requests (such as PEAP, TTLS, FAST
>>   etc), specifies a Perl hook to be called before the inner request
>>   is redispatched to a matching Realm or Handler.
>>
>>
>> In the outer Handler do something like this:
>>
>> PreHandlerHook sub { \
>>   my $tp = ${$_[0]}; \
>>   $tp->add_attr('Called-Station-Id', \
>>                 $tp->{outerRequest}->get_attr('Called-Station-Id')); \
>>   };
>>
>> tp stands for tunnelled packet. It can be manipulated with
>> PreHandlerHook from the outer Handler.
>>
>> Thanks!
>> Heikki
>>
>>


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
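The following is an added example, not code from this thread or from Radiator itself. It takes the hook discussed above (placed in the outer AuthBy, as the thread concluded, rather than in the Handler) and extends it to copy several outer-request attributes, skipping any the NAS did not send, and then dumps the inner request after the change so the copied attributes are actually visible in the trace. It assumes the Radiator hook API used in the thread ($tp as the tunnelled packet, $tp->{outerRequest}, get_attr, add_attr, dump and main::log), plus delete_attr on the request object and the file:"..." form of hook specification, which keeps the Perl out of the config file so that ordinary Perl comments can be used.

```perl
# Config side (added example): point the outer AuthBy that terminates PEAP at
# a hook file instead of inlining the Perl with backslash continuations.
#
#   <AuthBy FILE>
#       # ... your existing EAP/PEAP parameters ...
#       PreHandlerHook file:"%D/peap-prehandler.pl"
#   </AuthBy>
#
# Contents of %D/peap-prehandler.pl (hypothetical file name). Radiator
# expects the file to evaluate to an anonymous sub; it is called with a
# reference to the tunnelled (inner) request.
sub {
    my $tp = ${$_[0]};               # inner request, as in the thread
    my $outer = $tp->{outerRequest}; # outer Access-Request from the NAS

    # Nothing to copy from if the hook is somehow run without an outer
    # request (defensive; should not happen for PEAP inner requests).
    return unless defined $outer;

    # Attributes the inner Handler selection needs. The outer request may
    # omit any of them, so only copy the ones that are actually present.
    # Constructed list; adjust to whatever your Handler checks match on.
    my @copy = ('Called-Station-Id', 'Calling-Station-Id',
                'NAS-Identifier', 'NAS-Port-Type');

    foreach my $name (@copy) {
        my $value = $outer->get_attr($name);
        next unless defined $value;

        # The outer value is the authoritative one: replace any copy the
        # inner request already carries instead of adding a duplicate.
        $tp->delete_attr($name);
        $tp->add_attr($name, $value);
    }

    # Dump the inner request *after* the change. The built-in
    # "PEAP Tunnelled request Packet dump" trace is written before this
    # hook runs, so without this line the copied attributes never show up.
    main::log($main::LOG_DEBUG,
              "PEAP Tunnelled request Packet dump after PreHandlerHook\n"
              . $tp->dump);
};
```

With this in place the trace shows two dumps for each inner request: Radiator's own one (without Called-Station-Id) followed by the one from the hook (with it), which makes it straightforward to confirm that a Handler such as the one in the thread, with TunnelledByPEAP=1 and a Called-Station-Id check, is matching on the copied value and not by accident.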

