[RADIATOR] Enforce EAPTLS
Markus Moeller
huaraz at moeller.plus.com
Fri Dec 20 04:30:49 CST 2013
Hi,
I have a switch configured to do EAP-TLS authentication, and when I made an error in the config the following Access-Request was sent to Radiator.
Code: Access-Request
Identifier: 3
Authentic: 7O<24><227><149><222><130><147><179><146><194><195><181><206><190><11>
Attributes:
User-Name = "0021aa6e1103"
User-Password = <223><1><188><199><12><30><246><191><11><156>eV<211>*:<161>
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "44-B4-A9-F9-42-A8"
Calling-Station-Id = "00-21-DD-6F-35-03"
Message-Authenticator = <27>]/<245><205><143>J<147><3>d7`<218><202>bG
EAP-Key-Name =
NAS-Port-Type = Ethernet
NAS-Port = 50140
NAS-Port-Id = "GigabitEthernet1/0/40"
NAS-IP-Address = 10.7.1.2
But to my surprise Radiator sent back an Accept:
Wed Dec 18 10:14:12 2013: DEBUG: Handling request with Handler 'AuthType="radius"', Identifier ''
Wed Dec 18 10:14:12 2013: DEBUG: Deleting session for 0021aa6e1103, 10.7.1.2, 50140
Wed Dec 18 10:14:12 2013: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Dec 18 10:14:12 2013: DEBUG: Reading users file /opt/Radiator/users
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with 0021aa6e1103 [0021aa6e1103]
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE REJECT: No such user: 0021aa6e1103 [0021aa6e1103]
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with DEFAULT [0021aa6e1103]
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [0021aa6e1103]
Wed Dec 18 10:14:12 2013: DEBUG: AuthBy FILE result: ACCEPT,
Wed Dec 18 10:14:12 2013: DEBUG: Packet dump:
*** Sending to 10.7.1.2 port 1645 ....
Code: Access-Accept
My config is quite simple (maybe too simple):
<Handler AuthType="radius">
AuthBy EapTLS
AuthLog LogToSyslog
</Handler>
# EAPTLS authentication
<AuthBy FILE>
Identifier EapTLS
# the file is used to check usernames (assuming EAP-TLS certificate checks pass):
Filename %D/users
EAPType TLS
# WLAN Additional Certificate Check
EAPTLS_CertificateVerifyHook file:"%D/hooks/eaptls_check.pl"
# WLAN root CAs
EAPTLS_CAFile %{GlobalVar:CertsDir}/CA/ca.pem
EAPTLS_CertificateType PEM
# Radiator Cert
EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server/my_server_cert.pem
# Radiator private key
EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server/my_server_cert.key
EAPTLS_MaxFragmentSize 1000
EAPTLS_CRLCheck
EAPTLS_CRLFile %{GlobalVar:CertsDir}/crls/ca.pem
AutoMPPEKeys
</AuthBy>
What do I need to add so that a RADIUS request without an EAP-Message does not get accepted?
Thank you
Markus
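An added example, not from Markus's post or from Radiator itself: a Python check over a constructed Radiator debug excerpt (laid out like the dump above) that flags every Access-Accept granted by the users-file DEFAULT entry for a request that carried no EAP-Message. That pairing is exactly the fallback visible in the log: the explicit lookup fails, DEFAULT matches, and a plain User-Password request is accepted by an AuthBy meant for EAP-TLS.

```python
import re

# Constructed sample (not a real capture): a MAC-style request with no
# EAP-Message accepted via DEFAULT, then a genuine EAP-TLS request that
# matched an explicit users-file entry and must not be flagged.
SAMPLE_LOG = """\
*** Received from 10.7.1.2 port 1645 ....
Code: Access-Request
Attributes:
        User-Name = "0021aa6e1103"
        User-Password = <223><1><188>
        NAS-IP-Address = 10.7.1.2
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE REJECT: No such user: 0021aa6e1103 [0021aa6e1103]
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [0021aa6e1103]
*** Sending to 10.7.1.2 port 1645 ....
Code: Access-Accept
*** Received from 10.7.1.2 port 1645 ....
Code: Access-Request
Attributes:
        User-Name = "host/laptop01"
        EAP-Message = <2><1><0><15><1>host/laptop01
        NAS-IP-Address = 10.7.1.2
Wed Dec 18 10:15:02 2013: DEBUG: Radius::AuthFILE ACCEPT: : host/laptop01 [host/laptop01]
*** Sending to 10.7.1.2 port 1645 ....
Code: Access-Accept
"""

ACCEPT_RE = re.compile(r"Radius::AuthFILE ACCEPT: : (\S+) \[(.*)\]")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")

def find_default_fallback_accepts(log_text):
    """One finding per Access-Accept granted because the users-file
    DEFAULT entry matched a request that carried no EAP-Message."""
    findings = []
    attrs, matched_entry, in_request = {}, None, False
    for line in log_text.splitlines():
        if line.startswith("*** Received from"):
            attrs, matched_entry, in_request = {}, None, True  # new request
        elif line.startswith("*** Sending to"):
            in_request = False
        elif in_request and (m := ATTR_RE.match(line)):
            attrs[m.group(1)] = m.group(2)  # attribute from the request dump
        elif (m := ACCEPT_RE.search(line)):
            matched_entry = m.group(1)  # users-file entry that produced ACCEPT
        elif line.strip() == "Code: Access-Accept":
            if matched_entry == "DEFAULT" and "EAP-Message" not in attrs:
                findings.append({"user": attrs.get("User-Name", "").strip('"'),
                                 "nas": attrs.get("NAS-IP-Address"),
                                 "entry": matched_entry})
    return findings
```

Run against a real debug log, the function reports only accepts where DEFAULT matched and no EAP-Message was present; an explicit user match or a request carrying EAP-Message produces no finding.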