[RADIATOR] Enforce EAPTLS
Hartmaier Alexander
alexander.hartmaier at t-systems.at
Fri Dec 20 04:52:05 CST 2013
Hi Markus,
you didn't configure NoDefault, see in section 5.21.12 NoDefault in the Radiator Reference Manual for further details.
On 2013-12-20 11:30, Markus Moeller wrote:
Hi,
I have a switch configure to do EAP TLS authentication and when I made an error in the config the following Access Request was sent to Radiator.
Code: Access-Request
Identifier: 3
Authentic: 7O<24><227><149><222><130><147><179><146><194><195><181><206><190><11>
Attributes:
User-Name = "0021aa6e1103"
User-Password = <223><1><188><199><12><30><246><191><11><156>eV<211>*:<161>
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "44-B4-A9-F9-42-A8"
Calling-Station-Id = "00-21-DD-6F-35-03"
Message-Authenticator = <27>]/<245><205><143>J<147><3>d7`<218><202>bG
EAP-Key-Name =
NAS-Port-Type = Ethernet
NAS-Port = 50140
NAS-Port-Id = "GigabitEthernet1/0/40"
NAS-IP-Address = 10.7.1.2
But to my surprise Radiator sent back a Accept
Wed Dec 18 10:14:12 2013: DEBUG: Handling request with Handler 'AuthType="radius"', Identifier ''
Wed Dec 18 10:14:12 2013: DEBUG: Deleting session for 0021aa6e1103, 10.7.1.2, 50140
Wed Dec 18 10:14:12 2013: DEBUG: Handling with Radius::AuthFILE: EapTLS
Wed Dec 18 10:14:12 2013: DEBUG: Reading users file /opt/Radiator/users
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with 0021aa6e1103 [0021aa6e1103]
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE REJECT: No such user: 0021aa6e1103 [0021aa6e1103]
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with DEFAULT [0021aa6e1103]
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [0021aa6e1103]
Wed Dec 18 10:14:12 2013: DEBUG: AuthBy FILE result: ACCEPT,
Wed Dec 18 10:14:12 2013: DEBUG: Packet dump:
*** Sending to 10.7.1.2 port 1645 ....
Code: Access-Accept
My config is quite simple ( maybe too simple)
<Handler AuthType="radius">
AuthBy EapTLS
AuthLog LogToSyslog
</Handler>
# EAPTLS authentication
<AuthBy FILE>
Identifier EapTLS
# the file is used to check usernames (assuming EAP-TLS certificate checks pass):
Filename %D/users
EAPType TLS
# WLAN Additional Certificate Check
EAPTLS_CertificateVerifyHook file:"%D/hooks/eaptls_check.pl"
# WLAN root CAs
EAPTLS_CAFile %{GlobalVar:CertsDir}/CA/ca.pem
EAPTLS_CertificateType PEM
# Radiator Cert
EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server/my_server_cert.pem
# Radiator private key
EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server/my_server_cert.key
EAPTLS_MaxFragmentSize 1000
EAPTLS_CRLCheck
EAPTLS_CRLFile %{GlobalVar:CertsDir}/crls/ca.pem
AutoMPPEKeys
</AuthBy>
What do I need to add that a Radius request without a EAP-Message does not get accepted ?
Thank you
Markus
_______________________________________________
radiator mailing list
radiator at open.com.au<mailto:radiator at open.com.au>
http://www.open.com.au/mailman/listinfo/radiator
--
Best regards, Alexander Hartmaier
T-Systems Austria GesmbH
TSS Security Services
Network Security & Monitoring Engineer
phone: +43(0)57057-4320
fax: +43(0)57057-954320
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20131220/1b55b10f/attachment-0001.html
More information about the radiator
mailing list