[RADIATOR] Enforce EAPTLS

Markus Moeller huaraz at moeller.plus.com
Fri Dec 20 06:35:13 CST 2013


Hi Alexander,

   But I need the default for the case when I get a successful EAPTLS exchange: the user file is still checked, and to avoid adding all users I need a DEFAULT, don't I?

Markus


From: Hartmaier Alexander 
Sent: Friday, December 20, 2013 10:52 AM
To: radiator at open.com.au 
Subject: Re: [RADIATOR] Enforce EAPTLS

Hi Markus,
you didn't configure NoDefault; see section 5.21.12 NoDefault in the Radiator Reference Manual for further details.


On 2013-12-20 11:30, Markus Moeller wrote:

  Hi,

     I have a switch configured to do EAP-TLS authentication, and when I made an error in the config the following Access-Request was sent to Radiator.

  Code:       Access-Request
  Identifier: 3
  Authentic:  7O<24><227><149><222><130><147><179><146><194><195><181><206><190><11>
  Attributes:
          User-Name = "0021aa6e1103"
          User-Password = <223><1><188><199><12><30><246><191><11><156>eV<211>*:<161>
          Service-Type = Call-Check
          Framed-MTU = 1500
          Called-Station-Id = "44-B4-A9-F9-42-A8"
          Calling-Station-Id = "00-21-DD-6F-35-03"
          Message-Authenticator = <27>]/<245><205><143>J<147><3>d7`<218><202>bG
          EAP-Key-Name = 
          NAS-Port-Type = Ethernet
          NAS-Port = 50140
          NAS-Port-Id = "GigabitEthernet1/0/40"
          NAS-IP-Address = 10.7.1.2

  But to my surprise Radiator sent back an Accept:

  Wed Dec 18 10:14:12 2013: DEBUG: Handling request with Handler 'AuthType="radius"', Identifier ''
  Wed Dec 18 10:14:12 2013: DEBUG:  Deleting session for 0021aa6e1103, 10.7.1.2, 50140
  Wed Dec 18 10:14:12 2013: DEBUG: Handling with Radius::AuthFILE: EapTLS
  Wed Dec 18 10:14:12 2013: DEBUG: Reading users file /opt/Radiator/users
  Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with 0021aa6e1103 [0021aa6e1103]
  Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE REJECT: No such user: 0021aa6e1103 [0021aa6e1103]
  Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with DEFAULT [0021aa6e1103]
  Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [0021aa6e1103]
  Wed Dec 18 10:14:12 2013: DEBUG: AuthBy FILE result: ACCEPT, 
  Wed Dec 18 10:14:12 2013: DEBUG: Packet dump:
  *** Sending to 10.7.1.2 port 1645 ....
  Code:       Access-Accept

  My config is quite simple (maybe too simple):

  <Handler AuthType="radius">
    AuthBy EapTLS
    AuthLog LogToSyslog
  </Handler>

  # EAPTLS authentication 
  <AuthBy FILE>
    Identifier EapTLS
    # the file is used to check usernames (assuming EAP-TLS certificate checks pass):
    Filename %D/users
    EAPType TLS
    # WLAN Additional Certificate Check
    EAPTLS_CertificateVerifyHook file:"%D/hooks/eaptls_check.pl"
    # WLAN root CAs
    EAPTLS_CAFile %{GlobalVar:CertsDir}/CA/ca.pem

    EAPTLS_CertificateType PEM
    # Radiator Cert
    EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server/my_server_cert.pem
    # Radiator private key
    EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server/my_server_cert.key

    EAPTLS_MaxFragmentSize 1000

    EAPTLS_CRLCheck
    EAPTLS_CRLFile %{GlobalVar:CertsDir}/crls/ca.pem

    AutoMPPEKeys
  </AuthBy>

  What do I need to add so that a RADIUS request without an EAP-Message does not get accepted?

  Thank you
  Markus

_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator

-- 
Best regards, Alexander Hartmaier

T-Systems Austria GesmbH
TSS Security Services
Network Security & Monitoring Engineer

phone: +43(0)57057-4320
fax: +43(0)57057-954320




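The failure Markus describes, an Access-Accept for a request that carried no EAP-Message at all and matched only the DEFAULT entry in the users file, is visible in Radiator's own debug log. The script below is an added example, not part of the thread and not Radiator's code: it pairs each "Code: Access-Request" packet dump with the response that follows it and reports every Access-Accept whose request had no EAP-Message attribute, noting whether the DEFAULT entry was what matched. The sample log is constructed from the lines quoted in the thread; the "*** Received from" line, the second and third exchanges, their identifiers and the EAP-Message bytes are assumed for illustration.

```python
import re

# Constructed sample Radiator debug log modelled on the thread's excerpt.
# Three request/response pairs:
#   1. no EAP-Message, falls through to the DEFAULT users entry, accepted -> flagged
#   2. EAP-Message present (an EAP-TLS round), accepted                   -> not flagged
#   3. no EAP-Message, rejected                                           -> not flagged
# The "*** Received from" lines, identifiers 9 and 12, and the EAP-Message
# value are assumptions, not taken from the thread.
SAMPLE_LOG = """\
*** Received from 10.7.1.2 port 1645 ....
Code:       Access-Request
Identifier: 3
Attributes:
        User-Name = "0021aa6e1103"
        User-Password = <223><1><188><199><12><30>
        Service-Type = Call-Check
        Calling-Station-Id = "00-21-DD-6F-35-03"
        NAS-IP-Address = 10.7.1.2
Wed Dec 18 10:14:12 2013: DEBUG: Handling request with Handler 'AuthType="radius"', Identifier ''
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE REJECT: No such user: 0021aa6e1103 [0021aa6e1103]
Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [0021aa6e1103]
Wed Dec 18 10:14:12 2013: DEBUG: AuthBy FILE result: ACCEPT, 
*** Sending to 10.7.1.2 port 1645 ....
Code:       Access-Accept
Identifier: 3
*** Received from 10.7.1.2 port 1645 ....
Code:       Access-Request
Identifier: 9
Attributes:
        User-Name = "host/laptop01"
        Calling-Station-Id = "00-21-DD-6F-35-04"
        EAP-Message = <2><9><0><6><13><0>
        NAS-IP-Address = 10.7.1.2
Wed Dec 18 10:15:02 2013: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [host/laptop01]
*** Sending to 10.7.1.2 port 1645 ....
Code:       Access-Accept
Identifier: 9
*** Received from 10.7.1.2 port 1645 ....
Code:       Access-Request
Identifier: 12
Attributes:
        User-Name = "0021aa6e1199"
        Calling-Station-Id = "00-21-DD-6F-35-99"
        NAS-IP-Address = 10.7.1.2
Wed Dec 18 10:16:40 2013: DEBUG: Radius::AuthFILE REJECT: No such user: 0021aa6e1199 [0021aa6e1199]
*** Sending to 10.7.1.2 port 1645 ....
Code:       Access-Reject
Identifier: 12
"""

CODE_RE = re.compile(r'^\s*Code:\s+(\S+)')
ID_RE = re.compile(r'^\s*Identifier:\s+(\d+)')
# Attribute lines in the dump are indented "Name = value"; timestamped DEBUG
# lines start at column 0, so they never match this pattern.
ATTR_RE = re.compile(r'^\s+([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')
DEFAULT_HIT_RE = re.compile(r'AuthFILE ACCEPT: : DEFAULT \[')


def parse_exchanges(log_text):
    """Pair each Access-Request dump with the response dump that follows it.

    Returns a list of dicts with keys identifier, attributes, matched_default,
    result.  A multi-round EAP conversation yields one record per
    Access-Request/Access-Challenge pair; only the last record carries the
    final Access-Accept or Access-Reject.
    """
    exchanges = []
    current = None
    for line in log_text.splitlines():
        m = CODE_RE.match(line)
        if m:
            code = m.group(1)
            if code == 'Access-Request':
                current = {'identifier': None, 'attributes': {},
                           'matched_default': False, 'result': None}
                exchanges.append(current)
            elif current is not None:
                current['result'] = code   # Access-Accept / Reject / Challenge
                current = None             # exchange closed
            continue
        if current is None:
            continue
        m = ID_RE.match(line)
        if m:
            current['identifier'] = int(m.group(1))
            continue
        m = ATTR_RE.match(line)
        if m:
            current['attributes'][m.group(1)] = m.group(2).strip().strip('"')
        elif DEFAULT_HIT_RE.search(line):
            current['matched_default'] = True
    return exchanges


def find_accepts_without_eap(log_text):
    """One tuple per Access-Accept whose request carried no EAP-Message:
    (identifier, User-Name, Calling-Station-Id, matched DEFAULT entry)."""
    findings = []
    for ex in parse_exchanges(log_text):
        if ex['result'] != 'Access-Accept' or 'EAP-Message' in ex['attributes']:
            continue
        findings.append((ex['identifier'], ex['attributes'].get('User-Name'),
                         ex['attributes'].get('Calling-Station-Id'),
                         ex['matched_default']))
    return findings


if __name__ == '__main__':
    for ident, user, mac, via_default in find_accepts_without_eap(SAMPLE_LOG):
        print(f'id={ident} user={user} station={mac} accepted without EAP-Message'
              f' (matched DEFAULT: {via_default})')
```

Run against a real debug-level log this prints one line per accepted request that never carried an EAP-Message; an empty result after adding NoDefault, or after restricting the DEFAULT entry, is the quickest confirmation that the fall-through no longer happens.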


