[RADIATOR] Enforce EAPTLS

Hartmaier Alexander alexander.hartmaier at t-systems.at
Fri Dec 20 06:40:12 CST 2013


Ah, gotcha!

You need to change your Handler so it only matches EAP requests, for
example:

<Handler AuthType="radius", EAP-Message=/.+/>


On 2013-12-20 13:35, Markus Moeller wrote:
> Hi Alexander,
>
> But I need the default for the case when I get a successful EAPTLS
> exchange: the user file is still checked, and to avoid adding all users
> I need a DEFAULT, don't I?
>
> Markus
>
> *From:* Hartmaier Alexander
> *Sent:* Friday, December 20, 2013 10:52 AM
> *To:* radiator at open.com.au
> *Subject:* Re: [RADIATOR] Enforce EAPTLS
>
> Hi Markus,
> You didn't configure NoDefault; see section 5.21.12 NoDefault in
> the Radiator Reference Manual for further details.
>
> On 2013-12-20 11:30, Markus Moeller wrote:
>>
>> Hi,
>>
>>    I have a switch configured to do EAP TLS authentication and when I
>> made an error in the config the following Access Request was sent to
>> Radiator.
>>
>> Code:       Access-Request
>> Identifier: 3
>> Authentic:  7O<24><227><149><222><130><147><179><146><194><195><181><206><190><11>
>> Attributes:
>>         User-Name = "0021aa6e1103"
>>         User-Password = <223><1><188><199><12><30><246><191><11><156>eV<211>*:<161>
>>         Service-Type = Call-Check
>>         Framed-MTU = 1500
>>         Called-Station-Id = "44-B4-A9-F9-42-A8"
>>         Calling-Station-Id = "00-21-DD-6F-35-03"
>>         Message-Authenticator = <27>]/<245><205><143>J<147><3>d7`<218><202>bG
>>         EAP-Key-Name =
>>         NAS-Port-Type = Ethernet
>>         NAS-Port = 50140
>>         NAS-Port-Id = "GigabitEthernet1/0/40"
>>         NAS-IP-Address = 10.7.1.2
>>
>> But to my surprise Radiator sent back an Accept:
>>
>> Wed Dec 18 10:14:12 2013: DEBUG: Handling request with Handler 'AuthType="radius"', Identifier ''
>> Wed Dec 18 10:14:12 2013: DEBUG:  Deleting session for 0021aa6e1103, 10.7.1.2, 50140
>> Wed Dec 18 10:14:12 2013: DEBUG: Handling with Radius::AuthFILE: EapTLS
>> Wed Dec 18 10:14:12 2013: DEBUG: Reading users file /opt/Radiator/users
>> Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with 0021aa6e1103 [0021aa6e1103]
>> Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE REJECT: No such user: 0021aa6e1103 [0021aa6e1103]
>> Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with DEFAULT [0021aa6e1103]
>> Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [0021aa6e1103]
>> Wed Dec 18 10:14:12 2013: DEBUG: AuthBy FILE result: ACCEPT,
>> Wed Dec 18 10:14:12 2013: DEBUG: Packet dump:
>> *** Sending to 10.7.1.2 port 1645 ....
>> Code:       Access-Accept
>>
>> My config is quite simple (maybe too simple):
>>
>> <Handler AuthType="radius">
>>   AuthBy EapTLS
>>   AuthLog LogToSyslog
>> </Handler>
>>
>> # EAPTLS authentication
>> <AuthBy FILE>
>>   Identifier EapTLS
>>   # the file is used to check usernames (assuming EAP-TLS certificate checks pass):
>>   Filename %D/users
>>   EAPType TLS
>>   # WLAN Additional Certificate Check
>>   EAPTLS_CertificateVerifyHook file:"%D/hooks/eaptls_check.pl"
>>   # WLAN root CAs
>>   EAPTLS_CAFile %{GlobalVar:CertsDir}/CA/ca.pem
>>
>>   EAPTLS_CertificateType PEM
>>   # Radiator Cert
>>   EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server/my_server_cert.pem
>>   # Radiator private key
>>   EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server/my_server_cert.key
>>
>>   EAPTLS_MaxFragmentSize 1000
>>
>>   EAPTLS_CRLCheck
>>   EAPTLS_CRLFile %{GlobalVar:CertsDir}/crls/ca.pem
>>
>>   AutoMPPEKeys
>> </AuthBy>
>>
>> What do I need to add so that a RADIUS request without an EAP-Message
>> does not get accepted?
>>
>> Thank you
>> Markus
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
> -- 
> Best regards, Alexander Hartmaier
>
> T-Systems Austria GesmbH
> TSS Security Services
> Network Security & Monitoring Engineer
>
> phone: +43(0)57057-4320
> fax: +43(0)57057-954320
>
>
>

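As an added illustration (not code from the thread, and not Radiator's own implementation), the following Python models the fix Alexander describes: a small RADIUS Access-Request parser whose handler selection sends only requests that carry an EAP-Message attribute to the EAP path, so a User-Password request like the one Markus posted can never reach the users file and its DEFAULT entry. It also checks the Message-Authenticator that RFC 3579 section 3.2 requires on EAP-carrying requests, which Radiator does for real and which this model reproduces with HMAC-MD5. The sample packets, the shared secret, the handler names and the catch-all reject handler are all constructed for the demo.

```python
"""Toy RADIUS front end modelling <Handler EAP-Message=/.+/> plus a reject-only
fallback.  Everything here is constructed for illustration."""
import hashlib
import hmac
import os
import re
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80          # RFC 3579 attribute types
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              79: "EAP-Message", 80: "Message-Authenticator"}

# Ordered like Radiator <Handler> clauses: the first clause whose check items all
# match wins.  The second clause is an assumed catch-all that always rejects.
HANDLERS = [
    ("eap-only", {"EAP-Message": r".+"}),   # models <Handler EAP-Message=/.+/>
    ("catch-all-reject", {}),               # models a <Handler> with no check items
]


def build_access_request(ident, attrs, secret=None, request_auth=None):
    """Encode an Access-Request; with a secret, append a valid Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    if secret is not None:
        # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def parse(pkt):
    """Return (code, ident, request_authenticator, [(type, value), ...]) or raise."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def verify_message_authenticator(pkt, secret):
    """True iff the packet carries a Message-Authenticator that verifies under secret."""
    _, _, _, attrs = parse(pkt)
    pos = 20
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return False
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, v)
        pos += 2 + len(v)
    return False


def select_handler(attrs, handlers=HANDLERS):
    """Pick the first handler whose every check item regex-matches a request attribute."""
    by_name = {}
    for t, v in attrs:
        by_name.setdefault(ATTR_NAMES.get(t, str(t)), []).append(v.decode("latin-1"))
    for name, checks in handlers:
        if all(any(re.search(rx, val, re.S) for val in by_name.get(attr, []))
               for attr, rx in checks.items()):
            return name
    return None


def decide(pkt, secret):
    """Model the server's first decision: REJECT, DISCARD, or hand off to EAP."""
    _, _, _, attrs = parse(pkt)
    if select_handler(attrs) != "eap-only":
        return "REJECT"          # never consults the users file, so DEFAULT cannot match
    if not verify_message_authenticator(pkt, secret):
        return "DISCARD"         # RFC 3579: silently discard a missing or bad authenticator
    return "EAP-CONTINUE"        # an AuthBy EapTLS would now drive the TLS exchange


SECRET = b"constructed-shared-secret"
# Constructed stand-in for the non-EAP request in the post: User-Password, no EAP-Message.
NON_EAP = build_access_request(3, [(USER_NAME, b"0021aa6e1103"),
                                   (USER_PASSWORD, bytes(16)),
                                   (NAS_IP_ADDRESS, bytes([10, 7, 1, 2]))])
# Constructed EAP-Response/Identity (code 2, id 1, type 1) that opens an EAP-TLS exchange.
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 5 + 12, 1) + b"0021aa6e1103"
EAP_START = build_access_request(4, [(USER_NAME, b"0021aa6e1103"),
                                     (EAP_MESSAGE, EAP_IDENTITY)], secret=SECRET)
# Same packet with one byte of User-Name flipped: the Message-Authenticator no longer verifies.
_tampered = bytearray(EAP_START)
_tampered[22] ^= 0x01
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    for label, pkt in (("non-EAP", NON_EAP), ("EAP start", EAP_START), ("tampered", TAMPERED)):
        print(f"{label:10s} handler={select_handler(parse(pkt)[3])} decision={decide(pkt, SECRET)}")
```

The reject-only fallback handler is this model's assumption; the thread's other remedy, NoDefault on the AuthBy FILE, addresses the DEFAULT users entry rather than handler selection, and the two measures are complementary: the handler match keeps non-EAP traffic away from the EAP-TLS AuthBy entirely, while NoDefault stops an unknown certificate subject from being accepted via DEFAULT once EAP-TLS has run.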