[RADIATOR] Enforce EAPTLS

Markus Moeller huaraz at moeller.plus.com
Fri Dec 20 08:40:30 CST 2013


Hi Alexander,

   That might work, but accounting requests won’t have EAP-Message AV pairs. How could I identify them?

Thank you
Markus

From: Hartmaier Alexander 
Sent: Friday, December 20, 2013 12:40 PM
To: Markus Moeller ; radiator at open.com.au 
Subject: Re: [RADIATOR] Enforce EAPTLS

Ah, gotcha!

You need to change your Handler so it only matches EAP requests, for example:

<Handler AuthType="radius", EAP-Message=/.+/>



On 2013-12-20 13:35, Markus Moeller wrote:

  Hi Alexander,

     But I need the default for the case when I get a successful EAPTLS exchange: the user file is still checked, and to avoid adding all users I need a DEFAULT, don’t I?

  Markus


  From: Hartmaier Alexander 
  Sent: Friday, December 20, 2013 10:52 AM
  To: radiator at open.com.au 
  Subject: Re: [RADIATOR] Enforce EAPTLS

  Hi Markus,
  you didn't configure NoDefault; see section 5.21.12 NoDefault in the Radiator Reference Manual for further details.


  On 2013-12-20 11:30, Markus Moeller wrote:

    Hi,

       I have a switch configured to do EAP TLS authentication, and when I made an error in the config the following Access Request was sent to Radiator.

    Code:       Access-Request
    Identifier: 3
    Authentic:  7O<24><227><149><222><130><147><179><146><194><195><181><206><190><11>
    Attributes:
            User-Name = "0021aa6e1103"
            User-Password = <223><1><188><199><12><30><246><191><11><156>eV<211>*:<161>
            Service-Type = Call-Check
            Framed-MTU = 1500
            Called-Station-Id = "44-B4-A9-F9-42-A8"
            Calling-Station-Id = "00-21-DD-6F-35-03"
            Message-Authenticator = <27>]/<245><205><143>J<147><3>d7`<218><202>bG
            EAP-Key-Name = 
            NAS-Port-Type = Ethernet
            NAS-Port = 50140
            NAS-Port-Id = "GigabitEthernet1/0/40"
            NAS-IP-Address = 10.7.1.2


    But to my surprise Radiator sent back an Accept:

    Wed Dec 18 10:14:12 2013: DEBUG: Handling request with Handler 'AuthType="radius"', Identifier ''
    Wed Dec 18 10:14:12 2013: DEBUG:  Deleting session for 0021aa6e1103, 10.7.1.2, 50140
    Wed Dec 18 10:14:12 2013: DEBUG: Handling with Radius::AuthFILE: EapTLS
    Wed Dec 18 10:14:12 2013: DEBUG: Reading users file /opt/Radiator/users
    Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with 0021aa6e1103 [0021aa6e1103]
    Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE REJECT: No such user: 0021aa6e1103 [0021aa6e1103]
    Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with DEFAULT [0021aa6e1103]
    Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [0021aa6e1103]
    Wed Dec 18 10:14:12 2013: DEBUG: AuthBy FILE result: ACCEPT, 
    Wed Dec 18 10:14:12 2013: DEBUG: Packet dump:
    *** Sending to 10.7.1.2 port 1645 ....
    Code:       Access-Accept


    My config is quite simple (maybe too simple):

    <Handler AuthType="radius">
      AuthBy EapTLS
      AuthLog LogToSyslog
    </Handler>

    # EAPTLS authentication 
    <AuthBy FILE>
      Identifier EapTLS
      # the file is used to check usernames (assuming EAP-TLS certificate checks pass):
      Filename %D/users
      EAPType TLS
      # WLAN Additional Certificate Check
      EAPTLS_CertificateVerifyHook file:"%D/hooks/eaptls_check.pl"
      # WLAN root CAs
      EAPTLS_CAFile %{GlobalVar:CertsDir}/CA/ca.pem

      EAPTLS_CertificateType PEM
      # Radiator Cert
      EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server/my_server_cert.pem
      # Radiator private key
      EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server/my_server_cert.key

      EAPTLS_MaxFragmentSize 1000

      EAPTLS_CRLCheck
      EAPTLS_CRLFile %{GlobalVar:CertsDir}/crls/ca.pem

      AutoMPPEKeys
    </AuthBy>


    What do I need to add so that a Radius request without an EAP-Message does not get accepted?

    Thank you
    Markus

_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator

  -- 
  Best regards, Alexander Hartmaier

  T-Systems Austria GesmbH
  TSS Security Services
  Network Security & Monitoring Engineer

  phone: +43(0)57057-4320
  fax: +43(0)57057-954320


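What the thread converges on is request routing: an Access-Request that carries no EAP-Message must never reach a users-file DEFAULT entry, while Accounting-Requests (which never carry EAP-Message) still need somewhere to go. The script below is an added example, not Radiator code and not from any poster. It parses RADIUS packets per RFC 2865/2866, verifies the Message-Authenticator per RFC 3579, and runs an ordered handler chain of my own construction: accounting is matched first on the packet code, EAP requests on the presence of attribute 79 (EAP-Message), and everything else is rejected instead of falling through. The shared secret, the handler names and the three sample packets are constructed; the MAB sample is modelled on the Call-Check dump Markus posted. In a real Radiator configuration the accounting branch would be selected with a Request-Type check item, which is my recollection of the product and not something the thread states.

```python
"""Handler-style classification of RADIUS requests (added example, not Radiator code).

Packet framing follows RFC 2865/2866; Message-Authenticator follows RFC 3579.
The handler chain, the shared secret and the sample packets are constructed."""
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used below (RFC 2865/2866/3579)
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
ACCT_STATUS_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 40, 79, 80
CALL_CHECK = 10  # Service-Type value used by MAC-based authentication


def build_packet(code, identifier, authenticator, attrs, secret=None):
    """Serialize attrs [(type, value)]; with a secret, append a
    Message-Authenticator: HMAC-MD5 over the whole packet with the
    attribute's own 16 value bytes set to zero (RFC 3579 section 3.2)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        ma_attr = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18)
        header = struct.pack("!BBH", code, identifier, 20 + len(body) + 18)
        mac = hmac.new(secret, header + authenticator + body + ma_attr + bytes(16),
                       hashlib.md5).digest()
        body += ma_attr + mac
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + authenticator + body


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value)]).
    Rejects packets whose Length field disagrees with the bytes received
    or whose attribute TLVs overrun the packet."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, data[4:20], attrs


def verify_message_authenticator(data, secret):
    """True only if a Message-Authenticator is present and matches the
    HMAC-MD5 recomputed with its value zeroed (RFC 3579 section 3.2)."""
    _, _, _, attrs = parse_packet(data)
    pos = 20
    for atype, value in attrs:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = data[:pos + 2] + bytes(16) + data[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False  # absent: EAP requests must carry it (RFC 3579 section 3.1)


def select_handler(data):
    """Ordered handler chain (constructed): accounting first, then EAP,
    then an explicit reject so nothing reaches a DEFAULT user entry."""
    code, _, _, attrs = parse_packet(data)
    present = {atype for atype, _ in attrs}
    if code == ACCOUNTING_REQUEST:
        return "acct"            # no EAP-Message expected here
    if code == ACCESS_REQUEST and EAP_MESSAGE in present:
        return "eaptls"          # EAP-TLS handler; users file checked afterwards
    return "reject"              # e.g. Call-Check with a MAC as User-Name


# Constructed sample traffic. MAB_REQUEST mirrors the dump in the thread:
# MAC address as User-Name, a PAP User-Password, Service-Type Call-Check,
# and no EAP-Message at all.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))  # constructed Request Authenticator
MAB_REQUEST = build_packet(ACCESS_REQUEST, 3, REQ_AUTH, [
    (USER_NAME, b"0021aa6e1103"),
    (USER_PASSWORD, bytes(16)),                   # opaque 16-byte PAP blob
    (SERVICE_TYPE, struct.pack("!I", CALL_CHECK)),
], secret=SECRET)
EAP_REQUEST = build_packet(ACCESS_REQUEST, 4, REQ_AUTH, [
    (USER_NAME, b"host/workstation01"),
    (EAP_MESSAGE, b"\x02\x01\x00\x05\x01"),       # EAP Response/Identity, empty identity
], secret=SECRET)
ACCT_REQUEST = build_packet(ACCOUNTING_REQUEST, 5, bytes(16), [   # authenticator not needed here
    (USER_NAME, b"0021aa6e1103"),
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),     # Acct-Status-Type = Start
])

if __name__ == "__main__":
    for name, pkt in [("MAB", MAB_REQUEST), ("EAP", EAP_REQUEST), ("ACCT", ACCT_REQUEST)]:
        print(name, select_handler(pkt), verify_message_authenticator(pkt, SECRET))
```

Run stand-alone it prints one line per sample: the MAB request is routed to "reject" even though its Message-Authenticator is valid, the EAP request goes to "eaptls", and the accounting request goes to "acct" with no Message-Authenticator required. The ordering matters: putting the EAP-Message match first and the accounting match second gives the same result, but leaving out the final reject branch recreates the behaviour in Markus's log, where the request lands in the FILE AuthBy and the DEFAULT entry accepts it.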
