[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

Heikki Vatiainen hvn at open.com.au
Wed Apr 2 13:49:29 CDT 2014


On 04/01/2014 10:42 PM, Michael Rodrigues wrote:

> I attempted to implement your suggestions on items 1 and 2. 1 is 
> straightforward, but I'm still a bit puzzled by 2.

You can simplify the configuration by leaving out the EAPTLS_* options
from TunnelledBy* Handlers. Since the allowed EAP type for inner PEAP is
EAP-MSCHAP-V2, the cert settings are not needed.

For inner TTLS you can also set EAPType to MSCHAP-V2, but TTLS for inner
TTLS as an EAPType is not useful. Most likely you can leave out EAPType
completely: the clients seem to use PAP or *CHAP in many cases.

> I looked at eap_peap 
> and eap_multi in goodies to get an idea of what to do. Using your 
> comments and the docs, I made some changes, adding two inner request 
> handlers, one for PEAP and one for TTLS. I tried implementing the Hook 
> but my NAS still reports the wrong user if I put some random username in 
> the 'anonymous identity' field on my wireless client.

Now when I took a better look at the hook, it seems to assume the
username has 'anonymous' or is empty. It might be easier and more
consistent to leave out the hooks from inner Handlers and experiment
with something like this in the outer Handler:

PostAuthHook sub { my $rp = ${$_[1]}; $rp->changeUserName($rp->{inner_identity}); }

PEAP and TTLS both export the inner EAP identity (or TTLS inner username
when EAP is not used). The inner identity is exported to outer reply
message and can be retrieved as above.

The above does not enforce same @realm for the returned User-Name that
was used with incoming Access-Accept but you could experiment and see if
the above PostAuthHook works better.

Note: I noticed that if EAP, for example EAP-MSCHAP-V2, is used for
inner TTLS, the export seems not to work currently. We'll need to check why.

Thanks,
Heikki


> Topic 3, the SSO stuff is a ways away, but I will write the list with 
> any insight I have once I attempt it.
> 
> Here's my config:
> 
> 
> ##########                      ##########
> #####   Radiator Configuration       #####
> #########                       ##########
> 
> ##      Updated 4/1/2014
> ##      Note this file is derived from pre-testing version provided by mrodrigues
> 
> #This handler catches all "Accounting-Request" packets.
> #We only log Start and Stop accounting packets as Alive
> #packets are basically useless for our purposes. If you
> #would like to grab these packets, delete the "HandleAcctStatusTypes"
> #directive below, or edit as obviously necessary.
> 
> #<Handler Request-Type=Accounting-Request>
> 
> #<AuthBy SQL>
> #        DBSource        dbi:mysql:radius:127.0.0.1:3306
> #        DBUsername      radius
> #        DBAuth  xxx
> #HandleAcctStatusTypes Start,Stop
> # This statement inserts the accounting information into the SQL database.
> 
> #AcctSQLStatement insert into ggse_public values('%{Acct-Session-Id}','%{Framed-IP-Address}','%{User-Name}','%{Acct-Status-Type}','%{Extreme-SSID}','%{Connect-Info}','%{Acct-Delay-Time}','%{Timestamp}','%{Calling-Station-Id}',NULL);
> 
> # This will log messages from within the SQL insert statement
> 
> #<Log FILE>
> #Filename debug.config
> #</Log>
> 
> #</AuthBy>
> 
> #</Handler>
> 
> #below was added on 2/4/13 to catch ALL iterations of logins that are BlackListed.
> RewriteUsername         tr/A-Z/a-z/
> 
> #These are the subnets from which calls to the RADIUS server are allowed.
> 
> <Client 10.99.1.250>
>          Secret testing123
>          DupInterval 0
> </Client>
> 
> 
> <Handler User-Name=/^host\//>
>    # AuthBy INTERNAL will reject here
>    # This catches computers trying to auth
> </Handler>
> 
> <Handler TunnelledByPEAP=1>
>      <AuthBy NTLM>
>              NtlmAuthProg    /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
>              Domain         AD
>              EAPType        MSCHAP-V2
>              #EAPTLS_CAFile     /etc/radiator/certs/demoCA/cacert.pem
>              EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
>              #EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
>              EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
>              EAPTLS_CertificateType PEM
>              EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
>              EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
>              #EAPTLS_PrivateKeyPassword whatever
>              AutoMPPEKeys
>      </AuthBy>
>      PostAuthHook file:"goodies/eap_acct_username.pl"
> </Handler>
> 
> <Handler TunnelledByTTLS=1>
>      <AuthBy NTLM>
>              NtlmAuthProg    /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
>              Domain         AD
>              EAPType        TTLS
>              #EAPTLS_CAFile     /etc/radiator/certs/demoCA/cacert.pem
>              EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
>              #EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
>              EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
>              EAPTLS_CertificateType PEM
>              EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
>              EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
>              #EAPTLS_PrivateKeyPassword whatever
>      </AuthBy>
>      PostAuthHook file:"goodies/eap_acct_username.pl"
> </Handler>
> 
> <Handler>
>      <AuthBy GROUP>
> 
>          AuthByPolicy ContinueWhileAccept
> 
>           # Make sure MAC address is not blacklisted..
>          <AuthBy FILE>
>              NoEAP
>              # Calling-Station-Id attribute is the user's MAC in this case.
>              AuthenticateAttribute Calling-Station-Id
>              AcceptIfMissing
>              Filename /etc/radiator/MacAddrBlacklist.txt
>          </AuthBy>
> 
>          # Make sure USERNAME is not blacklisted..
>          <AuthBy FILE>
>              NoEAP
>              AcceptIfMissing
>              Filename /etc/radiator/UsernameBlacklist.txt
>          </AuthBy>
> 
>          <AuthBy NTLM>
>              NtlmAuthProg    /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
>              Domain         AD
>              EAPType        PEAP, TTLS
>              #EAPTLS_CAFile     /etc/radiator/certs/demoCA/cacert.pem
>              EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
>              #EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
>              EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
>              EAPTLS_CertificateType PEM
>              EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
>              EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
>              #EAPTLS_PrivateKeyPassword whatever
>              AutoMPPEKeys
>          </AuthBy>
>      </AuthBy>
>      PostAuthHook file:"goodies/eap_acct_username.pl"
> </Handler>
> 
> #This logs to /var/log/radius/logfile
> #Not really necessary, we have SQL logs.
> <Log FILE>
> Filename logfile
> </Log>
> 
> On 3/26/2014 2:35 PM, Heikki Vatiainen wrote:
>> On 03/26/2014 07:33 PM, Michael Rodrigues wrote:
>>
>>>   1. How do I allow only directory users to authenticate, while
>>>      preventing machine accounts from being authenticated?
>> Use a Handler to catch these:
>>
>> <Handler User-Name=/^host\//>
>>     # AuthBy INTERNAL with reject here
>> </Handler>
>>
>> should do the trick. I would also consider using a separate Handler for
>> inner and outer requests. See goodies/eap_peap.cfg for an example.
>>
>>>   2. Will the eap_acct_username.pl prevent users from showing up as
>>>      'anonymous' in my accounting requests for all allowed types of auth?
>>>      (PEAP, TTLS, MSCHAP-V2)
>> This hook seems to return User-Name with Access-Accept to tell the NAS
>> to use this username for the subsequent Accounting-Requests. I'd
>> consider using a Hook, maybe PostAuthHook, in the inner Handler to write
>> the real username in the outer requests EAP context. When the final
>> Access-Accept is returned to the client, a PostAuthHook in the outer
>> Handler can set the User-Name. This could be done after the
>> authentication works otherwise.
>>
>>>   3. Will disabling machine authentication have any effect on SSO so that
>>>      a user can login to a domain computer and automatically authenticate
>>>      to the wifi (assuming the proper GPOs are in place).
>> The recent Windows versions seem to have a number of possibilities to
>> choose which account, user or computer, does the wifi authentication.
>> However, I have not looked more closely how these settings work with
>> group policies. It would be interesting to hear how it works, so please
>> let us know if you decide to test it.
>>
>>> Here's my configuration:
>> Remove DupInterval 0 if you have it with real RADIUS clients. It should
>> only be used for local loopback testing and it's not usually necessary
>> there either.
>>
>> Thanks,
>> Heikki
>>
>>> ##########                      ##########
>>> #####   Radiator Configuration       #####
>>> #########                       ##########
>>>
>>> ##      Updated 03/26/14 mbr
>>> ##      Note this file is derived from pre-testing version provided by <mrodrigues
>>>
>>> #This handler catches all "Accounting-Request" packets.
>>> #We only log Start and Stop accounting packets as Alive
>>> #packets are basically useless for our purposes. If you
>>> #would like to grab these packets, delete the "HandleAcctStatusTypes"
>>> #directive below, or edit as obviously necessary.
>>>
>>> #<Handler Request-Type=Accounting-Request>
>>>
>>> #<AuthBy SQL>
>>> #        DBSource        dbi:mysql:radius:127.0.0.1:3306
>>> #        DBUsername      radius
>>> #        DBAuth  xxx
>>> #HandleAcctStatusTypes Start,Stop
>>> # This statement inserts the accounting information into the SQL database.
>>>
>>> #AcctSQLStatement insert into ggse_public values('%{Acct-Session-Id}','%{Framed-IP-Address}','%{User-Name}','%{Acct-Status-Type}','%{Extreme-SSID}','%{Connect-Info}','%{Acct-Delay-Time}','%{Timestamp}','%{Calling-Station-Id}',NULL);
>>>
>>> # This will log messages from within the SQL insert statement
>>>
>>> #<Log FILE>
>>> #Filename debug.config
>>> #</Log>
>>>
>>> #</AuthBy>
>>>
>>> #</Handler>
>>>
>>> #below was added on 2/4/13 to catch ALL iterations of logins that are BlackListed.
>>> RewriteUsername         tr/A-Z/a-z/
>>>
>>> #These are the IPs from which calls to the RADIUS server are allowed.
>>>
>>> <Client 10.99.1.250>
>>>          Secret testing123
>>>          DupInterval 0
>>> </Client>
>>>
>>> <Handler>
>>> #This is only tentative and hasn't been tested. This keeps people from
>>> circumventing the logs by making their outer identity anonymous. This
>>> script copies the inner identity to the outer identity; you can't
>>> authenticate without the correct inner identity.
>>> PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"
>>>
>>> <AuthBy GROUP>
>>>
>>>      AuthByPolicy ContinueWhileAccept
>>>        
>>>       # Make sure MAC address is not blacklisted..
>>>          <AuthBy FILE>
>>>                  NoEAP
>>>                  # Calling-Station-Id attribute is the user's MAC in this case.
>>>                  AuthenticateAttribute Calling-Station-Id
>>>                  AcceptIfMissing
>>>                  Filename /etc/radiator/MacAddrBlacklist.txt
>>>          </AuthBy>
>>>
>>>          # Make sure USERNAME is not blacklisted..
>>>          <AuthBy FILE>
>>>                  NoEAP
>>>                  AcceptIfMissing
>>>                  Filename /etc/radiator/UsernameBlacklist.txt
>>>          </AuthBy>
>>>     
>>>          <AuthBy NTLM>
>>>          Domain         AD
>>>          EAPType        PEAP, TTLS, MSCHAP-V2
>>>          EAPTLS_CAFile     /etc/radiator/certs/demoCA/cacert.pem
>>>          EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
>>>          EAPTLS_CertificateType PEM
>>>          EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
>>>          EAPTLS_PrivateKeyPassword whatever
>>>          AutoMPPEKeys
>>>      </AuthBy>
>>> </AuthBy>
>>> </Handler>
>>> #PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"
>>>
>>> #This logs to /var/log/radius/logfile
>>> #Not really necessary, we have SQL logs.
>>> <Log FILE>
>>> Filename logfile
>>> </Log>
>>>
>>> Thanks,
>>> Michael
>>>
>>> -- 
>>> Michael Rodrigues
>>> Technical Support Services Manager
>>> Gevirtz Graduate School of Education
>>> Education Building 4203
>>> (805) 893-8031
>>> help at education.ucsb.edu
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
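The outer-Handler PostAuthHook sketched in Heikki's reply above, extended with the @realm check he mentions leaving out, as an added example that is not from the thread and not from Radiator's goodies/ directory. It assumes the Radiator hook calling convention (references to request, reply, result and reason in $_[0] .. $_[3]), the $main::ACCEPT, $main::REJECT, $main::LOG_* and &main::log globals, and, as the reply states, that PEAP and TTLS export the inner identity into the outer reply as $rp->{inner_identity}. Rejecting on a realm mismatch, and enforcing the realm only when the outer identity actually carries one, are this example's own policy choices.

```perl
# Added example hook for the OUTER Handler (the one terminating PEAP/TTLS).
# Save as e.g. /etc/radiator/outer_username.pl and reference it with
#   PostAuthHook file:"/etc/radiator/outer_username.pl"
# The file must evaluate to a single anonymous sub, as Radiator expects.
sub {
    my $p          = ${$_[0]};   # outer Access-Request (Radius::Radius)
    my $rp         = ${$_[1]};   # reply about to be sent to the NAS
    my $result_ref = $_[2];      # reference to $main::ACCEPT / $main::REJECT
    my $reason_ref = $_[3];      # reference to the reject reason string

    # Only a successful outer authentication needs its User-Name replaced.
    return unless $$result_ref == $main::ACCEPT;

    # Assumption (from the reply above): PEAP/TTLS export the inner identity
    # into the outer reply. If it is missing (Heikki notes EAP inside TTLS
    # currently does not export it), leave the reply untouched.
    my $inner = $rp->{inner_identity};
    return unless defined $inner && length $inner;

    # Outer identity as received (after any RewriteUsername, e.g. tr/A-Z/a-z/).
    my $outer = $p->getUserName();

    # Realm is the part after the last '@'; empty string when there is none.
    my $realm_of = sub {
        my ($name) = @_;
        return $name =~ /\@([^\@]*)$/ ? lc $1 : '';
    };
    my $outer_realm = $realm_of->($outer);
    my $inner_realm = $realm_of->($inner);

    # Policy choice of this example: if the client sent a realm in the outer
    # (anonymous) identity, the authenticated inner identity must carry the
    # same realm; otherwise the Access-Accept is turned into a reject.
    if ($outer_realm ne '' && $outer_realm ne $inner_realm) {
        &main::log($main::LOG_WARNING,
            "Outer identity '$outer' and inner identity '$inner' have different realms, rejecting");
        $$result_ref = $main::REJECT;
        $$reason_ref = 'Inner/outer realm mismatch';
        return;
    }

    # Return the real username in the Access-Accept so the NAS uses it in
    # the Accounting-Requests instead of the anonymous outer identity.
    $rp->changeUserName($inner);
    &main::log($main::LOG_DEBUG,
        "User-Name in Access-Accept set to inner identity '$inner'");
    return;
}
```

Use it in place of the per-inner-Handler hooks: the TunnelledBy* Handlers then need no PostAuthHook at all, and the outer Handler decides once, after the whole EAP conversation, what User-Name the NAS sees. Because the hook only rewrites the reply when an inner identity is present, it is safe to leave in place while the TTLS-with-inner-EAP export issue Heikki mentions is still open.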
