[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

[Heikki Vatiainen]

On 04/08/2014 11:36 PM, Michael Rodrigues wrote:

> When untarring the patches tarball patches-4.12.1-20140407.tar.gz in the 
> Radiator directory and testing the build, test "1d" fails to pass. Am I 
> applying the patches correctly? I read that there was information on the 
> site where the patches are downloaded, but I don't have direct access to 
> it as a colleague maintains the account.

Thanks for letting us know about this. The patches do not have the
recently updated test.pl. Test 1d does a Status-Server request against
Radiator and it now fails because it does not add Message-Authenticator
in the request. This requirement was just recently added in Radiator.
Status-Server requests with a correct Message-Authenticator will be
ignored from now on.

Updated test.pl was going to be in the next release, but it was
unfortunately not tagged to be in the patch set meanwhile. It will be in
the next patch set.

> I'm using:

> Ubuntu 12.04

Please make sure the system is updated with the latest OpenSSL patch for
the Heartbleed vulnerability.

> I also need to rewrite the outer identity before my AuthBy FILE sections 
> that check that the user is not on the blacklist. As configured, it will 
> check their anonymous ID against the blacklist, which does me no good.

For that you might consider an AuthBy INTERNAL that is evaluated before
the blacklists. This AuthBy has RequestHook that you can use to modify
the request before it is passed to the blacklist AuthBys.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.