[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

Michael Rodrigues mrodrigues at education.ucsb.edu
Fri Apr 18 11:31:03 CDT 2014


On 4/9/2014 8:01 AM, Heikki Vatiainen wrote:
> On 04/08/2014 11:36 PM, Michael Rodrigues wrote:
>
>> When untarring the patches tarball patches-4.12.1-20140407.tar.gz in the
>> Radiator directory and testing the build, test "1d" fails to pass. Am I
>> applying the patches correctly? I read that there was information on the
>> site where the patches are downloaded, but I don't have direct access to
>> it as a colleague maintains the account.
> Thanks for letting us know about this. The patches do not have the
> recently updated test.pl. Test 1d does a Status-Server request against
> Radiator and it now fails because it does not add Message-Authenticator
> in the request. This requirement was just recently added in Radiator.
> Status-Server requests with a correct Message-Authenticator will be
> ignored from now on.
>
> Updated test.pl was going to be in the next release, but it was
> unfortunately not tagged to be in the patch set meanwhile. It will be in
> the next patch set.
>
>> I'm using:
>> Ubuntu 12.04
> Please make sure the system is updated with the latest OpenSSL patch for
> the Heartbleed vulnerability.
Thanks for the heads up on this, I have since updated.

>
>> I also need to rewrite the outer identity before my AuthBy FILE sections
>> that check that the user is not on the blacklist. As configured, it will
>> check their anonymous ID against the blacklist, which does me no good.
I tried adding an AuthBy INTERNAL to the outer handler, using the perl 
snippet you had suggested with RequestHook. I get a hook error whenever 
it is called. I'm not a perl guru but I tried changing "${$_[1]}" to 
just "$_[1]" and got rid of the SCALAR error, but I was still getting a 
"Hook error" with no specific information.

Code:       Access-Request
Identifier: 155
Authentic:  <130>hZ<30><145><187>;<199><159><164>C<211><240>sT5
Attributes:
        User-Name = "anonymous-username"
        NAS-IP-Address = 10.99.1.250
        NAS-Port = 86
        EAP-Message = <2><0><0><13><1>anonymous-username
        Message-Authenticator = <144><11><139>5<132>u~@<7><150>m<155>q5{<221>

Fri Apr 18 09:22:30 2014: DEBUG: Handling request with Handler '', Identifier ''
Fri Apr 18 09:22:30 2014: DEBUG:  Deleting session for anonymous-username, 10.99.1.250, 86
Fri Apr 18 09:22:30 2014: DEBUG: Handling with Radius::AuthGROUP:
Fri Apr 18 09:22:30 2014: DEBUG: Handling with AuthINTERNAL:
Fri Apr 18 09:22:30 2014: ERR: Error in RequestHook(): Not a SCALAR reference at (eval 40) line 1.

Fri Apr 18 09:22:30 2014: DEBUG: Radius::AuthGROUP:  result: IGNORE, Hook error
Fri Apr 18 09:22:30 2014: DEBUG: AuthBy GROUP result: IGNORE, Hook error

> For that you might consider an AuthBy INTERNAL that is evaluated before
> the blacklists. This AuthBy has RequestHook that you can use to modify
> the request before it is passed to the blacklist AuthBys.
>
> Thanks,
> Heikki
>
Here's the updated config:

<Client 10.99.1.250>
    Secret testing123
</Client>

<Handler User-Name=/^host\//>
    # AuthBy INTERNAL will reject here
    # This catches computers trying to auth
</Handler>

<Handler TunnelledByPEAP=1>
    <AuthBy NTLM>
        NtlmAuthProg    /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
        Domain          AD
        EAPType         MSCHAP-V2
        AutoMPPEKeys
    </AuthBy>
</Handler>

<Handler TunnelledByTTLS=1>
    <AuthBy NTLM>
        NtlmAuthProg    /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
        Domain          AD
        AutoMPPEKeys
    </AuthBy>
</Handler>

<Handler>
    <AuthBy GROUP>

        AuthByPolicy ContinueWhileAccept

        <AuthBy INTERNAL>
            RequestHook sub { my $rp = ${$_[1]}; $rp->changeUserName($rp->{inner_identity}); }
            DefaultResult   ACCEPT
        </AuthBy>

        # Make sure MAC address is not blacklisted..
        <AuthBy FILE>
            NoEAP
            # Calling-Station-Id attribute is the user's MAC in this case.
            AuthenticateAttribute Calling-Station-Id
            AcceptIfMissing
            Filename /etc/radiator/MacAddrBlacklist.txt
        </AuthBy>

        # Make sure USERNAME is not blacklisted..
        <AuthBy FILE>
            NoEAP
            AcceptIfMissing
            Filename /etc/radiator/UsernameBlacklist.txt
        </AuthBy>

        <AuthBy NTLM>
            NtlmAuthProg    /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
            Domain          AD
            EAPType         PEAP, TTLS, MSCHAP-V2
            EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
            EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
            EAPTLS_CertificateType PEM
            EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
            EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
            AutoMPPEKeys
        </AuthBy>
    </AuthBy>
</Handler>




-- 
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
help at education.ucsb.edu
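The first point in the thread is that Radiator now insists on a Message-Authenticator in Status-Server requests, which is why the patch set's older test.pl fails test 1d. The following is an added example, not code from Radiator, from test.pl, or from either poster: it builds a Status-Server (or Access-Request) packet carrying a Message-Authenticator computed as in RFC 2869 section 5.14 (HMAC-MD5 over the whole packet with the attribute's own 16 value bytes zeroed), and a verifier that accepts the packet only when exactly one such attribute is present and verifies, so a request that omits it is refused. The shared secret `testing123` and identifier 155 are taken from the posted config and log; the NAS address and user name are reused from the posted packet dump purely as sample input.

```python
"""RADIUS request builder/verifier with Message-Authenticator (RFC 2869 s5.14, RFC 5997).
Added example; not part of Radiator, test.pl, or the original post."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
STATUS_SERVER = 12
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Request Authenticator(16)
MA_LEN = 16              # HMAC-MD5 output size


def encode_attribute(attr_type, value):
    """Encode one RADIUS TLV: Type(1) Length(1, including the 2-byte header) Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attributes(body):
    """Yield (offset_of_value_in_body, type, value); reject malformed lengths."""
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("bad attribute length")
        yield pos + 2, attr_type, body[pos + 2:pos + attr_len]
        pos += attr_len


def build_request(code, identifier, secret, attrs=(), request_authenticator=None,
                  with_message_authenticator=True):
    """Build a request packet. The Message-Authenticator is HMAC-MD5(secret, packet)
    taken with its own 16 value bytes zeroed; it is appended as the last attribute,
    so the zero placeholder is simply the packet's final 16 bytes."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)   # Status-Server uses a random authenticator
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    if with_message_authenticator:
        body += encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(MA_LEN))
    packet = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    packet += request_authenticator + body
    if with_message_authenticator:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-MA_LEN] + mac
    return packet


def verify_message_authenticator(packet, secret):
    """True only if the packet is well formed, carries exactly one 16-byte
    Message-Authenticator, and that HMAC verifies under `secret`. A packet with
    no Message-Authenticator fails, mirroring the Status-Server behaviour the
    thread describes."""
    if len(packet) < HEADER_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    try:
        tlvs = list(decode_attributes(packet[HEADER_LEN:]))
    except ValueError:
        return False
    hits = [(HEADER_LEN + off, val) for off, typ, val in tlvs
            if typ == ATTR_MESSAGE_AUTHENTICATOR]
    if len(hits) != 1 or len(hits[0][1]) != MA_LEN:
        return False
    offset, received = hits[0]
    zeroed = packet[:offset] + bytes(MA_LEN) + packet[offset + MA_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = b"testing123"          # the Client secret from the posted config
    status = build_request(STATUS_SERVER, 155, secret)
    print("Status-Server with MA verifies:   ", verify_message_authenticator(status, secret))
    bare = build_request(STATUS_SERVER, 156, secret, with_message_authenticator=False)
    print("Status-Server without MA verifies:", verify_message_authenticator(bare, secret))
```

The verifier deliberately refuses a packet with two Message-Authenticator attributes and one whose Length field disagrees with the datagram size, since both are shapes a proxy or attacker can produce and neither should reach the HMAC comparison.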