[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

Michael Rodrigues mrodrigues at education.ucsb.edu
Mon Apr 21 15:15:31 CDT 2014


Hi Heikki,

So if I have three AuthBys in the outer Handler (INTERNAL first for 
renaming, then two FILEs for checking MAC address and Username) am I 
correct in assuming that the two AuthBy FILEs will be operating on the 
request as altered by the initial AuthBy INTERNAL?

I made the suggested modification to the hook and it appears to execute, 
however, it seems to be replacing the username with a blank string ("") 
during Access-Challenge, and the subsequent AuthBy FILE sections are 
still using the "anonymous outer identity" when checking against the 
blacklist files I have.

I've included some sample output, the User-Name I expect to see (at 
least after GetInnerUsername runs) is "mrodrigues", but only the 
"anonymous outer identity" (gagagagagagagagagag) is visible. I also 
never manage to get an Access-Accept, which I do get if I comment out 
the GetInnerUsername AuthBy.

Code:       Access-Request
Identifier: 42
Authentic: ]'<227><149><18>8)"j-<175>-<25><4><182>]
Attributes:
         User-Name = "gagagagagagagagagag"
         NAS-IP-Address = 10.99.1.250
         NAS-Port = 66
         Framed-MTU = 1400
         Called-Station-Id = "00:04:96:3a:da:eb"
         Calling-Station-Id = "78:d6:f0:97:f7:d3"
         NAS-Port-Type = Wireless-IEEE-802-11
         NAS-Identifier = "AD-Auth-Dev"
         EAP-Message = <2><0><0><24><1>gagagagagagagagagag
         Message-Authenticator = 
<220><31>A/!6^<185><203>n<224><168>(<230>l<208>

Mon Apr 21 12:56:42 2014: DEBUG: Handling request with Handler '', 
Identifier ''
Mon Apr 21 12:56:42 2014: DEBUG:  Deleting session for 
gagagagagagagagagag, 10.99.1.250, 66
Mon Apr 21 12:56:42 2014: DEBUG: Handling with Radius::AuthGROUP:
Mon Apr 21 12:56:42 2014: DEBUG: Handling with AuthINTERNAL: 
GetInnerUsername
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthGROUP: GetInnerUsername 
result: ACCEPT, testing the hook
Mon Apr 21 12:56:42 2014: DEBUG: Handling with Radius::AuthFILE: 
CheckMacAddressBlacklist
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthFILE looks for match with 
78:d6:f0:97:f7:d3 [gagagagagagagagagag]
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthFILE REJECT: No such user: 
78:d6:f0:97:f7:d3 [gagagagagagagagagag]
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthGROUP: 
CheckMacAddressBlacklist result: ACCEPT,
Mon Apr 21 12:56:42 2014: DEBUG: Handling with Radius::AuthFILE: 
CheckUserBlacklist
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthFILE looks for match with 
gagagagagagagagagag [gagagagagagagagagag]
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthFILE REJECT: No such user: 
gagagagagagagagagag [gagagagagagagagagag]
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthGROUP: CheckUserBlacklist 
result: ACCEPT,
Mon Apr 21 12:56:42 2014: DEBUG: Handling with Radius::AuthNTLM:
Mon Apr 21 12:56:42 2014: DEBUG: Handling with EAP: code 2, 0, 24, 1
Mon Apr 21 12:56:42 2014: DEBUG: Response type 1
Mon Apr 21 12:56:42 2014: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Apr 21 12:56:42 2014: DEBUG: Radius::AuthGROUP:  result: CHALLENGE, 
EAP PEAP Challenge
Mon Apr 21 12:56:42 2014: DEBUG: AuthBy GROUP result: CHALLENGE, EAP 
PEAP Challenge
Mon Apr 21 12:56:42 2014: DEBUG: Access challenged for 
gagagagagagagagagag: EAP PEAP Challenge
Mon Apr 21 12:56:42 2014: DEBUG: Packet dump:
*** Sending to 10.99.1.250 port 51888 ....

Packet length = 48
0b 2a 00 30 2a 6f 55 9b 22 ba 50 16 82 c7 f0 aa
47 92 22 b9 01 02 4f 08 01 01 00 06 19 20 50 12
bd c9 eb a2 b2 cd 56 77 df 9a 3b 5a e1 d9 e7 0b
Code:       Access-Challenge
Identifier: 42
Authentic: *oU<155>"<186>P<22><130><199><240><170>G<146>"<185>
Attributes:
         User-Name = ""
         EAP-Message = <1><1><0><6><25>
         Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


On 4/21/2014 10:25 AM, Heikki Vatiainen wrote:
> On 04/18/2014 07:31 PM, Michael Rodrigues wrote:
>
>> I tried adding an AuthBy INTERNAL to the outer handler, using the perl
>> snippet you had suggested with RequestHook. I get a hook error whenever
>> it is called. I'm not a perl guru but I tried changing "${$_[1]}" to
>> just "$_[1]" and got rid of the SCALAR error, but I was still getting a
>> "Hook error" with no specific information.
> Hello Michael,
>
> your hook needs a couple of small changes. Try this.
>
> RequestHook sub { my $rp = $_[1];
> $rp->changeUserName($rp->{inner_identity}); return $main::ACCEPT;}
>
> The hook parameter types depend on the hook. With RequestHook the Hook
> gets passed a reference, not a reference to a reference like it does for
> some Hooks. Also, you need to return a suitable return value because
> AuthBy INTERNAL checks what the hook returns.
>
> Thanks,
> Heikki
>

-- 
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
help at education.ucsb.edu
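Added example, not code from this thread or from Radiator itself. It takes the RequestHook shape from Heikki's reply and exercises it with plain perl against a small stand-in for the Radiator request object, so it runs outside Radiator. The stand-in (FakeRequest, its changeUserName and get_attr methods) and the value of $main::ACCEPT are assumptions made for the example. One possible reading of the blank User-Name in the Access-Challenge above is that $rp->{inner_identity} is not yet set when the hook runs on the outer EAP Identity round, since with PEAP the inner identity only arrives later inside the TLS tunnel; the hook below therefore renames only when a non-empty inner identity is present and otherwise leaves the outer User-Name alone.

```perl
#!/usr/bin/perl
# Added example, not from the thread or from Radiator. It runs the hook
# logic from Heikki's reply against a constructed stand-in request object.
# Assumption: on the first outer PEAP round (EAP Identity) there is no
# inner_identity yet, because it only arrives inside the TLS tunnel.
use strict;
use warnings;

# Minimal stand-in for a Radiator request object (assumed interface):
# only the pieces the hook touches are modelled.
package FakeRequest;

sub new {
    my ($class, %attrs) = @_;
    return bless { %attrs }, $class;
}

# Radiator's real changeUserName also rewrites the User-Name attribute;
# here it simply stores the new value.
sub changeUserName {
    my ($self, $name) = @_;
    $self->{'User-Name'} = $name;
}

sub get_attr {
    my ($self, $key) = @_;
    return $self->{$key};
}

package main;

# Placeholder for $main::ACCEPT; Radiator defines the real constants.
our $ACCEPT = 0;

# The hook body as Radiator would call it: $_[1] is the request.
# Rename only when the inner identity is known and non-empty, so an
# anonymous outer identity is never replaced with an empty string.
my $request_hook = sub {
    my $rp    = $_[1];
    my $inner = $rp->{inner_identity};
    if (defined $inner && length $inner) {
        $rp->changeUserName($inner);
    }
    return $main::ACCEPT;
};

# Constructed sample requests, not captured packets.
my $first_round = FakeRequest->new(
    'User-Name' => 'gagagagagagagagagag',   # no inner_identity yet
);
my $later_round = FakeRequest->new(
    'User-Name'    => 'gagagagagagagagagag',
    inner_identity => 'mrodrigues',         # inner identity now known
);

for my $req ($first_round, $later_round) {
    my $rc = $request_hook->(undef, $req);
    printf "hook returned %d, User-Name is now '%s'\n",
        $rc, $req->get_attr('User-Name');
}
# The first request keeps its outer identity; the second is renamed to
# mrodrigues. Any AuthBy that runs after this hook in the same Handler
# sees whichever User-Name the hook left in place.
```

To use the guarded form inside Radiator, the body of $request_hook goes into the RequestHook of the AuthBy INTERNAL as in Heikki's one-liner; the FakeRequest class exists only so the logic can be exercised with plain perl.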


