[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

Heikki Vatiainen hvn at open.com.au
Tue Apr 22 05:03:40 CDT 2014


On 04/21/2014 11:15 PM, Michael Rodrigues wrote:

> So if I have three AuthBys in the outer Handler (INTERNAL first for 
> renaming, then two FILEs for checking MAC address and Username) am I 
> correct in assuming that the two AuthBy FILEs will be operating on the 
> request as altered by the initial AuthBy INTERNAL?

Yes, that is correct. Any modifications to request or reply objects are
visible for the subsequent AuthBys.

> I made the suggested modification to the hook and it appears to execute, 
> however, it seems to be replacing the username with a blank string ("") 
> during Access-Challenge, and the subsequent AuthBy FILE sections are 
> still using the "anonymous outer identity" when checking against the 
> blacklist files I have.

Looking at the configuration you sent previously, I'd say the real inner
identity is available once the inner authentication has completed the
EAP Identity exchange. That is, there are a number of requests and
responses to get the TLS tunnel working, after that the real identity is
sent by the peer over the TLS tunnel. When that has happened, you should
see the real identity.

It might also be worth considering doing the blacklisting with the inner
Handler. If you use the outer Handler, it will eventually see the inner
identity, but with the inner Handler, it will not need to query the
blacklists for all requests, just the inner requests.

You might want to search for 'Tunnelled' to see what the inner requests
look like and if they would be more useful for implementing blacklisting
based on usernames (EAP inner identity). MAC address based blacklisting
could be in the outer Handler since the MAC is not included in the inner
auth information.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
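As an added illustration of the inner/outer Handler split Heikki describes above (this is not configuration from the thread or from the Radiator distribution): the username blacklist is checked only in the Handler that receives the tunnelled inner requests, and the MAC blacklist stays in the outer Handler where Calling-Station-Id is present. The Handler, TunnelledByPEAP, AuthBy FILE, Filename, AuthByPolicy, Auth-Type and Calling-Station-Id names are standard Radiator configuration items; the file paths, identifiers and blacklist contents are constructed, and the EAP and NTLM parameters are left out because they depend on the existing setup.

```text
# Added example (assumptions: PEAP as the outer method, AuthBy NTLM as the
# inner authenticator, constructed blacklist files under %D).

# Outer Handler: sees only the anonymous outer identity and the MAC
# address in Calling-Station-Id, so only the MAC blacklist belongs here.
<Handler>
    # Stop at the first AuthBy that rejects; continue while they accept.
    AuthByPolicy ContinueWhileAccept

    <AuthBy FILE>
        # Constructed file %D/mac-blacklist, one DEFAULT entry per
        # blocked MAC followed by a catch-all that lets everything
        # else through to the next AuthBy:
        #   DEFAULT Calling-Station-Id = "00-11-22-33-44-55", Auth-Type = Reject
        #   DEFAULT Auth-Type = Accept
        Filename %D/mac-blacklist
    </AuthBy>

    # ... the existing outer EAP (PEAP) AuthBy follows here, unchanged ...
</Handler>

# Inner Handler: matches only requests that arrived through the PEAP
# tunnel, so the blacklist is queried once per inner request rather
# than for every TLS handshake fragment, and User-Name here is the
# real inner identity, not the anonymous outer one.
<Handler TunnelledByPEAP=1>
    AuthByPolicy ContinueWhileAccept

    <AuthBy FILE>
        # Constructed file %D/user-blacklist, one line per blocked
        # inner identity and a final catch-all:
        #   blocked.user    Auth-Type = Reject
        #   DEFAULT         Auth-Type = Accept
        Filename %D/user-blacklist
    </AuthBy>

    <AuthBy NTLM>
        # ... the existing NTLM parameters, unchanged ...
    </AuthBy>
</Handler>
```

With ContinueWhileAccept, an Auth-Type = Reject match in either blacklist file ends processing with a reject, while the catch-all DEFAULT Auth-Type = Accept entry hands every other request on to the next AuthBy, so the password is still verified by NTLM and not by the blacklist file.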

