[RADIATOR] PEAP and realm check

Klara Mall klara.mall at kit.edu
Tue Aug 19 16:06:18 CDT 2014


Hi,

On Tue, Aug 19, 2014 at 02:39:02PM -0600, Roberto Pantoja wrote:
> you can do something similar to this:
> 
> <Handler TunnelledByPEAP=1>
>         AuthByPolicy ContinueUntilAcceptOrChallenge
> 
>         # ActiveDirectory Group 1
>         <AuthBy NTLM>
>                 Identifier Group1-PEAP
>                 NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIT/Group1
>                 Domain KIT
>                 DefaultDomain KIT
>                 EAPType MSCHAP-V2
>                 ## Specific configuration for this group
>         </AuthBy>
> 
>         # ActiveDirectory Group 2
>         <AuthBy NTLM>
>                 Identifier Group2-PEAP
>                 NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIT/Group2
>                 Domain KIT
>                 DefaultDomain KIT
>                 EAPType MSCHAP-V2
>                 ## Specific configuration for this group
>         </AuthBy>
> </Handler>
> 
> <Handler>
>         AuthByPolicy ContinueUntilAcceptOrChallenge
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP
>                 EAPTLS_CAFile %D/certificates/cacert.pem
>                 EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
>                 EAPTLS_PrivateKeyPassword scdm2k13
>                 EAPTLS_MaxFragmentSize 1024
>                 EAPTLS_PEAPVersion 0
>                 EAPTLS_PEAPBrokenV1Label
>                 AutoMPPEKeys
>         </AuthBy>
> </Handler>

Thanks for your suggestion. First: the number of groups won't be
limited, so worst-case there will be far too many useless
authentications. And that happens anyway if the given user password is
wrong.

But much more important: each group correlates with a VLAN. The
realm which the user puts behind his user name indicates in which
VLAN he wants to be put after authentication. You have to know: it
is not unusual that he is a member of more than one of these groups, so
he is forced to indicate the VLAN which he wishes to use. By a group
membership check with the correlating group it is checked whether he is
allowed to use this VLAN. Moreover, in every handler there are reply
attributes that tell the controller in which VLAN the user wants to
be put. So your approach won't have the desired result: if the user
is a member of group 1, he will always be put in VLAN 1 regardless of
which VLAN he wanted to use.

Kind regards
Klara
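
Editor's note: the following is an added illustration of the realm-selects-VLAN scheme Klara describes, not configuration posted by either participant. It keeps the structure of the quoted config but selects the inner handler by the realm of the tunnelled identity instead of trying every group in turn. The realm names `vlan1`/`vlan2`, the VLAN IDs `101`/`102`, the group names `KIT/Group1`/`KIT/Group2`, the key password and the `ntlm_auth` path are placeholders, and the setup assumes users authenticate inside PEAP as `user@vlan1` or `user@vlan2`. It also adds a catch-all inner handler so that an unknown realm is rejected instead of falling through to the outer `<Handler>`, which matches every request.

```text
# Added example, not from the original thread. Placeholders: realms vlan1/vlan2,
# VLAN IDs 101/102, groups KIT/Group1 and KIT/Group2, key password.
#
# Inner (tunnelled) handlers must come before the catch-all outer handler,
# because Radiator uses the first Handler whose attributes match.

# Realm "vlan1": only members of KIT/Group1 may choose this VLAN.
<Handler TunnelledByPEAP=1, Realm=vlan1>
        # Strip "@vlan1" before handing the name to ntlm_auth; the
        # Handler has already been selected on the full realm.
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy NTLM>
                Identifier Vlan1-PEAP
                NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIT/Group1
                Domain KIT
                DefaultDomain KIT
                EAPType MSCHAP-V2
                # Reply attributes tied to THIS realm, so the user lands in the
                # VLAN he asked for (and was authorised for), not the first one
                # he happens to be a member of.
                AddToReply Tunnel-Type=VLAN,Tunnel-Medium-Type=IEEE-802,Tunnel-Private-Group-ID=101
        </AuthBy>
</Handler>

# Realm "vlan2": only members of KIT/Group2 may choose this VLAN.
<Handler TunnelledByPEAP=1, Realm=vlan2>
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy NTLM>
                Identifier Vlan2-PEAP
                NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIT/Group2
                Domain KIT
                DefaultDomain KIT
                EAPType MSCHAP-V2
                AddToReply Tunnel-Type=VLAN,Tunnel-Medium-Type=IEEE-802,Tunnel-Private-Group-ID=102
        </AuthBy>
</Handler>

# Any other tunnelled realm (or no realm at all): reject explicitly.
# Without this, such an inner request would match the plain <Handler>
# below and be checked against %D/users instead of the directory.
<Handler TunnelledByPEAP=1>
        <AuthBy INTERNAL>
                DefaultResult REJECT
        </AuthBy>
</Handler>

# Outer PEAP handler: terminates the TLS tunnel; the inner MSCHAP-V2
# request is re-dispatched to the TunnelledByPEAP handlers above.
<Handler>
        <AuthBy FILE>
                Filename %D/users
                EAPType PEAP
                EAPTLS_CAFile %D/certificates/cacert.pem
                EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
                EAPTLS_PrivateKeyPassword changeme
                EAPTLS_MaxFragmentSize 1024
                EAPTLS_PEAPVersion 0
                EAPTLS_PEAPBrokenV1Label
                AutoMPPEKeys
        </AuthBy>
</Handler>
```

With this layout each inner request triggers exactly one `ntlm_auth` call, the group check in that call is the authorisation decision for the VLAN the user named, and a wrong password or a realm the user is not entitled to produces a single Access-Reject rather than a walk through every group. Radiator carries the inner Access-Accept's reply attributes out to the outer accept, which is what delivers the `Tunnel-*` attributes to the controller; confirm that on your version before relying on it.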

