[RADIATOR] PEAP and realm check
hvn at open.com.au
Tue Aug 19 16:34:36 CDT 2014
On 08/19/2014 08:50 PM, Klara Mall wrote:
> <AuthBy LDAP2>
> Identifier ldap-ad-kit-eap
> Include %D/server/KIT-DC-01
> BaseDN dc=kit,dc=edu
> Timeout 5
> UsernameAttr sAMAccountName
> EAPType PEAP
> EAPTLS_CAFile %D/certificates/chain-kit-ca.pem
> EAPTLS_CertificateFile %D/certificates/server.pem
> EAPTLS_CertificateType PEM
> EAPTLS_MaxFragmentSize 1000
> EAPTLS_PrivateKeyFile %D/certificates/server.key
> EAPTLS_PEAPVersion 0
Try adding 'EAPAnonymous %u' here. The default value for EAPAnonymous is
'anonymous'. See below for more.
> BTW: The same setup with EAP-TTLS/PAP is no problem. With TTLS I see that the
> checked realm is the one of the inner identity which seems reasonable for me.
The first request that gets tunnelled by EAP-TTLS/PAP contains
User-Name. This is why you do not see 'anonymous' but the real inner
User-Name in the request.
> I'm also wondering where User-Name anonymous in the log comes from
> as I don't use "anonymous" as anonymous identity here.
EAPAnonymous in the outer request sets the value of User-Name attribute
in the inner request if the inner request does not have User-Name.
EAP-TTLS/PAP does have User-Name, so that's why you see what you expect.
PEAP encapsulates inner EAP messages and for these inner EAP requests
Radiator creates a message that looks like a RADIUS message. The inner
EAP message goes to EAP-Message attribute, a User-Name is created and
NAS-IP-Address, NAS-Identifier and Calling-Station-Id are copied from
the outer request so that they can be used by the inner AuthBy if needed.
If you set EAPAnonymous to %u, the inner User-Name will get its value
from the outer User-Name. %0 is special: the inner User-Name will be the
EAP Identity which is carried by the first tunnelled request.
This also means that the first tunnelled request will have empty
User-Name since the identity is not known yet. After the first request
has been processed by the inner AuthBy, the subsequent tunnelled
requests will have User-Name with a value: the identity the inner EAP uses.
> Can you help here? I need this because later I have to expand ntlm_auth with
> --require-membership-of= with a variable group name (though I had to patch
> radiator for this to work - there will be another email for this :) ).
Hopefully the above helps. With %u the users can use
anonymous@colubris-test to hide the real username (the inner identity in
PEAP/EAP-MSCHAP-V2) but will need to have the correct realm.
Note: User-Name allows you to select the correct Handler for the inner
request. The inner identity is used for the authentication.
Heikki Vatiainen <hvn at open.com.au>
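As an added illustration (not Radiator's own code), the following Python models the inner-request construction described in this reply: how EAPAnonymous ('anonymous', %u or %0) and a tunnelled User-Name decide the inner User-Name, and which Handler a realm check then selects. The outer request values, the Handler names and the EAP message bytes are constructed; the realms colubris-test and kit.edu are taken from the thread.

```python
# Added example, not Radiator's code: a model of how the inner PEAP request
# gets its User-Name from EAPAnonymous, and what a realm check then sees.
# Attribute names follow the mail; handler names and sample values are assumed.

COPIED_FROM_OUTER = ("NAS-IP-Address", "NAS-Identifier", "Calling-Station-Id")

def inner_user_name(eap_anonymous, outer, tunnelled_identity=None, tunnel_user_name=None):
    """User-Name placed in the synthetic inner request.

    eap_anonymous: EAPAnonymous value, 'anonymous' (default), '%u' or '%0'
    outer: outer RADIUS request attributes
    tunnelled_identity: EAP Identity learned from the first tunnelled request,
        None until the inner AuthBy has processed it
    tunnel_user_name: User-Name carried inside the tunnel (EAP-TTLS/PAP)
    """
    if tunnel_user_name is not None:        # TTLS/PAP already carries User-Name
        return tunnel_user_name
    if eap_anonymous == "%u":               # copy the outer User-Name
        return outer["User-Name"]
    if eap_anonymous == "%0":               # EAP Identity; empty on the first request
        return tunnelled_identity or ""
    return eap_anonymous                    # a literal such as the default 'anonymous'

def build_inner_request(outer, eap_message, eap_anonymous="anonymous",
                        tunnelled_identity=None, tunnel_user_name=None):
    """RADIUS-like message Radiator hands to the inner AuthBy (as the mail describes)."""
    inner = {k: outer[k] for k in COPIED_FROM_OUTER if k in outer}  # only these are copied
    inner["EAP-Message"] = eap_message
    inner["User-Name"] = inner_user_name(eap_anonymous, outer, tunnelled_identity, tunnel_user_name)
    return inner

def realm_of(user_name):
    """Realm after the last '@'; '' when absent, so a Realm check cannot match."""
    return user_name.rpartition("@")[2] if "@" in user_name else ""

def select_handler(inner, handlers):
    """Name of the first Handler whose Realm equals the inner realm, else None."""
    realm = realm_of(inner["User-Name"])
    return next((name for name, r in handlers if r == realm), None)

# Constructed sample data: realm names borrowed from the thread, other values assumed.
EAP_MSG = b"<tunnelled EAP message>"
OUTER = {"User-Name": "anonymous@colubris-test", "NAS-IP-Address": "192.0.2.10",
         "NAS-Identifier": "ap-lab", "Calling-Station-Id": "00-11-22-33-44-55",
         "Framed-IP-Address": "192.0.2.99"}          # not copied to the inner request
HANDLERS = [("peap-kit", "colubris-test"), ("ttls-kit", "kit.edu")]

def walk_through():
    """Handler chosen per EAPAnonymous setting; None means the realm check failed."""
    return {
        "anonymous": select_handler(build_inner_request(OUTER, EAP_MSG), HANDLERS),
        "%u": select_handler(build_inner_request(OUTER, EAP_MSG, "%u"), HANDLERS),
        "%0 first": select_handler(build_inner_request(OUTER, EAP_MSG, "%0"), HANDLERS),
        "%0 later": select_handler(build_inner_request(OUTER, EAP_MSG, "%0", "klara@kit.edu"), HANDLERS),
        "ttls/pap": select_handler(build_inner_request(OUTER, EAP_MSG, tunnel_user_name="klara@kit.edu"), HANDLERS),
    }

if __name__ == "__main__":
    for setting, handler in walk_through().items():
        print(f"EAPAnonymous {setting:>9}: handler {handler}")
```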