[RADIATOR] PEAP and realm check

Heikki Vatiainen hvn at open.com.au
Tue Aug 19 16:34:36 CDT 2014 

On 08/19/2014 08:50 PM, Klara Mall wrote:

> <AuthBy LDAP2>
>         Identifier ldap-ad-kit-eap
>         Include %D/server/KIT-DC-01
>         BaseDN          dc=kit,dc=edu
>         Timeout 5
>         ServerChecksPassword
>         UsernameAttr sAMAccountName
>         PasswordAttr
> 
>         EAPType PEAP
>         EAPTLS_CAFile %D/certificates/chain-kit-ca.pem
>         EAPTLS_CertificateFile %D/certificates/server.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_MaxFragmentSize 1000
>         EAPTLS_PrivateKeyFile %D/certificates/server.key
>         EAPTLS_PEAPVersion 0
>         EAPTLS_PEAPBrokenV1Label
>         AutoMPPEKeys

Try adding 'EAPAnonymous %u' here. The default value for EAPAnonymous is
'anonymous'. See below for more.

> </AuthBy>

> BTW: The same setup with EAP-TTLS/PAP is no problem. With TTLS I see that the
> checked realm is the one of the inner identity which seams reasonable for me.

The first request that gets tunnelled by EAP-TTLS/PAP contains
User-Name. This is why you do not see 'anonymous' but the real inner
User-Name in the request.

> I'm also wondering where User-Name anonymous in the log comes from
> as I don't use "anonymous" as anonymous identity here. 

EAPAnonymous in the outer request sets the value of User-Name attribute
in the inner request if the inner request does not have User-Name.
EAP-TTLS/PAP does have User-Name, so that's why you see what you expect.

PEAP encapsulates inner EAP messages and for these inner EAP requests
Radiator creates a message that looks like a RADIUS message. The inner
EAP message goes to EAP-Message attribute, a User-Name is created and
NAS-IP-Address, NAS-Identifier and Calling-Station-Id are copied from
the outer request so that they can be used by the inner AuthBy if needed.

If you set EAPAnonymous to %u, the inner User-Name will get its value
from the outer User-Name. %0 is special: the inner User-Name will be the
EAP Identity which is carried by the first tunnelled request.

This also means that the first tunnelled request will have empty
User-Name since the identity is not know yet. After the first request
has been processed by the inner AuthBy, then the subsequent tunnelled
requests will have User-Name with a value; the identity inner EAP uses.

> Can you help here? I need this because later I have to expand ntlm_auth with
> --require-membership-of= with a variable group name (though I had to patch
> radiator for this to work - there will be another email for this :) ).

Hopefully the above helps. With %u the users can use
anonymous at colubris-test to hide the real username (the inner identity in
PEAP/EAP-MSCHAP-V2) but will need to have the correct realm.

Note: User-Name allows you to select the correct Handler for the inner
request. The inner identity is used to for the authentication.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list