[RADIATOR] PEAP and realm check

Heikki Vatiainen hvn at open.com.au
Wed Aug 20 13:27:30 CDT 2014


On 08/20/2014 01:55 AM, Klara Mall wrote:

> I think I prefer %0 to %u because then it would be identical to
> TTLS/PAP.

The difference is with the first tunnelled request, which will have an empty
User-Name. You could consider this:

<Handler TunnelledByPEAP=1, Realm=a.kit.edu>
...
</Handler>
<Handler TunnelledByPEAP=1, Realm=b.kit.edu>
...
</Handler>
<Handler TunnelledByPEAP=1>
   <AuthBy FILE>
      Filename /dev/null
   </AuthBy>
</Handler>

The above will handle all PEAP tunnelled requests that have known realms
and ground the requests with unknown realms. It will also catch the
first tunnelled request with an empty User-Name, but since it will only
establish the inner EAP identity and launch EAP-MSCHAP-V2, it will not
cause an authentication failure. The subsequent requests will have a
User-Name based on the inner EAP identity, and a different Handler is chosen.

If you look at the logs, the first inner request likely hits the outer
Handler, which works too, but the above will make it clear that all inner
requests will be handled by Handlers with TunnelledByPEAP.

> I.e. I can write in the user guide: "please make sure that
> your inner identity contains the vlan realm." As far as I understand
> the anonymous identity is without effect then (they can use
> anonymous or anymous at colubris-test or ...). Hope I got that right.
> My tests look like that anyway.

Correct. With EAPAnonymous %0, the inner User-Name is never the
User-Name from the incoming RADIUS request (the outer PEAP does have an
identity too, but it is normally the same as User-Name unless the User-Name
attribute has been rewritten).

The purpose of anonymous identity is only to get the request to the
correct authentication server within the campus or across eduroam, etc.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>
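As an added example (not from the original message and not Radiator's own shipped configuration), this is how the tunnelled Handlers above fit together with an outer PEAP Handler that uses EAPAnonymous %0. Certificate paths, user file names, realms and VLAN ids are placeholders, and the AddToReply VLAN lines are an assumption about how the "vlan realm" is meant to be used.

```apacheconf
# Added example, not from the original message. Certificate paths,
# user files, realms and VLAN ids are placeholders.
# Radiator uses the first Handler whose check items match, so the
# TunnelledByPEAP Handlers must come before the outer default Handler.

# Inner requests for known realms. With EAPAnonymous %0 (below) the
# User-Name here is the inner EAP identity, so the realm is whatever
# the user typed as the inner identity, not the anonymous outer one.
<Handler TunnelledByPEAP=1, Realm=a.kit.edu>
    <AuthBy FILE>
        Filename %D/users-a.kit.edu
        EAPType MSCHAP-V2
    </AuthBy>
    # Assumption: one VLAN per realm (the "vlan realm" convention)
    AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=10
</Handler>

<Handler TunnelledByPEAP=1, Realm=b.kit.edu>
    <AuthBy FILE>
        Filename %D/users-b.kit.edu
        EAPType MSCHAP-V2
    </AuthBy>
    AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=20
</Handler>

# Catch-all for inner requests: grounds unknown realms. The very first
# inner request (empty User-Name, just the EAP identity exchange) also
# lands here without failing, because no password is checked yet.
<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        Filename /dev/null
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

# Outer Handler: terminates the PEAP TLS tunnel. EAPAnonymous %0 makes
# the tunnelled User-Name come from the inner EAP identity, never from
# the outer (anonymous) RADIUS User-Name.
<Handler>
    <AuthBy FILE>
        Filename /dev/null
        EAPType PEAP
        EAPAnonymous %0
        EAPTLS_CAFile /etc/radiator/certs/ca.pem
        EAPTLS_CertificateFile /etc/radiator/certs/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/certs/server.key
        EAPTLS_PrivateKeyPassword placeholder
        AutoMPPEKeys
    </AuthBy>
</Handler>
```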
