[RADIATOR] PEAP and realm check
Klara Mall
klara.mall at kit.edu
Wed Aug 20 18:26:24 CDT 2014
Hi,
On Wed, Aug 20, 2014 at 09:27:30PM +0300, Heikki Vatiainen wrote:
> On 08/20/2014 01:55 AM, Klara Mall wrote:
>
> > I think I prefer %0 to %u because then it would be identical to
> > TTLS/PAP.
>
> The difference is with the first tunnelled request which will have empty
> User-Name. You could consider this:
>
> <Handler TunnelledByPEAP=1, Realm=a.kit.edu>
> ...
> </Handler>
> <Handler TunnelledByPEAP=1, Realm=b.kit.edu>
> ...
> </Handler>
> <Handler TunnelledByPEAP=1>
> <AuthBy FILE>
> Filename /dev/null
> </AuthBy>
> </Handler>
>
> The above will handle all PEAP tunnelled requests that have known realms
> and ground the requests with unknown realms. It will also catch the > first tunnelled request with empty User-Name, but since it will only
> establish the inner EAP identity and launch EAP-MSCHAP-V2, it will not
> cause an authentication failure. The subsequent requests will have
> User-Name based on the inner EAP identity and different Handler is chosen.
>
> If you look at the logs, the first inner request likely hits the outer
> Handler which works too, but the above will make clear that all inner
> requests will be handled by Handlers with TunnelledByPEAP.
Thanks, I understand. This seems to be a very good way to realise
it. I will try this.
> > I.e. I can write in the user guide: "please make sure that
> > your inner identity contains the vlan realm." As far as I understand
> > the anonymous identity is without effect then (they can use
> > anonymous or anymous at colubris-test or ...). Hope I got that right.
> > My tests look like that anyway.
>
> Correct. With EAPAnonymous %0, the inner User-Name is never the
> User-Name from the incoming RADIUS request (the outer PEAP does have
> identity too, but it is normally the same as User-Name unless User-Name
> attribute has been rewritten).
What do you mean with "the incoming RADIUS request"? The outer
request?
> The purpose of anonymous identity is only to get the request to the
> correct authentication server within the campus or across eduroam, etc.
Ok, so this really doesn't matter as in this context there's no
roaming involved.
Regards
Klara
More information about the radiator
mailing list