[RADIATOR] multiple EAP-TLS AuthBys

Hartmaier Alexander alexander.hartmaier at t-systems.at
Mon Feb 3 10:46:06 CST 2014


Hi Heikki,

On 2014-02-03 17:10, Heikki Vatiainen wrote:
> On 01/31/2014 02:23 PM, Hartmaier Alexander wrote:
>
>> I'm trying to get a wired and wireless 802.1x config working where in
>> one building shared Cisco IOS switches and Cisco WLAN controllers are
>> used for multiple companies, each with its own CA.
>> My handler config is below and as you can see the EAPTLS settings share
>> the same radius server certificate but only differ in the CA cert used
>> to validate the client's cert.
> If the clients have different certs from different CAs, you should be
> able to use EAPTLS_CAPath instead of EAPTLS_CAFile.
>
> Note that the certificate file names have special requirements. See
>  https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
>
> and look for the c_rehash utility.
I'm already using that for one of the AuthBy's because the certs come
from an old and a new CA.
>
>> The level 4 trace showed that the first AuthBy responds with a challenge
>> which didn't match the ContinueUntilAccept AuthByPolicy so the second
>> AuthBy was triggered which failed as well.
>>
>> I've changed the AuthByPolicy to ContinueUntilAcceptOrChallenge but now
>> always the first AuthBy is checked until the client gives up authenticating.
> I'd say CAPath is a better idea than trying to match client CAs with
> individual AuthBys unless there is a way to differentiate between clients.
>
> Is there anything in the requests clients generate that could help with
> choosing the correct Handler?
Sadly not because the requirement is to have a single SSID for all
companies, the same goes for wired 802.1x where the same switch port
should be put into a specific VLAN per company.
>
>> Another possibility would be a single AuthBy with all CA certs but how
>> would I differentiate which one matched to send different
>> Tunnel-Private-Group-ID values back?
> You might be able to use EAPTLS_CertificateVerifyHook to check which CA
> matched. However, I have not checked in detail if this is possible. I
> would first see if the requests have any information that could help
> with Handler selection.
I already wrote a handler but the weird things are:
- $matchedcn is undefined. Is this because I'm doing AuthBy FILE with
AcceptIfMissing or because of EAPTLS_NoCheckId?
- I don't have access to the reply packet in the hook which makes
assigning a different value to the Tunnel-Private-Group-ID attribute
more complicated than necessary.

>
> Thanks,
> Heikki
>
Cheers, Alex
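
The CAPath file naming discussed in this thread, and one way to tell which CA issued a client certificate, as an added example that is not part of the original messages and does not use Radiator itself. It uses only the `openssl` command line; the company names, user names and VLAN IDs 110/120 are constructed, and it assumes client certificates are issued directly by each company's root CA.

```shell
#!/usr/bin/env bash
# Added example: all CAs, certificates and VLAN IDs below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: throwaway self-signed CA in $WORK/NAME-ca.{key,pem}
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=$1/CN=$1 CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# make_client COMPANY USER: client certificate signed by that company's CA
make_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/O=$1/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 1 -out "$WORK/$2.pem" \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial 2>/dev/null
}

# install_ca PEM DIR: link the CA as <subject-hash>.N, the only name a CAPath
# lookup will find (this is what c_rehash automates)
install_ca() {
  hash=$(openssl x509 -in "$1" -noout -subject_hash)
  n=0
  while [ -e "$2/$hash.$n" ]; do n=$((n + 1)); done
  ln -s "$1" "$2/$hash.$n"
}

# vlan_for CERT: verify against the shared CAPath first, then map the issuing
# CA to a VLAN ID (the value that would go into Tunnel-Private-Group-ID)
vlan_for() {
  openssl verify -CApath "$WORK/capath" "$1" >/dev/null 2>&1 || { echo reject; return; }
  case "$(openssl x509 -in "$1" -noout -issuer_hash)" in
    "$HASH_A") echo 110 ;;
    "$HASH_B") echo 120 ;;
    *) echo reject ;;
  esac
}

mkdir "$WORK/capath"
for ca in CompanyA CompanyB Outsider; do make_ca "$ca"; done
install_ca "$WORK/CompanyA-ca.pem" "$WORK/capath"   # Outsider is deliberately
install_ca "$WORK/CompanyB-ca.pem" "$WORK/capath"   # left out of the CAPath
HASH_A=$(openssl x509 -in "$WORK/CompanyA-ca.pem" -noout -subject_hash)
HASH_B=$(openssl x509 -in "$WORK/CompanyB-ca.pem" -noout -subject_hash)
make_client CompanyA alice; make_client CompanyB bob; make_client Outsider mallory
for u in alice bob mallory; do echo "$u -> $(vlan_for "$WORK/$u.pem")"; done
```

The issuer hash is only compared after chain verification succeeds, since the issuer name in a certificate is not proof of who signed it.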

