[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

Michael Rodrigues mrodrigues at education.ucsb.edu
Wed Mar 26 12:33:58 CDT 2014


Hi all,

I've been using RADIATOR for 4 or 5 years using EAP-TTLS PAP against an 
LDAP database. We now have an Active Directory that is synced with LDAP, 
so all users and their passwords are now in AD. With the LDAP database, 
we had to configure every client manually (these are student computers 
we don't own) for wireless to work. This could sometimes take 20-30 
minutes with Apple clients and involved installing SecureW2 on Windows.

My goal now is to transition to using AuthBy NTLM with PEAP, TTLS, and 
MSCHAP-V2 in place of AuthBy LDAP2 so users can just type their
username and password when prompted, while maintaining backwards 
compatibility with the EAP-TTLS PAP machines that were already 
configured. The config I have does do this, but it also allows domain 
computers to authenticate as computers; I don't want this. So it comes 
down to a few questions:

 1. How do I allow only directory users to authenticate, while
    preventing machine accounts from being authenticated?
 2. Will the eap_acct_username.pl prevent users from showing up as
    'anonymous' in my accounting requests for all allowed types of auth?
    (PEAP, TTLS, MSCHAP-V2)
 3. Will disabling machine authentication have any effect on SSO, so that
    a user can log in to a domain computer and automatically authenticate
    to the wifi (assuming the proper GPOs are in place)?

Here's my configuration:

##########                      ##########
#####   Radiator Configuration       #####
#########                       ##########

##      Updated 03/26/14 mbr
##      Note this file is derived from pre-testing version provided by <mrodrigues

# This handler catches all "Accounting-Request" packets.
# We only log Start and Stop accounting packets as Alive
# packets are basically useless for our purposes. If you
# would like to grab these packets, delete the "HandleAcctStatusTypes"
# directive below, or edit as obviously necessary.

#<Handler Request-Type=Accounting-Request>
#
#<AuthBy SQL>
#        DBSource        dbi:mysql:radius:127.0.0.1:3306
#        DBUsername      radius
#        DBAuth          xxx
#        HandleAcctStatusTypes Start,Stop
#
#        # This statement inserts the accounting information into the SQL database.
#        AcctSQLStatement insert into ggse_public values('%{Acct-Session-Id}','%{Framed-IP-Address}','%{User-Name}','%{Acct-Status-Type}','%{Extreme-SSID}','%{Connect-Info}','%{Acct-Delay-Time}','%{Timestamp}','%{Calling-Station-Id}',NULL);
#
#        # This will log messages from within the SQL insert statement
#        <Log FILE>
#                Filename debug.config
#        </Log>
#</AuthBy>
#
#</Handler>

# Below was added on 2/4/13 to catch ALL iterations of logins that are
# BlackListed.
RewriteUsername         tr/A-Z/a-z/

# These are the IPs from which calls to the RADIUS server are allowed.
<Client 10.99.1.250>
        Secret testing123
        DupInterval 0
</Client>

<Handler>
        # This is only tentative and hasn't been tested. This keeps people from
        # circumventing the logs by making their outer identity anonymous. This
        # script copies the inner identity to the outer identity; you can't
        # authenticate without the correct inner identity.
        PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"

        <AuthBy GROUP>
                # Continue to the next AuthBy only while each one accepts;
                # the first reject ends the chain.
                AuthByPolicy ContinueWhileAccept

                # Make sure MAC address is not blacklisted..
                <AuthBy FILE>
                        NoEAP
                        # Calling-Station-Id attribute is the user's MAC in this case.
                        AuthenticateAttribute Calling-Station-Id
                        AcceptIfMissing
                        Filename /etc/radiator/MacAddrBlacklist.txt
                </AuthBy>

                # Make sure USERNAME is not blacklisted..
                <AuthBy FILE>
                        NoEAP
                        AcceptIfMissing
                        Filename /etc/radiator/UsernameBlacklist.txt
                </AuthBy>

                # Authenticate against Active Directory (Samba ntlm_auth).
                <AuthBy NTLM>
                        Domain         AD
                        EAPType        PEAP, TTLS, MSCHAP-V2
                        EAPTLS_CAFile     /etc/radiator/certs/demoCA/cacert.pem
                        EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
                        EAPTLS_CertificateType PEM
                        EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
                        EAPTLS_PrivateKeyPassword whatever
                        AutoMPPEKeys
                </AuthBy>
        </AuthBy>
</Handler>
#PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"

# This logs to /var/log/radius/logfile
# Not really necessary, we have SQL logs.
<Log FILE>
        Filename logfile
</Log>




Thanks,
Michael

-- 
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
help at education.ucsb.edu
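As an added example (not code from the post, nor Radiator's own hooks or API), this Python mirrors the post's AuthBy GROUP chain (MAC blacklist, username blacklist, then authentication) with the machine-account stage the first question asks for, and runs the same check over constructed auth-log lines. The computer-account identity formats (host/fqdn, DOMAIN\name$, name$@realm) are assumptions from AD conventions, and the log-line format is constructed.

```python
import re

# Identity formats a Windows supplicant / AD uses for a computer account
# (assumed from AD conventions; nothing here is Radiator's own API):
#   host/pc01.ad.example.edu, AD\pc01$, pc01$@ad.example.edu
_MACHINE_PATTERNS = (
    re.compile(r"^host/", re.IGNORECASE),
    re.compile(r"^(?:[^\\/@]+\\)?[^\\/@]+\$(?:@[^\\/@]+)?$"),
)

# Constructed auth-log lines in an assumed 'User-Name=<id> result=<...>' format.
SAMPLE_LOG = [
    "User-Name=jsmith@ad.example.edu result=ACCEPT",
    "User-Name=host/pc01.ad.example.edu result=ACCEPT",
    "User-Name=AD\\pc02$ result=REJECT",
    "User-Name=anonymous result=ACCEPT",
]

def normalize_identity(user_name):
    """Lower-case (like the post's RewriteUsername) and strip DOMAIN\\ and @realm."""
    name = user_name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name and not name.startswith("host/"):
        name = name.rsplit("@", 1)[0]
    return name

def is_machine_account(user_name):
    """True if the RADIUS User-Name looks like an AD computer account."""
    return any(p.search(user_name.strip()) for p in _MACHINE_PATTERNS)

def policy_decision(user_name, calling_station_id, mac_blacklist, user_blacklist):
    """The post's ContinueWhileAccept chain plus a machine-account stage."""
    mac = re.sub(r"[^0-9a-f]", "", calling_station_id.lower())  # 00-11-.. -> 0011..
    if mac in mac_blacklist:
        return False, "mac-blacklisted"
    if normalize_identity(user_name) in user_blacklist:
        return False, "user-blacklisted"
    if is_machine_account(user_name):
        return False, "machine-account"
    return True, "user"

def audit_auth_log(lines):
    """Return normalized identities of accepted machine accounts in the log."""
    flagged = []
    for line in lines:
        m = re.search(r"User-Name=(\S+)\s+result=(\w+)", line)
        if m and m.group(2) == "ACCEPT" and is_machine_account(m.group(1)):
            flagged.append(normalize_identity(m.group(1)))
    return flagged
```

Blacklist sets are expected to hold already-normalized values (lower-case usernames without domain or realm, MACs as 12 hex digits), matching what RewriteUsername tr/A-Z/a-z/ produces for usernames.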
