[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

Heikki Vatiainen hvn at open.com.au
Wed Mar 26 16:35:09 CDT 2014


On 03/26/2014 07:33 PM, Michael Rodrigues wrote:

>  1. How do I allow only directory users to authenticate, while
>     preventing machine accounts from being authenticated?

Use a Handler to catch these:

<Handler User-Name=/^host\//>
   # AuthBy INTERNAL with reject here
</Handler>

should do the trick. I would also consider using a separate Handler for
inner and outer requests. See goodies/eap_peap.cfg for an example.

>  2. Will the eap_acct_username.pl prevent users from showing up as
>     'anonymous' in my accounting requests for all allowed types of auth?
>     (PEAP, TTLS, MSCHAP-V2)

This hook seems to return User-Name with Access-Accept to tell the NAS
to use this username for the subsequent Accounting-Requests. I'd
consider using a Hook, maybe PostAuthHook, in the inner Handler to write
the real username in the outer request's EAP context. When the final
Access-Accept is returned to the client, a PostAuthHook in the outer
Handler can set the User-Name. This could be done after the
authentication works otherwise.

>  3. Will disabling machine authentication have any effect on SSO so that
>     a user can login to a domain computer and automatically authenticate
>     to the wifi (assuming the proper GPOs are in place).

The recent Windows versions seem to have a number of possibilities to
choose which account, user or computer, does the wifi authentication.
However, I have not looked more closely how these settings work with
group policies. It would be interesting to hear how it works, so please
let us know if you decide to test it.

> Here's my configuration:

Remove DupInterval 0 if you have it with real RADIUS clients. It should
only be used for local loopback testing and it's not usually necessary
there either.

Thanks,
Heikki

> ##########                      ##########
> #####   Radiator Configuration       #####
> #########                       ##########
> 
> ##      Updated 03/26/14 mbr
> ##      Note this file is derived from pre-testing version provided by
> <mrodrigues
> 
> #This handler catches all "Accounting-Request" packets.
> #We only log Start and Stop accounting packets as Alive
> #packets are basically useless for our purposes. If you
> #would like to grab these packets, delete the "HandleAcctStatusTypes"
> #directive below, or edit as obviously necessary.
> 
> #<Handler Request-Type=Accounting-Request>
> 
> #<AuthBy SQL>
> #        DBSource        dbi:mysql:radius:127.0.0.1:3306
> #        DBUsername      radius
> #        DBAuth  xxx
> #HandleAcctStatusTypes Start,Stop
> # This statement inserts the accounting information into the SQL databasee.
> 
> #AcctSQLStatement insert into ggse_public values('%{Acct-Session-Id}','%{Framed-IP-Address}','%{User-Name}','%{Acct-Status-Type}','%{Extreme-SSID}','%{Connect-Info}','%{Acct-Delay-Time}','%{Timestamp}','%{Calling-Station-Id}',NULL);
> 
> # This will log messages from within the SQL insert statement
> 
> #<Log FILE>
> #Filename debug.config
> #</Log>
> 
> #</AuthBy>
> 
> #</Handler>
> 
> #below was added on 2/4/13 to catch ALL iterations of logins that are BlackListed.
> RewriteUsername         tr/A-Z/a-z/
> 
> #These are the IPs from which calls to the RADIUS server are allowed.
> 
> <Client 10.99.1.250>
>         Secret testing123
>         DupInterval 0
> </Client>
> 
> <Handler>
> #This is only tentative and hasn't been tested. This keeps people from
> #circumventing the logs by making their outer identity anonymous. This
> #script copies the inner identity to the outer identity; you can't
> #authenticate without the correct inner identity.
> PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"
> 
> <AuthBy GROUP>
> 
>     AuthByPolicy ContinueWhileAccept
>       
>      # Make sure MAC address is not blacklisted..
>         <AuthBy FILE>
>                 NoEAP
>                 # Calling-Station-Id attribute is the user's MAC in this case.
>                 AuthenticateAttribute Calling-Station-Id
>                 AcceptIfMissing
>                 Filename /etc/radiator/MacAddrBlacklist.txt
>         </AuthBy>
> 
>         # Make sure USERNAME is not blacklisted..
>         <AuthBy FILE>
>                 NoEAP
>                 AcceptIfMissing
>                 Filename /etc/radiator/UsernameBlacklist.txt
>         </AuthBy>
>    
>         <AuthBy NTLM>
>         Domain         AD
>         EAPType        PEAP, TTLS, MSCHAP-V2
>         EAPTLS_CAFile     /etc/radiator/certs/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         AutoMPPEKeys
>     </AuthBy>
> </AuthBy>
> </Handler>
> #PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"
> 
> #This logs to /var/log/radius/logfile
> #Not really necessary, we have SQL logs.
> <Log FILE>
> Filename logfile
> </Log>
> 
> Thanks,
> Michael
> 
> -- 
> Michael Rodrigues
> Technical Support Services Manager
> Gevirtz Graduate School of Education
> Education Building 4203
> (805) 893-8031
> help at education.ucsb.edu


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
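Added example, not taken from either post or from Radiator's own goodies: a Handler layout that puts the three pieces of advice above together (a reject-first Handler for machine accounts, separate inner and outer Handlers, no DupInterval 0). The Domain, EAP types and certificate paths are carried over from the quoted configuration; the hook file name in the comment is a placeholder, not a real Radiator file.

```apache
# Radiator tries Handlers in the order they appear and uses the first one
# whose check items match, so the machine-account Handler must come first.

# 1. Computer accounts present their identity as host/<computer-fqdn>.
#    Rejecting them here means the domain is never consulted for them.
<Handler User-Name=/^host\//>
        <AuthBy INTERNAL>
                DefaultResult REJECT
        </AuthBy>
</Handler>

# 2. Inner (tunnelled) requests carry the real user identity. Radiator
#    marks them with TunnelledByPEAP=1 or TunnelledByTTLS=1, so they can
#    be given their own Handler and authenticated with EAP-MSCHAP-V2.
<Handler TunnelledByPEAP=1>
        <AuthBy NTLM>
                Domain  AD
                EAPType MSCHAP-V2
                AutoMPPEKeys
        </AuthBy>
        # A PostAuthHook here is the place to record the inner User-Name
        # for the outer request, as suggested above. Placeholder name:
        # PostAuthHook file:"/etc/radiator/inner_username_hook.pl"
</Handler>

<Handler TunnelledByTTLS=1>
        <AuthBy NTLM>
                Domain  AD
                EAPType MSCHAP-V2
                AutoMPPEKeys
        </AuthBy>
</Handler>

# 3. Outer requests only set up the PEAP/TTLS tunnel; the outer identity
#    is typically "anonymous" and is not what gets authenticated.
<Handler>
        <AuthBy NTLM>
                Domain  AD
                EAPType PEAP, TTLS
                EAPTLS_CAFile             /etc/radiator/certs/demoCA/cacert.pem
                EAPTLS_CertificateFile    /etc/radiator/certs/cert-srv.pem
                EAPTLS_CertificateType    PEM
                EAPTLS_PrivateKeyFile     /etc/radiator/certs/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
                AutoMPPEKeys
        </AuthBy>
</Handler>

# Client definition without DupInterval 0: duplicate detection stays on
# for real RADIUS clients.
<Client 10.99.1.250>
        Secret testing123
</Client>
```

With this ordering, a request whose User-Name starts with host/ never reaches the NTLM lookup, while user requests pass the first Handler and are authenticated in the tunnelled Handler; the outer Handler handles only the TLS tunnel. The blacklist checks from the quoted configuration can be kept by placing them in front of the AuthBy NTLM inside an AuthBy GROUP in the tunnelled Handlers, exactly as in the original.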

