[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

Heikki Vatiainen hvn at open.com.au
Tue May 6 15:15:33 CDT 2014


On 05/06/2014 10:22 PM, Michael Rodrigues wrote:

> I did end up putting the blacklist in the outer handler because all of 
> my attempts to grab the inner_identity within the Inner Handler for PEAP 
> would give me a blank string "". Looking at it, I'm not sure what I get 
> from having the separate Inner Handlers with the current config.

In many cases the outer Handler contains an AuthBy FILE that only
handles PEAP and TTLS outer authentication, that is, establishing the
TLS tunnel. Note that if the incoming request is not an EAP request,
this AuthBy will also try to authenticate the user. If non-EAP
authentication is not desired, this AuthBy FILE can reject the non-EAP
attempts.

In other words, having the separate inner handlers may make the
configuration clearly separate where the PEAP and TTLS inner
authentication happens and what is done to non-EAP requests.

This is not required though, and it is possible to use just one Handler
for outer and inner requests. Also, if required, a separate Handler can
be set up for non-EAP requests while a different Handler takes care of
EAP requests, handling both inner and outer requests.

I think your current configuration would try to authenticate plain PAP
against NTLM if such requests are received by Radiator.

Also, EAPType in the outer Handler's AuthBy NTLM could be just 'PEAP,
TTLS' since 'MSCHAP-V2' is processed by the other AuthBys in the
Handlers for tunnelled PEAP and TTLS.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
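
A sketch of the Handler layout described in the message above, as an added example that is not from the original post or from the Radiator distribution. File paths and the key password are placeholders, and it is an assumption that the outer users file contains no entry that would accept a plain (non-EAP) login.

```conf
# Added illustration; paths and the key password are placeholders.
# Radiator uses the first matching Handler, so the tunnelled (inner)
# Handlers are listed before the catch-all outer Handler.

# Inner PEAP requests: EAP-MSCHAP-V2 is checked via NTLM.
<Handler TunnelledByPEAP=1>
    <AuthBy NTLM>
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

# Inner TTLS requests: same check, kept separate so that the
# two tunnel types can be given different policy later.
<Handler TunnelledByTTLS=1>
    <AuthBy NTLM>
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

# Outer requests: this AuthBy only establishes the TLS tunnel.
# Because NTLM is not referenced here, a plain PAP request that
# reaches this Handler is never passed to NTLM.
<Handler>
    <AuthBy FILE>
        # Assumption: no entry in this file accepts a non-EAP login.
        Filename %D/users-outer

        # Only the tunnel types; MSCHAP-V2 belongs to the inner Handlers.
        EAPType PEAP, TTLS

        EAPTLS_CAFile %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/server-cert.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/server-key.pem
        EAPTLS_PrivateKeyPassword PLACEHOLDER
        AutoMPPEKeys
    </AuthBy>
</Handler>
```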

