[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

Michael Rodrigues mrodrigues at education.ucsb.edu
Tue May 13 15:15:35 CDT 2014


On 5/6/14, 1:15 PM, Heikki Vatiainen wrote:
> On 05/06/2014 10:22 PM, Michael Rodrigues wrote:
>
>> I did end up putting the blacklist in the outer handler because all of
>> my attempts to grab the inner_identity within the Inner Handler for PEAP
>> would give me a blank string "". Looking at it, I'm not sure what I get
>> from having the separate Inner Handlers with the current config.
> In many cases the outer Handler contains an AuthBy FILE that only
> handles PEAP and TTLS outer authentication, that is, establishing the
> TLS tunnel. Note that if the incoming request is not an EAP request,
> this AuthBy will also try to authenticate the user. If non-EAP
> authentication is not desired, this AuthBy FILE can reject the non-EAP
> attempts.
>
>
I would like to REJECT any non-EAP in the outer handler. I've tried to rearrange things to have only AuthBy FILE in the outer handler, having AuthBy NTLM only in each inner handler. This would also (I think) require me to move my AuthBy INTERNAL to each inner handler so that it can get inner_identity once it is unpacked after AuthBy NTLM. After this I would AuthBy FILE for blacklist.

However, I can't seem to get my outer handler to drop non-EAP requests:

(There's another TunnelledByEAP handler but it's otherwise identical to 
the PEAP one)

<Handler TunnelledByPEAP=1>
        <AuthBy GROUP>
                AuthByPolicy ContinueWhileAccept

                <AuthBy NTLM>
                        NtlmAuthProg    /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
                        Domain          AD
                        EAPType         MSCHAP-V2
                        AutoMPPEKeys
                </AuthBy>
                <AuthBy INTERNAL>
                        Identifier      FixUserNameForBlacklist
                        # Get inner_identity after it is exported to the Reply, then use it to set the Request User-Name
                        RequestHook sub { my $rq = $_[0]; my $rp = $_[1]; $rq->changeUserName($rp->{inner_identity}); &main::log($main::LOG_DEBUG, "Changed Request User-Name to $rp->{inner_identity} from Reply inner_identity"); return $main::ACCEPT;}
                </AuthBy>

                <AuthBy FILE>
                        NoEAP
                        Identifier CheckUserBlacklistPEAPInner
                        AcceptIfMissing
                        Filename /etc/radiator/UsernameBlacklist.txt
                </AuthBy>
        </AuthBy>
</Handler>

<Handler>
        Identifier OuterHandler

        AuthByPolicy ContinueWhileAccept

        # Make sure MAC address is not blacklisted..
        <AuthBy FILE>
                NoEAP
                Identifier CheckMacAddressBlacklist
                # Calling-Station-Id attribute is the user's MAC in this case.
                AuthenticateAttribute Calling-Station-Id
                AcceptIfMissing
                Filename /etc/radiator/MacAddrBlacklist.txt
        </AuthBy>

        <AuthBy FILE>
                Identifier OuterTunnelAuth
                EAPType PEAP,TTLS
                EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
                EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
        </AuthBy>

        # If Reply is Access-Accept, send User-Name from inner_identity for logging, session table.
        PostProcessingHook file:"goodies/eap_acct_username_mod.pl"
</Handler>
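An added example (editor's own code, not the poster's nor Radiator's) of the two blacklist checks the config above delegates to AuthBy FILE, written as plain Perl so it can be read next to the RequestHook: the Calling-Station-Id is normalised before lookup, because AuthBy FILE matches the literal string and NASes send MACs in several spellings. Blacklist entries and request values are constructed sample data; the file names mentioned in comments are the poster's, the function names are assumptions.

```perl
#!/usr/bin/perl
# Added example: inner-identity and Calling-Station-Id blacklist checks.
# Stand-alone script; the sample lists below are constructed, not the real
# /etc/radiator/UsernameBlacklist.txt or /etc/radiator/MacAddrBlacklist.txt.
use strict;
use warnings;

# Canonicalise a MAC as carried in Calling-Station-Id to 12 lowercase hex
# digits. NASes send 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc, 0011.22aa.bbcc or
# bare hex; a literal-string file lookup would miss all but one spelling.
sub normalize_mac {
    my ($raw) = @_;
    return unless defined $raw;
    (my $hex = lc $raw) =~ s/[^0-9a-f]//g;
    return length($hex) == 12 ? $hex : undef;
}

# Build a lookup hash from blacklist lines; '#' comments and blanks ignored.
# MAC entries are normalised the same way as incoming values.
sub build_blacklist {
    my ($lines, $is_mac) = @_;
    my %set;
    for my $entry (@$lines) {
        (my $line = $entry) =~ s/#.*//;
        $line =~ s/^\s+|\s+$//g;
        next if $line eq '';
        my $key = $is_mac ? normalize_mac($line) : lc $line;
        $set{$key} = 1 if defined $key;
    }
    return \%set;
}

# Decide on a request: 1 = accept, 0 = reject. Same order as the config:
# MAC blacklist (outer handler) first, then the inner identity (inner handler).
sub check_request {
    my ($inner_identity, $calling_station_id, $user_bl, $mac_bl) = @_;
    my $mac = normalize_mac($calling_station_id);
    return 0 if defined $mac && $mac_bl->{$mac};
    return 0 if defined $inner_identity && $user_bl->{lc $inner_identity};
    return 1;    # AcceptIfMissing: anything not listed is accepted
}

# Constructed sample blacklists and requests.
my $users = build_blacklist(['AD\\labpc01$   # sample machine account', 'guest'], 0);
my $macs  = build_blacklist(['00-11-22-AA-BB-CC'], 1);

for my $case (['AD\\jdoe', '00:11:22:aa:bb:cc'],      # listed MAC
              ['AD\\LABPC01$', '0011.22dd.eeff'],     # listed identity
              ['AD\\jdoe', '0011.22dd.eeff']) {       # neither listed
    printf "%-14s %-18s -> %s\n", @$case,
        check_request(@$case, $users, $macs) ? 'accept' : 'reject';
}
```

The user-name comparison is case-insensitive because NTLM/AD treats account names that way; drop the `lc` if the blacklist is meant to be exact.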
