[RADIATOR] Extracting certificates info for EAP PEAP,TTLS,TLS

Sami Keski-Kasari samikk at open.com.au
Tue Feb 24 06:36:37 CST 2015 

Hello Christian,

MSCHAPv2 is mutual authentication protocol where client requires
response from server. If the server doesn't send correct response client
will terminate connection.
So server can not just decide to accept authentication like in PAP case.
I think that it is not possible to build walled garden solution with
that protocol.

If you use for example PEAP/GTC or EAP-TTLS/PAP you can use AuthBy GROUP
to group sequences and use different policy inside them.

for example like this:

<Handler TunnelledByPEAP=1>
         Identifier TunnelledByPEAP=1
         AuthByPolicy ContinueWhileAccept
	 <AuthBy GROUP>
             AuthByPolicy ContinueWhileReject
             AuthBy SQLauthenticate
	     <AuthBy INTERNAL>
		AuthHook sub {my $p = $_[0];\
                       $p->add_attr('X-OSC-Auth-Status', 'Rejected');\
                       return $main::ACCEPT}
             </AuthBy>
         </AuthBy>
         AuthBy INTERNALextractFunnyStuffFromRequest
         AuthBy SQLauthorize
</Handler>

In this example the inner AuthBy INTERNAL will change reject to accept
and mark it with vendor specific attribute that you can use in later
INTERNAL to determine if authentication was successful or not.

Best Regards,
 Sami

On 02/24/2015 01:12 PM, Christian Kratzer wrote:
> Hi Sami,
> 
> We made progress with our setup thanks to your previous tips.
> 
> We now have following setup simplyfied a bit:
> 
>     <Handler TunnelledByPEAP=1>
>         Identifier TunnelledByPEAP=1
>         AuthByPolicy ContinueWhileAccept
>         AuthBy SQLauthenticate
>         AuthBy INTERNALextractFunnyStuffFromRequest
>         AuthBy SQLauthorize
>     </Handler>
> 
>     <Handler>
>         Identifier Outer
>         AuthBy FILE
>     </Handler>
> 
> the issue we are currently chasing is that the customer also wants
> failed authentications to proceed into SQLauthorize so he can possible
> put people into a walled garden with specific reply attributes.
> 
> The issue seems to be that when MS-CHAP2 fails in TunneledByPeap it
> seems to kill the EAP session and authentication terminates.
> 
> Subsequent packets are not forwarded to the tunneled handler by the
> outer handler.
> 
> Do you have a suggestion how to accomplish authorization after failed
> chap authentication.
> 
> Terveisin
> Christian
> 


-- 
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list