[RADIATOR] Extracting certificates info for EAP PEAP,TTLS,TLS
Christian Kratzer
ck-lists at cksoft.de
Tue Feb 24 06:43:12 CST 2015
Hi Sami,
On Tue, 24 Feb 2015, Sami Keski-Kasari wrote:
> Hello Christian,
>
> MSCHAPv2 is mutual authentication protocol where client requires
> response from server. If the server doesn't send correct response client
> will terminate connection.
> So server can not just decide to accept authentication like in PAP case.
> I think that it is not possible to build walled garden solution with
> that protocol.
Thanks. That makes sense. I forgot about the mutuality in CHAP.
Greetings
Christian
> If you use for example PEAP/GTC or EAP-TTLS/PAP you can use AuthBy GROUP
> to group sequences and use different policy inside them.
>
> for example like this:
>
> <Handler TunnelledByPEAP=1>
>     Identifier TunnelledByPEAP=1
>     AuthByPolicy ContinueWhileAccept
>     <AuthBy GROUP>
>         AuthByPolicy ContinueWhileReject
>         AuthBy SQLauthenticate
>         <AuthBy INTERNAL>
>             AuthHook sub {my $p = $_[0];\
>                 $p->add_attr('X-OSC-Auth-Status', 'Rejected');\
>                 return $main::ACCEPT}
>         </AuthBy>
>     </AuthBy>
>     AuthBy INTERNALextractFunnyStuffFromRequest
>     AuthBy SQLauthorize
> </Handler>
>
> In this example the inner AuthBy INTERNAL will change reject to accept
> and mark it with vendor specific attribute that you can use in later
> INTERNAL to determine if authentication was successful or not.
>
> Best Regards,
> Sami
>
> On 02/24/2015 01:12 PM, Christian Kratzer wrote:
>> Hi Sami,
>>
>> We made progress with our setup thanks to your previous tips.
>>
>> We now have the following setup, simplified a bit:
>>
>> <Handler TunnelledByPEAP=1>
>>     Identifier TunnelledByPEAP=1
>>     AuthByPolicy ContinueWhileAccept
>>     AuthBy SQLauthenticate
>>     AuthBy INTERNALextractFunnyStuffFromRequest
>>     AuthBy SQLauthorize
>> </Handler>
>>
>> <Handler>
>>     Identifier Outer
>>     AuthBy FILE
>> </Handler>
>>
>> The issue we are currently chasing is that the customer also wants
>> failed authentications to proceed into SQLauthorize so he can possibly
>> put people into a walled garden with specific reply attributes.
>>
>> The issue seems to be that when MS-CHAP2 fails in TunneledByPeap it
>> seems to kill the EAP session and authentication terminates.
>>
>> Subsequent packets are not forwarded to the tunneled handler by the
>> outer handler.
>>
>> Do you have a suggestion how to accomplish authorization after failed
>> CHAP authentication?
>>
>> Terveisin
>> Christian
>>
>
>
>
--
Christian Kratzer CK Software GmbH
Email: ck at cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
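Sami's example leaves the "later INTERNAL" unwritten: the AuthBy that looks at X-OSC-Auth-Status and decides what the client actually gets. The hook below is an added illustration of that piece, not code from this thread or from Radiator's own goodies. It assumes the usual Radiator hook conventions (the request packet is `$_[0]`, its reply packet is reachable as `$p->{rp}`, `get_attr`/`change_attr`/`getUserName` are the standard packet methods, `&main::log` and `$main::ACCEPT` are available) and that the hook is loaded with `AuthHook file:"..."` from an AuthBy INTERNAL placed after the GROUP; the VLAN names are placeholders.

```perl
# Added example, not part of the original thread or of Radiator.
# Intended use (assumption): save as walled-garden-hook.pl and reference it
# from an AuthBy INTERNAL that sits after the GROUP in the TunnelledByPEAP
# handler, e.g.  AuthHook file:"%D/walled-garden-hook.pl"
#
# Because the GROUP in the thread turns every inner reject into an Accept,
# this hook is the place where the real access decision is made: a request
# carrying X-OSC-Auth-Status=Rejected must only ever receive walled-garden
# reply attributes, never the attributes of a successfully authenticated user.
sub {
    my $p  = $_[0];        # assumption: request packet is the first argument
    my $rp = $p->{rp};     # assumption: reply packet under construction

    # Marker set by the inner AuthBy INTERNAL when SQLauthenticate rejected.
    # With ContinueWhileReject the marker is absent only when SQLauthenticate
    # accepted, so "absent" means the credentials were good.
    my $status = $p->get_attr('X-OSC-Auth-Status') // 'Accepted';
    my $user   = $p->getUserName();

    # Common 802.1X VLAN assignment attributes (RFC 2868 / RFC 3580).
    $rp->change_attr('Tunnel-Type',        'VLAN');
    $rp->change_attr('Tunnel-Medium-Type', 'IEEE-802');

    if ($status eq 'Rejected') {
        # Failed credentials: still Accept so the supplicant gets a link,
        # but only into the quarantine VLAN, with a short session so the
        # decision is re-evaluated once the user has fixed their account.
        $rp->change_attr('Tunnel-Private-Group-ID', 'WALLED_GARDEN_VLAN'); # placeholder
        $rp->change_attr('Session-Timeout', 600);
        $rp->change_attr('Reply-Message', 'Authentication failed: limited access');
        &main::log($main::LOG_INFO,
                   "walled garden for $user: inner authentication rejected");
        return $main::ACCEPT;
    }

    # Normal path: SQLauthenticate accepted the credentials.
    $rp->change_attr('Tunnel-Private-Group-ID', 'USER_VLAN');   # placeholder
    &main::log($main::LOG_DEBUG, "normal access for $user");
    return $main::ACCEPT;
}
```

The design point is that once a GROUP rewrites rejects into accepts, every AuthBy after it (including SQLauthorize) must branch on the marker rather than on the Access-Accept result, otherwise a failed login would be handed the same reply attributes as a good one. Checking it in a single hook that owns the VLAN attributes keeps that rule in one place, and the log line gives the RADIUS accounting trail a way to tell walled-garden accepts from real ones.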