[RADIATOR] Simple Question Regarding Realm Handling

Ullfig, Roberto Alfredo rullfig at uic.edu
Fri Jan 7 14:48:41 UTC 2022 

Why would we need to do any rejections in TunnelledByPEAP=1? We have this in there:

        <AuthBy FILE>
                EAPType MSCHAP-V2
                EAP_PEAP_MSCHAP_Convert 1
        </AuthBy>

So we need two Handler ConvertedFromEAPMSCHAPV2=1 then. One to handle uic.edu and empty realms (with a very fancy regexp) and then one to handle the rejection of other domains.

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
Sent: Friday, January 7, 2022 7:29 AM
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Simple Question Regarding Realm Handling

On 6.1.2022 17.37, Ullfig, Roberto Alfredo wrote:

> We are now using UsernameMatchesWithoutRealm whereas before we required
> the domain not be included.
>
> <Handler ConvertedFromEAPMSCHAPV2=1>
> ...
>          <AuthBy NTLM>
>                  UsernameMatchesWithoutRealm
>                  DefaultDomain AD
>          </AuthBy>
>
> But I believe this will strip remote domains as well - so someone could
> enter a remote domain and it would still work (as long as they have an
> account locally of course).

Yes, I think that would happen. It would look odd in the logs, but would
require a valid local account for which the user knows the credentials,
as you wrote.

> Would adding a new handler above like the
> following fix this?
>
> <Handler ConvertedFromEAPMSCHAPV2=1 Realm=/^(?:.+\.)*uic\.edu$/i>

Syntax: Add a comma and a minor regexp update to match absolute line end:

<Handler ConvertedFromEAPMSCHAPV2=1, Realm=/^(?:.+\.)*uic\.edu\z/i>

> ...
>          <AuthBy NTLM>
>                  UsernameMatchesWithoutRealm
>                  DefaultDomain AD
>          </AuthBy>
>
> We want to allow both username and username at uic.edu - but not accept
> something like username at usa.gov.

I'd say the regexp wouldn't match realmless username, but something like
this should do it. See and try with the tester below:

Simplified version (it drops ?:):   ^(|(.+\.)*uic\.edu)\z

#!/usr/bin/env perl
use strict;
use warnings;

# match empty, 'something.uic.edu' and 'uic.edu'
print "match\n" if ($ARGV[0] =~ m/^(?:|(?:.+\.)*uic\.edu)\z/i);



I strongly recommended following the realms with this additional Handler
that grounds the rest of the converted requests:

<Handler ConvertedConvertedFromEAPMSCHAPV2=1>
     <AuthBy INTERNAL>
         DefaultResult REJECT
     </Handler>
</Handler>

This makes sure that realms such as 'example.com' get processed and
rejected.



Related to this: If there are also multiple <Handler TunnelledByPEAP=1,
...> instances, in this case there should be similar catch-all handler:

<Handler TunnelledByPEAP=1>
     <AuthBy FILE>
         EAPType ...
         Filename /dev/null
     </AuthBy>
<Handler>

This makes sure that EAP gets started when username and realm is not
known yet (the first EAP message) but it will never allows
authenticating PEAP tunnelled requests the other Handlers haven't matched.


To summarise how handle all converted and tunnelled requests:


<Handler ConvertedFromEAPMSCHAPV2=1, Realm=something>
     # Authenticate something
</Handler>

<Handler ConvertedFromEAPMSCHAPV2=1, Realm=somethingelse>
     # Authenticate somethingelse
</Handler>

# Unexpected realm: reject
<Handler ConvertedFromEAPMSCHAPV2=1>
     # No EAP here, can reject with INTERNAL
     <AuthBy INTERNAL>
         DefaultResult REJECT
     </Handler>
</Handler>



<Handler TunnelledByPEAP=1, Realm=something>
     # Authenticate something
</Handler>

<Handler TunnelledByPEAP=1, Realm=somethingelse>
     # Authenticate somethingelse
</Handler>

# Initial EAP message with no no EAP identity/username
# known yet, initiate desired inner EAP; or
# If not initial EAP message: it's an unexpected realm: reject
<Handler TunnelledByPEAP=1>
     <AuthBy FILE>
         EAPType EAP-MSCHAP-V2
         Filename /dev/null
     </Handler>
</Handler>


--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
radiator at lists.open.com.au
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.open.com.au%2Fmailman%2Flistinfo%2Fradiator&data=04%7C01%7Crullfig%40uic.edu%7C9cfe41c790d74ed4f9d508d9d1e1c936%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637771590211444328%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=DI4Dhi5RcK5sJwjn0P%2FsWiEpywSe%2BcQJA2GM7JSMR5U%3D&reserved=0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20220107/2ff24c5f/attachment-0001.html>

More information about the radiator mailing list