[RADIATOR] Simple Question Regarding Realm Handling

Ullfig, Roberto Alfredo rullfig at uic.edu
Fri Jan 7 16:08:32 UTC 2022


Wait no that won't work. I assume Realm= is looking for everything after the @ symbol so how about this?

<Handler ConvertedFromEAPMSCHAPV2=1, Realm=/^\z|^uic\.edu\z/i>
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy SUSPEND>
                Dir /mnt/global/authinfo/campus_suspend
        </AuthBy>
        <AuthBy SUSPEND>
                Dir /mnt/global/authinfo/campus_delete
        </AuthBy>
        <AuthBy WIRELESS>
                Dir /mnt/global/authinfo/wireless
        </AuthBy>
        <AuthBy NTLM>
                DefaultDomain AD
        </AuthBy>
        <AuthLog SYSLOG>
                LogSuccess 1
                LogFailure 1
                Facility local0
                SuccessFormat %T : '%U' from %N mac=%{OuterRequest:Calling-Station-Id} -- Authentication OK
                FailureFormat %T : '%U' from %N mac=%{OuterRequest:Calling-Station-Id} -- Authentication FAILED
        </AuthLog>
</Handler>

<Handler ConvertedFromEAPMSCHAPV2=1>
         <AuthBy INTERNAL>
             DefaultResult REJECT
         </AuthBy>
</Handler>

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Ullfig, Roberto Alfredo <rullfig at uic.edu>
Sent: Friday, January 7, 2022 9:42 AM
To: Heikki Vatiainen <hvn at open.com.au>; radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Simple Question Regarding Realm Handling

So this is the full version - but I'm not sure on what follows Realm - I need to remove the outer ()?:

<Handler ConvertedFromEAPMSCHAPV2=1, Realm=/^([^@]*|\S*\@uic\.edu)\z/i>
...
        <AuthBy NTLM>
                UsernameMatchesWithoutRealm
                DefaultDomain AD
        </AuthBy>
...
</Handler>

<Handler ConvertedFromEAPMSCHAPV2=1>
         <AuthBy INTERNAL>
             DefaultResult REJECT
         </AuthBy>
</Handler>

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
Sent: Friday, January 7, 2022 9:22 AM
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Simple Question Regarding Realm Handling

On 7.1.2022 16.48, Ullfig, Roberto Alfredo wrote:

> Why would we need to do any rejections in TunnelledByPEAP=1? We have
> this in there:
>
>          <AuthBy FILE>
>                  EAPType MSCHAP-V2
>                  EAP_PEAP_MSCHAP_Convert 1
>          </AuthBy>
>
> So we need two Handler ConvertedFromEAPMSCHAPV2=1 then. One to handle
> uic.edu and empty realms (with a very fancy regexp) and then one to
> handle the rejection of other domains.

Thanks for the clarification. You're correct, in your case you can convert the
tunnelled EAP-MSCHAP-V2 requests to plain MSCHAP-V2 and then handle the
realms you are interested in and reject the rest.

To clarify my previous email for future reference: When handling
tunnelled and converted requests, always have a catch-all Handler that
makes sure that even the unexpected cases are correctly handled.

Thanks!
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
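
An added example (not from the thread and not Radiator code), written in Ruby because its regex engine accepts both Realm patterns from the thread unchanged: it models first-match Handler selection with a catch-all REJECT, assuming, as the first message does, that Realm= is tested against the text after the @. The names realm_of, route and report and the sample User-Names are constructed for illustration.

```ruby
# Added illustration; not Radiator code. The three patterns are copied from the thread.
REALM_V1 = /^([^@]*|\S*\@uic\.edu)\z/i   # earlier attempt, written as if for a full User-Name
REALM_V2 = /^\z|^uic\.edu\z/i            # revised attempt, written for the realm only
REWRITE  = /^([^@]+).*/                  # RewriteUsername s/^([^@]+).*/$1/

# Assumption: the realm is the text after the first "@", empty when there is none.
def realm_of(user_name)
  user_name.partition('@')[2]
end

# The first matching Handler wins; the second Handler is the catch-all REJECT.
def route(user_name, realm_pattern)
  if realm_pattern.match?(realm_of(user_name))
    { handler: :campus, auth_user: user_name.sub(REWRITE, '\1') }
  else
    { handler: :catch_all, result: :REJECT }
  end
end

# Constructed sample User-Names, including look-alike realms.
SAMPLES = ['jdoe', 'jdoe@uic.edu', 'JDoe@UIC.EDU', 'jdoe@example.org',
           'jdoe@uic.edu.example.org', 'jdoe@notuic.edu'].freeze

# Routing decision for every sample under one Realm pattern.
def report(realm_pattern)
  SAMPLES.map { |user| [user, route(user, realm_pattern)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  { 'earlier' => REALM_V1, 'revised' => REALM_V2 }.each do |name, pattern|
    puts "Realm pattern (#{name}): #{pattern.source}"
    report(pattern).each { |user, r| puts format('  %-26s %s', user, r) }
  end
end
```

Under that assumption the earlier pattern sends every sample to the first Handler, because a realm never contains an @ and therefore always matches `[^@]*`. The revised pattern admits only the empty realm and uic.edu, so the look-alike realms fall through to the catch-all.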