On 12/09/2011 12:15 AM, Joy Veronneau wrote:
> But if I do that, I will still have to have the names of the machines in
> the tls_anon file, wouldn't I?

Good point, I overlooked that part. Please see ref.pdf section "5.20.46 EAPTLS_NoCheckId". You can turn off the name check.

Thanks!
Heikki

> Thanks,
>
> Joy
>
> On 12/8/11 5:07 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:
>
>> On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>>
>> Hello Joy,
>>
>>> I am still working on my machine based authentication config.
>>>
>>> Config1 (below) works fine but requires that the names of the machines be
>>> listed in the file tls_anon.
>>
>> Try with something like this:
>>
>> <Handler ...>
>>     AuthByPolicy ContinueWhileAccept
>>     AuthBy file-tls
>>     AuthBy external-adcert
>> </Handler>
>>
>> With the above EAP-TLS will run first and when it is done and returns
>> ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
>> of the whole authentication process.
>>
>> Please let us know of your results
>>
>>> I need to modify this config so that I do not need to maintain a list of
>>> host names on the radiator server and so that I can execute an external
>>> script that formats a Filter-Id for a VLAN name to return with the
>>> ACCEPT.
>>> I thought this would be pretty straightforward, see config2 below. The
>>> problem is that just this minor change causes the client to hang or
>>> something during the negotiation. Once the accept is sent, nothing else
>>> happens - we've verified this looking at the traffic on the AP. I've
>>> included a debug log as well.
>>>
>>> I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong
>>> or I just can't use AuthBy EXTERNAL in combination with TLS?
>>>
>>> TIA,
>>> Joy
>>>
>>> -------
>>> config1: (works if names of computers are in tls_anon file)
>>>
>>> <AuthBy FILE>
>>>     Identifier TLS
>>>     Filename %D/tls_anon
>>>     EAPType TLS
>>>     EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
>>>     EAPTLS_CertificateFile /app/radius/keys/agate1.pem
>>>     EAPTLS_CertificateType PEM
>>>     EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
>>>     EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
>>>     EAPTLS_MaxFragmentSize 1000
>>>     AutoMPPEKeys
>>> </AuthBy>
>>>
>>> <AuthBy EXTERNAL>
>>>     Identifier ADCERT
>>>     Command /app/radius/scripts/authby.ADCERT (looks up VLAN and returns Filter-Id)
>>> </AuthBy>
>>>
>>> <AuthBy GROUP>
>>>     Identifier dot1x_tls
>>>     AuthByPolicy ContinueWhileAccept
>>>     AuthBy TLS
>>> </AuthBy>
>>>
>>> <Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
>>>     AuthByPolicy ContinueAlways
>>>     RewriteUsername s/^host\///
>>>     AuthBy dot1x_tls
>>>     AuthBy ADCERT
>>>     AcctLogFileName %L/%y%m%d-eduroam.log
>>> </Handler>
>>> ------------
>>> config2 (doesn't work. see log below.)
>>>
>>> #<AuthBy FILE>
>>> <AuthBy EXTERNAL>
>>>     Identifier TLS
>>>     # Filename %D/tls_anon
>>>     EAPType TLS
>>>     EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
>>>     EAPTLS_CertificateFile /app/radius/keys/agate1.pem
>>>     EAPTLS_CertificateType PEM
>>>     EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
>>>     EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
>>>     EAPTLS_MaxFragmentSize 1000
>>>     Command /app/radius/scripts/authby.ADCERT
>>>     AutoMPPEKeys
>>> </AuthBy>
>>>
>>> <AuthBy GROUP>
>>>     Identifier dot1x_tls
>>>     AuthByPolicy ContinueWhileAccept
>>>     AuthBy TLS
>>> </AuthBy>
>>>
>>> <Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
>>>     AuthByPolicy ContinueAlways
>>>     RewriteUsername s/^host\///
>>>     AuthBy dot1x_tls
>>>     # AuthBy ADCERT
>>>     AcctLogFileName %L/%y%m%d-eduroam.log
>>>     AuthLog QRadar_WIRELESS
>>> </Handler>
>>>
>>> -----------
>>>
>>> the debug log
>>>
>>> *** Received from 132.236.115.218 port 33004 ....
>>> Code: Access-Request
>>> Identifier: 186
>>> Authentic: <201><217><161><218><164><173>b<229><24><147><163>G#<30>]<179>
>>> Attributes:
>>>     User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
>>>     NAS-IP-Address = 132.236.115.218
>>>     NAS-Port = 1
>>>     NAS-Identifier = "cit.redrover.secure"
>>>     NAS-Port-Type = Wireless-IEEE-802-11
>>>     Calling-Station-Id = "0014D1EA856B"
>>>     Called-Station-Id = "000B866222B0"
>>>     Service-Type = Login-User
>>>     Framed-MTU = 1100
>>>     EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
>>>     Aruba-Essid-Name = "eduroam-test"
>>>     Aruba-Location-Id = "test-rhodes-745-ap"
>>>     Message-Authenticator = <139><149>3<145><153>Z<4><192><210>[,<170>g<15><21>p
>>>
>>> Wed Dec 7 16:32:46 2011: DEBUG: Handling request with Handler 'Aruba-Essid-Name="eduroam-test", User-Name = /^host/i', Identifier ''
>>> Wed Dec 7 16:32:46 2011: DEBUG: Rewrote user name to CIT-JV11GTEST2.cit.cornell.edu
>>> Wed Dec 7 16:32:46 2011: DEBUG: Deleting session for host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
>>> Wed Dec 7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
>>> Wed Dec 7 16:32:46 2011: DEBUG: Running command: /app/radius/scripts/authby.ADCERT
>>> Wed Dec 7 16:32:46 2011: DEBUG: External command exited with status 0
>>> Wed Dec 7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
>>> Wed Dec 7 16:32:46 2011: DEBUG: Access accepted for CIT-JV11GTEST2.cit.cornell.edu
>>> Wed Dec 7 16:32:46 2011: DEBUG: Packet dump:
>>> *** Sending to 132.236.115.218 port 33004 ....
>>> Code: Access-Accept
>>> Identifier: 186
>>> Authentic: <234><162><3>*<215><25><250>&<21>t<149><129>><168><202><204>
>>> Attributes:
>>>     Filter-Id = "eduroam-correct"
>>>
>>> (That's all that's in the logs...)
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator@open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>> --
>> Heikki Vatiainen <h...@open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.
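As an added example (not the thread's authby.ADCERT, whose contents are not shown), a Python stand-in for the AuthBy EXTERNAL command that maps an already-authenticated machine name to a VLAN Filter-Id. It exists to make the ordering point concrete: the script never sees a certificate, so it belongs after the EAP-TLS AuthBy under ContinueWhileAccept as suggested in the reply above, not in its place as in config2, where the debug log shows the command returning ACCEPT with no TLS exchange at all. It assumes Radiator's AuthBy EXTERNAL convention of request attributes on stdin as `Name = "value"` lines, reply attributes read back from stdout in the same form, and exit status 0 for ACCEPT and 1 for REJECT; the host-to-VLAN table is constructed.

```python
#!/usr/bin/env python3
"""Hypothetical stand-in for /app/radius/scripts/authby.ADCERT (added example).

Assumed AuthBy EXTERNAL contract: request attributes arrive on stdin as
'Name = "value"' lines, reply attributes go to stdout in the same form,
and the exit status is the result (0 = ACCEPT, 1 = REJECT).
"""
import re
import sys

# Constructed host -> VLAN table; a real script would query AD or a database.
VLAN_BY_HOST = {"cit-jv11gtest2.cit.cornell.edu": "eduroam-correct"}

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_attrs(text):
    """Parse Radiator-style 'Name = value' lines into a dict (last value wins)."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def decide(text):
    """Return (exit_status, reply_lines) for one request.

    Only a VLAN lookup happens here; nothing verifies a certificate, so the
    script must run after the EAP-TLS AuthBy has returned ACCEPT
    (AuthByPolicy ContinueWhileAccept), never instead of it.
    """
    name = parse_attrs(text).get("User-Name", "")
    # The Handler's RewriteUsername s/^host\/// normally strips the prefix;
    # tolerate it anyway and compare case-insensitively.
    host = re.sub(r"^host/", "", name, flags=re.IGNORECASE).lower()
    vlan = VLAN_BY_HOST.get(host)
    if vlan is None:
        return 1, []  # unknown machine: REJECT rather than a default VLAN
    return 0, ['Filter-Id = "%s"' % vlan]


if __name__ == "__main__":
    status, reply = decide(sys.stdin.read())
    for line in reply:
        print(line)
    sys.exit(status)
```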