On 04/21/2014 11:15 PM, Michael Rodrigues wrote:

> So if I have three AuthBys in the outer Handler (INTERNAL first for
> renaming, then two FILEs for checking MAC address and Username) am I
> correct in assuming that the two AuthBy FILEs will be operating on the
> request as altered by the initial AuthBy INTERNAL?


Yes, that is correct. Any modifications to request or reply objects are visible to the subsequent AuthBys.

> I made the suggested modification to the hook and it appears to execute,
> however, it seems to be replacing the username with a blank string ("")
> during Access-Challenge, and the subsequent AuthBy FILE sections are
> still using the "anonymous outer identity" when checking against the
> blacklist files I have.

Looking at the configuration you sent previously, I'd say the real inner identity is available once the inner authentication has completed the EAP Identity exchange. That is, there are a number of requests and responses to get the TLS tunnel working; after that, the real identity is sent by the peer over the TLS tunnel. When that has happened, you should see the real identity.

It might also be worth considering doing the blacklisting with the inner Handler. If you use the outer Handler, it will eventually see the inner identity, but with the inner Handler, it will not need to query the blacklists for all requests, just the inner requests.

You might want to search for 'Tunnelled' to see what the inner requests look like and if they would be more useful for implementing blacklisting based on usernames (EAP inner identity). MAC address based blacklisting could be in the outer Handler since the MAC is not included in the inner auth information.

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>