On 5/6/14, 1:15 PM, Heikki Vatiainen wrote:
> On 05/06/2014 10:22 PM, Michael Rodrigues wrote:
>
>> I did end up putting the blacklist in the outer handler because all of
>> my attempts to grab the inner_identity within the Inner Handler for PEAP
>> would give me a blank string "". Looking at it, I'm not sure what I get
>> from having the separate Inner Handlers with the current config.
>
> In many cases the outer Handler contains an AuthBy FILE that only
> handles PEAP and TTLS outer authentication, that is, establishing the
> TLS tunnel. Note that if the incoming request is not an EAP request,
> this AuthBy will also try to authenticate the user. If non-EAP
> authentication is not desired, this AuthBy FILE can reject the non-EAP
> attempts.
>

I would like to REJECT any non-EAP in the outer handler. I've tried to rearrange things to have only AuthBy FILE in the outer handler, having AuthBy NTLM only in each inner handler. This would also (I think) require me to move my AuthBy INTERNAL to each inner handler so that it can get inner_identity once it is unpacked after AuthBy NTLM. After this I would AuthBy FILE for blacklist.
However, I can't seem to get my outer handler to drop non-EAP requests:
(There's another TunnelledByEAP handler but it's otherwise identical to the PEAP one)

<Handler TunnelledByPEAP=1>
	<AuthBy GROUP>
		AuthByPolicy ContinueWhileAccept
		<AuthBy NTLM>
			NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
			Domain AD
			EAPType MSCHAP-V2
			AutoMPPEKeys
		</AuthBy>
		<AuthBy INTERNAL>
			Identifier FixUserNameForBlacklist
			# Get inner_identity after it is exported to the Reply, then use it
			# to set the Request User-Name
			RequestHook sub { my $rq = $_[0]; my $rp = $_[1]; \
				$rq->changeUserName($rp->{inner_identity}); \
				&main::log($main::LOG_DEBUG, "Changed Request User-Name to $rp->{inner_identity} from Reply inner_identity"); \
				return $main::ACCEPT; }
		</AuthBy>
		<AuthBy FILE>
			NoEAP
			Identifier CheckUserBlacklistPEAPInner
			AcceptIfMissing
			Filename /etc/radiator/UsernameBlacklist.txt
		</AuthBy>
	</AuthBy>
</Handler>

<Handler>
	Identifier OuterHandler
	AuthByPolicy ContinueWhileAccept
	# Make sure MAC address is not blacklisted..
	<AuthBy FILE>
		NoEAP
		Identifier CheckMacAddressBlacklist
		# Calling-Station-Id attribute is the user's MAC in this case.
		AuthenticateAttribute Calling-Station-Id
		AcceptIfMissing
		Filename /etc/radiator/MacAddrBlacklist.txt
	</AuthBy>
	<AuthBy FILE>
		Identifier OuterTunnelAuth
		EAPType PEAP,TTLS
		EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
		EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
	</AuthBy>
	# If Reply is Access-Accept, send User-Name from inner_identity for logging, session table.
	PostProcessingHook file:"goodies/eap_acct_username_mod.pl"
</Handler>

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
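Editor's added example (not part of the original post or of Radiator's own goodies): one way to make the outer Handler see EAP traffic only, so that the outer AuthBy FILE never has to decide what to do with a PAP, CHAP or plain MS-CHAP request. It relies on two assumptions that should be checked against the Radiator reference manual for the version in use: that a Handler can be selected on an attribute regex (<Handler Attribute=/regex/>, as the original config already does with TunnelledByPEAP=1), and that AuthBy INTERNAL accepts DefaultResult/AuthResult. The certificate paths are copied from the post; the empty users file and the Handler identifiers are placeholders.

```apacheconf
# Inner (tunnelled) Handlers must stay ABOVE these two, because Radiator
# walks Handlers in config order and takes the first match. An inner
# PEAP request also carries EAP-Message, so it would otherwise be caught
# by the EAP-only outer Handler below.

# Outer Handler: selected only when the request carries an EAP-Message
# attribute (assumption: regex Handler selection). Non-EAP requests never
# reach the AuthBy FILE that terminates the TLS tunnel.
<Handler EAP-Message=/./>
	Identifier OuterHandlerEAPOnly
	AuthByPolicy ContinueWhileAccept

	# MAC blacklist check, as in the original config.
	<AuthBy FILE>
		NoEAP
		Identifier CheckMacAddressBlacklist
		AuthenticateAttribute Calling-Station-Id
		AcceptIfMissing
		Filename /etc/radiator/MacAddrBlacklist.txt
	</AuthBy>

	# Tunnel establishment only. Filename points at an empty file
	# (placeholder) so that, should a non-EAP request ever get here,
	# there is no user to match and the result is a REJECT, which is
	# the behaviour Heikki describes for AuthBy FILE.
	<AuthBy FILE>
		Identifier OuterTunnelAuth
		EAPType PEAP,TTLS
		EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
		EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
		Filename /etc/radiator/no-users.txt
	</AuthBy>

	PostProcessingHook file:"goodies/eap_acct_username_mod.pl"
</Handler>

# Catch-all Handler: everything without an EAP-Message (PAP, CHAP,
# MS-CHAP outside a tunnel) lands here and is rejected outright.
# Assumption: AuthBy INTERNAL's DefaultResult/AuthResult parameters.
<Handler>
	Identifier RejectNonEAP
	<AuthBy INTERNAL>
		DefaultResult REJECT
		AuthResult REJECT
	</AuthBy>
</Handler>
```

Verify the split by sending one PAP Access-Request and one EAP-Identity Access-Request with radpwtst and watching which Handler each one is logged against at trace level 4; if the PAP request still shows OuterHandlerEAPOnly, the regex selection assumption does not hold for that Radiator version and the catch-all will never be reached.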