Hi, I am still working on my machine-based authentication config.

Config1 (below) works fine but requires that the names of the machines be listed in the file tls_anon. I need to modify this config so that I do not need to maintain a list of host names on the radiator server and so that I can execute an external script that formats a Filter-Id for a VLAN name to return with the ACCEPT. I thought this would be pretty straightforward, see config2 below. The problem is that just this minor change causes the client to hang or something during the negotiation. Once the accept is sent, nothing else happens - we've verified this looking at the traffic on the AP. I've included a debug log as well. I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong or I just can't use AuthBy EXTERNAL in combination with TLS?

TIA,
Joy

-------
config1: (works if names of computers are in tls_anon file)

<AuthBy FILE>
	Identifier TLS
	Filename %D/tls_anon
	EAPType TLS
	EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
	EAPTLS_CertificateFile /app/radius/keys/agate1.pem
	EAPTLS_CertificateType PEM
	EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
	EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
	EAPTLS_MaxFragmentSize 1000
	AutoMPPEKeys
</AuthBy>

<AuthBy EXTERNAL>
	Identifier ADCERT
	# looks up VLAN and returns Filter-Id
	Command /app/radius/scripts/authby.ADCERT
</AuthBy>

<AuthBy GROUP>
	Identifier dot1x_tls
	AuthByPolicy ContinueWhileAccept
	AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
	AuthByPolicy ContinueAlways
	RewriteUsername s/^host\///
	AuthBy dot1x_tls
	AuthBy ADCERT
	AcctLogFileName %L/%y%m%d-eduroam.log
</Handler>

------------
config2 (doesn't work. see log below.)

#<AuthBy FILE>
<AuthBy EXTERNAL>
	Identifier TLS
#	Filename %D/tls_anon
	EAPType TLS
	EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
	EAPTLS_CertificateFile /app/radius/keys/agate1.pem
	EAPTLS_CertificateType PEM
	EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
	EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
	EAPTLS_MaxFragmentSize 1000
	Command /app/radius/scripts/authby.ADCERT
	AutoMPPEKeys
</AuthBy>

<AuthBy GROUP>
	Identifier dot1x_tls
	AuthByPolicy ContinueWhileAccept
	AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
	AuthByPolicy ContinueAlways
	RewriteUsername s/^host\///
	AuthBy dot1x_tls
#	AuthBy ADCERT
	AcctLogFileName %L/%y%m%d-eduroam.log
	AuthLog QRadar_WIRELESS
</Handler>

-----------
the debug log

*** Received from 132.236.115.218 port 33004 ....
Code: Access-Request
Identifier: 186
Authentic: <201><217><161><218><164><173>b<229><24><147><163>G#<30>]<179>
Attributes:
	User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
	NAS-IP-Address = 132.236.115.218
	NAS-Port = 1
	NAS-Identifier = "cit.redrover.secure"
	NAS-Port-Type = Wireless-IEEE-802-11
	Calling-Station-Id = "0014D1EA856B"
	Called-Station-Id = "000B866222B0"
	Service-Type = Login-User
	Framed-MTU = 1100
	EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
	Aruba-Essid-Name = "eduroam-test"
	Aruba-Location-Id = "test-rhodes-745-ap"
	Message-Authenticator = <139><149>3<145><153>Z<4><192><210>[,<170>g<15><21>p

Wed Dec 7 16:32:46 2011: DEBUG: Handling request with Handler 'Aruba-Essid-Name="eduroam-test", User-Name = /^host/i', Identifier ''
Wed Dec 7 16:32:46 2011: DEBUG: Rewrote user name to CIT-JV11GTEST2.cit.cornell.edu
Wed Dec 7 16:32:46 2011: DEBUG: Deleting session for host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
Wed Dec 7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
Wed Dec 7 16:32:46 2011: DEBUG: Running command: /app/radius/scripts/authby.ADCERT
Wed Dec 7 16:32:46 2011: DEBUG: External command exited with status 0
Wed Dec 7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
Wed Dec 7 16:32:46 2011: DEBUG: Access accepted for CIT-JV11GTEST2.cit.cornell.edu
Wed Dec 7 16:32:46 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004 ....
Code: Access-Accept
Identifier: 186
Authentic: <234><162><3>*<215><25><250>&<21>t<149><129>><168><202><204>
Attributes:
	Filter-Id = "eduroam-correct"

(That's all that's in the logs.)

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
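An added check, not part of the post above and not Radiator's own code, that reads a Radiator debug log in the dump format shown and flags any Access-Accept sent in reply to an Access-Request that carried EAP-Message but that itself carries no EAP-Message; RFC 3579 requires an EAP-Message (EAP-Success) in that reply, and a supplicant waiting for it will sit silent exactly as the log shows. The sample log is constructed to mirror the post's dump; only the attribute names matter to the check.

```python
# Constructed sample in the shape of the Radiator debug log in the post
# (request and reply share RADIUS Identifier 186).
SAMPLE_LOG = """\
*** Received from 132.236.115.218 port 33004 ....
Code: Access-Request
Identifier: 186
Attributes:
\tUser-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
\tEAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
\tAruba-Essid-Name = "eduroam-test"
Wed Dec 7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
Wed Dec 7 16:32:46 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004 ....
Code: Access-Accept
Identifier: 186
Attributes:
\tFilter-Id = "eduroam-correct"
"""


def parse_packets(log):
    """Return one dict per packet dump: direction, RADIUS code, identifier, attribute names."""
    packets, cur = [], None
    for line in log.splitlines():
        if line.startswith("*** "):                 # "*** Received from" / "*** Sending to"
            cur = {"dir": "in" if "Received" in line else "out",
                   "code": None, "id": None, "attrs": set()}
            packets.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            cur["id"] = int(line.split(":", 1)[1])
        elif line[:1] in (" ", "\t") and "=" in line:  # attribute lines are indented
            cur["attrs"].add(line.split("=", 1)[0].strip())
        elif not line.startswith(("Authentic:", "Attributes:")):
            cur = None                              # a timestamped DEBUG line ends the dump
    return packets


def find_eap_bypass(log):
    """Identifiers of Access-Accepts answering an EAP-Message request with no EAP-Message."""
    pending, flagged = {}, []
    for p in parse_packets(log):
        if p["dir"] == "in" and p["code"] == "Access-Request":
            pending[p["id"]] = "EAP-Message" in p["attrs"]
        elif p["dir"] == "out" and p["code"] == "Access-Accept":
            if pending.pop(p["id"], False) and "EAP-Message" not in p["attrs"]:
                flagged.append(p["id"])
    return flagged


if __name__ == "__main__":
    print(find_eap_bypass(SAMPLE_LOG))   # [186]
```

Run it over a full Radiator trace-4 log to list every EAP exchange that was accepted without completing the EAP method.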