But if I do that, I will still have to have the names of the machines in the tls_anon file, won't I?
Thanks,
Joy

On 12/8/11 5:07 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:

>On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>
>Hello Joy,
>
>> I am still working on my machine-based authentication config.
>>
>> Config1 (below) works fine but requires that the names of the machines
>> be listed in the file tls_anon.
>
>Try with something like this:
>
><Handler ...>
>  AuthByPolicy ContinueWhileAccept
>  AuthBy file-tls
>  AuthBy external-adcert
></Handler>
>
>With the above EAP-TLS will run first and when it is done and returns
>ACCEPT, the AuthBy EXTERNAL extra check will run, determining the outcome
>of the whole authentication process.
>
>Please let us know of your results.
>
>> I need to modify this config so that I do not need to maintain a list of
>> host names on the radiator server and so that I can execute an external
>> script that formats a Filter-Id for a VLAN name to return with the
>> ACCEPT.
>> I thought this would be pretty straightforward, see config2 below. The
>> problem is that just this minor change causes the client to hang or
>> something during the negotiation. Once the accept is sent, nothing else
>> happens - we've verified this looking at the traffic on the AP. I've
>> included a debug log as well.
>>
>> I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong
>> or I just can't use AuthBy EXTERNAL in combination with TLS?
>>
>> TIA,
>> Joy
>>
>> -------
>> config1: (works if names of computers are in tls_anon file)
>>
>> <AuthBy FILE>
>>   Identifier TLS
>>   Filename %D/tls_anon
>>   EAPType TLS
>>   EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
>>   EAPTLS_CertificateFile /app/radius/keys/agate1.pem
>>   EAPTLS_CertificateType PEM
>>   EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
>>   EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
>>   EAPTLS_MaxFragmentSize 1000
>>   AutoMPPEKeys
>> </AuthBy>
>>
>> <AuthBy EXTERNAL>
>>   Identifier ADCERT
>>   # looks up VLAN and returns Filter-Id
>>   Command /app/radius/scripts/authby.ADCERT
>> </AuthBy>
>>
>> <AuthBy GROUP>
>>   Identifier dot1x_tls
>>   AuthByPolicy ContinueWhileAccept
>>   AuthBy TLS
>> </AuthBy>
>>
>> <Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
>>   AuthByPolicy ContinueAlways
>>   RewriteUsername s/^host\///
>>   AuthBy dot1x_tls
>>   AuthBy ADCERT
>>   AcctLogFileName %L/%y%m%d-eduroam.log
>> </Handler>
>> ------------
>> config2 (doesn't work. see log below.)
>>
>> #<AuthBy FILE>
>> <AuthBy EXTERNAL>
>>   Identifier TLS
>>   # Filename %D/tls_anon
>>   EAPType TLS
>>   EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
>>   EAPTLS_CertificateFile /app/radius/keys/agate1.pem
>>   EAPTLS_CertificateType PEM
>>   EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
>>   EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
>>   EAPTLS_MaxFragmentSize 1000
>>   Command /app/radius/scripts/authby.ADCERT
>>   AutoMPPEKeys
>> </AuthBy>
>>
>> <AuthBy GROUP>
>>   Identifier dot1x_tls
>>   AuthByPolicy ContinueWhileAccept
>>   AuthBy TLS
>> </AuthBy>
>>
>> <Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
>>   AuthByPolicy ContinueAlways
>>   RewriteUsername s/^host\///
>>   AuthBy dot1x_tls
>>   # AuthBy ADCERT
>>   AcctLogFileName %L/%y%m%d-eduroam.log
>>   AuthLog QRadar_WIRELESS
>> </Handler>
>>
>> -----------
>>
>> the debug log
>>
>> *** Received from 132.236.115.218 port 33004 ....
>> Code:       Access-Request
>> Identifier: 186
>> Authentic:  <201><217><161><218><164><173>b<229><24><147><163>G#<30>]<179>
>> Attributes:
>>         User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
>>         NAS-IP-Address = 132.236.115.218
>>         NAS-Port = 1
>>         NAS-Identifier = "cit.redrover.secure"
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         Calling-Station-Id = "0014D1EA856B"
>>         Called-Station-Id = "000B866222B0"
>>         Service-Type = Login-User
>>         Framed-MTU = 1100
>>         EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
>>         Aruba-Essid-Name = "eduroam-test"
>>         Aruba-Location-Id = "test-rhodes-745-ap"
>>         Message-Authenticator = <139><149>3<145><153>Z<4><192><210>[,<170>g<15><21>p
>>
>> Wed Dec 7 16:32:46 2011: DEBUG: Handling request with Handler 'Aruba-Essid-Name="eduroam-test", User-Name = /^host/i', Identifier ''
>> Wed Dec 7 16:32:46 2011: DEBUG: Rewrote user name to CIT-JV11GTEST2.cit.cornell.edu
>> Wed Dec 7 16:32:46 2011: DEBUG: Deleting session for host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
>> Wed Dec 7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
>> Wed Dec 7 16:32:46 2011: DEBUG: Running command: /app/radius/scripts/authby.ADCERT
>> Wed Dec 7 16:32:46 2011: DEBUG: External command exited with status 0
>> Wed Dec 7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
>> Wed Dec 7 16:32:46 2011: DEBUG: Access accepted for CIT-JV11GTEST2.cit.cornell.edu
>> Wed Dec 7 16:32:46 2011: DEBUG: Packet dump:
>> *** Sending to 132.236.115.218 port 33004 ....
>> Code:       Access-Accept
>> Identifier: 186
>> Authentic:  <234><162><3>*<215><25><250>&<21>t<149><129>><168><202><204>
>> Attributes:
>>         Filter-Id = "eduroam-correct"
>>
>> (That's all that's in the logs...)
>>
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>--
>Heikki Vatiainen <h...@open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
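The debug log quoted above shows config2 answering the very first EAP Identity request with an Access-Accept carrying a Filter-Id, so the external command decided the result before any TLS handshake had run. The script below is an added example, not Joy's authby.ADCERT, of the check an AuthBy EXTERNAL stage can apply after EAP-TLS has already accepted in the ordering Heikki suggests; the stdin/stdout/exit-status contract it assumes for AuthBy EXTERNAL, the host-name prefixes and the VLAN names are assumptions and constructed sample data.

```python
#!/usr/bin/env python3
"""Added example (not the authby.ADCERT from the thread): a Radiator
AuthBy EXTERNAL script mapping an authenticated machine name to a VLAN.

Assumed AuthBy EXTERNAL contract: request attributes arrive on stdin as
"Attribute = value" lines, reply attributes are written to stdout in the
same form, and the exit status decides the result (0 accept, 1 reject).
"""
import re
import sys

# Constructed sample policy: host-name prefix -> VLAN Filter-Id.
DOMAIN = "cit.cornell.edu"          # domain seen in the log's User-Name
VLAN_BY_PREFIX = {"cit-jv": "eduroam-correct", "cit-lab": "vlan-lab"}

ACCEPT, REJECT = 0, 1               # exit statuses Radiator maps to results


def parse_request(text):
    """Parse 'Attribute = "value"' lines into a dict, stripping quotes."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$', line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def decide(attrs):
    """Return (exit_status, reply_attrs). Only hosts inside DOMAIN with a
    known prefix get a VLAN; anything else is rejected, so a certificate
    that passed EAP-TLS but belongs to a host we do not know gets no access."""
    user = attrs.get("User-Name", "").lower()
    user = re.sub(r"^host/", "", user)   # same rewrite the Handler applies
    if not user.endswith("." + DOMAIN):
        return REJECT, {}
    short = user[: -len(DOMAIN) - 1]
    for prefix, vlan in VLAN_BY_PREFIX.items():
        if short.startswith(prefix):
            return ACCEPT, {"Filter-Id": vlan}
    return REJECT, {}


def main():
    status, reply = decide(parse_request(sys.stdin.read()))
    for name, value in reply.items():
        print(f'{name} = "{value}"')   # reply attributes for the Access-Accept
    return status


if __name__ == "__main__":
    sys.exit(main())
```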