Ah, gotcha! You need to change your Handler so it only matches EAP requests, for example:

<Handler AuthType="radius", EAP-Message=/.+/>

On 2013-12-20 13:35, Markus Moeller wrote:
> Hi Alexander,
>
> But I need the default: for the case when I get a successful EAPTLS
> exchange the users file is still checked, and to avoid adding all users
> I need a DEFAULT, don't I?
>
> Markus
>
> From: Hartmaier Alexander <mailto:alexander.hartma...@t-systems.at>
> Sent: Friday, December 20, 2013 10:52 AM
> To: radiator@open.com.au <mailto:radiator@open.com.au>
> Subject: Re: [RADIATOR] Enforce EAPTLS
>
> Hi Markus,
> you didn't configure NoDefault; see section 5.21.12 NoDefault in
> the Radiator Reference Manual for further details.
>
> On 2013-12-20 11:30, Markus Moeller wrote:
>> Hi,
>>
>> I have a switch configured to do EAP TLS authentication and when I
>> made an error in the config the following Access-Request was sent to
>> Radiator.
>>
>> Code: Access-Request
>> Identifier: 3
>> Authentic: 7O<24><227><149><222><130><147><179><146><194><195><181><206><190><11>
>> Attributes:
>>     User-Name = "0021aa6e1103"
>>     User-Password = <223><1><188><199><12><30><246><191><11><156>eV<211>*:<161>
>>     Service-Type = Call-Check
>>     Framed-MTU = 1500
>>     Called-Station-Id = "44-B4-A9-F9-42-A8"
>>     Calling-Station-Id = "00-21-DD-6F-35-03"
>>     Message-Authenticator = <27>]/<245><205><143>J<147><3>d7`<218><202>bG
>>     EAP-Key-Name =
>>     NAS-Port-Type = Ethernet
>>     NAS-Port = 50140
>>     NAS-Port-Id = "GigabitEthernet1/0/40"
>>     NAS-IP-Address = 10.7.1.2
>>
>> But to my surprise Radiator sent back an Accept:
>>
>> Wed Dec 18 10:14:12 2013: DEBUG: Handling request with Handler 'AuthType="radius"', Identifier ''
>> Wed Dec 18 10:14:12 2013: DEBUG: Deleting session for 0021aa6e1103, 10.7.1.2, 50140
>> Wed Dec 18 10:14:12 2013: DEBUG: Handling with Radius::AuthFILE: EapTLS
>> Wed Dec 18 10:14:12 2013: DEBUG: Reading users file /opt/Radiator/users
>> Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with 0021aa6e1103 [0021aa6e1103]
>> Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE REJECT: No such user: 0021aa6e1103 [0021aa6e1103]
>> Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE looks for match with DEFAULT [0021aa6e1103]
>> Wed Dec 18 10:14:12 2013: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [0021aa6e1103]
>> Wed Dec 18 10:14:12 2013: DEBUG: AuthBy FILE result: ACCEPT,
>> Wed Dec 18 10:14:12 2013: DEBUG: Packet dump:
>> *** Sending to 10.7.1.2 port 1645 ....
>> Code: Access-Accept
>>
>> My config is quite simple (maybe too simple):
>>
>> <Handler AuthType="radius">
>>     AuthBy EapTLS
>>     AuthLog LogToSyslog
>> </Handler>
>>
>> # EAPTLS authentication
>> <AuthBy FILE>
>>     Identifier EapTLS
>>     # the file is used to check usernames (assuming EAP-TLS certificate checks pass):
>>     Filename %D/users
>>     EAPType TLS
>>     # WLAN Additional Certificate Check
>>     EAPTLS_CertificateVerifyHook file:"%D/hooks/eaptls_check.pl"
>>     # WLAN root CAs
>>     EAPTLS_CAFile %{GlobalVar:CertsDir}/CA/ca.pem
>>
>>     EAPTLS_CertificateType PEM
>>     # Radiator Cert
>>     EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server/my_server_cert.pem
>>     # Radiator private key
>>     EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server/my_server_cert.key
>>
>>     EAPTLS_MaxFragmentSize 1000
>>
>>     EAPTLS_CRLCheck
>>     EAPTLS_CRLFile %{GlobalVar:CertsDir}/crls/ca.pem
>>
>>     AutoMPPEKeys
>> </AuthBy>
>>
>> What do I need to add so that a RADIUS request without an EAP-Message
>> does not get accepted?
>>
>> Thank you
>>
>> Markus
>>
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
> --
> Best regards, Alexander Hartmaier
>
> T-Systems Austria GesmbH
> TSS Security Services
> Network Security & Monitoring Engineer
>
> phone: +43(0)57057-4320
> fax: +43(0)57057-954320
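The two controls discussed in this thread, a Handler that only matches requests carrying an EAP-Message and AuthBy FILE's DEFAULT fall-through (NoDefault), can be modelled in a few lines to see why the posted config accepted a password-style request and what each fix changes. The following is an added example, not code from the thread or from Radiator: it assumes a users file whose entries carry no check items (the thread does not show %D/users), treats AuthType as a pseudo-attribute set on every request so the posted Handler lines can be used as written, and constructs its own sample requests; Radiator's real internals are not reproduced.

```python
import re

# Constructed requests (not captured traffic). "AuthType" is a pseudo-attribute
# this model sets on every request so the posted Handler lines can be used as
# written; it is not a RADIUS attribute. Values are kept as strings.
REQ_NO_EAP = {  # same attributes as the packet dump in the thread, abbreviated
    "AuthType": "radius",
    "User-Name": "0021aa6e1103",
    "User-Password": "<16 encrypted bytes>",
    "Service-Type": "Call-Check",
    "Calling-Station-Id": "00-21-DD-6F-35-03",
    "NAS-IP-Address": "10.7.1.2",
}
# A proper 802.1X start: constructed EAP-Response/Identity
# (code 2, id 1, length 17, type 1 Identity, identity "0021aa6e1103").
EAP_IDENTITY = bytes([2, 1, 0, 17, 1]) + b"0021aa6e1103"
REQ_EAP = {k: v for k, v in REQ_NO_EAP.items() if k != "User-Password"}
REQ_EAP["EAP-Message"] = EAP_IDENTITY.hex()
# The same password-style request, but with a User-Name that is listed.
REQ_NO_EAP_LISTED = {**REQ_NO_EAP, "User-Name": "printer01"}

# Constructed users file (assumption: the thread's %D/users is not shown).
# EAP-TLS entries usually carry no check items, and a DEFAULT without check
# items is what would explain the "ACCEPT: : DEFAULT" line in the log.
USERS = [
    ("printer01", {}),
    ("DEFAULT", {}),
]

ORIGINAL = ['AuthType="radius"']                 # the Handler from the post
FIXED = ['AuthType="radius", EAP-Message=/.+/']  # the suggested Handler

# attr=value | attr="value" | attr=/regex/
CHECK_ITEM = re.compile(r'([\w-]+)=(?:"([^"]*)"|/([^/]*)/|([^,\s]+))')


def parse_handler(spec):
    """Turn the text inside <Handler ...> into (attribute, literal|regex) pairs."""
    items = []
    for m in CHECK_ITEM.finditer(spec):
        attr, quoted, regex, bare = m.groups()
        if regex is not None:
            items.append((attr, re.compile(regex)))
        else:
            items.append((attr, quoted if quoted is not None else bare))
    return items


def matches_handler(check_items, request):
    """Every check item must be present and match; a missing attribute fails."""
    for attr, want in check_items:
        if attr not in request:
            return False
        got = request[attr]
        if isinstance(want, re.Pattern):
            if not want.search(got):
                return False
        elif got != want:
            return False
    return True


def auth_file(users, request, no_default=False):
    """Model of AuthBy FILE with EAPType TLS.

    EAP requests enter the EAP-TLS conversation (not modelled here). Anything
    else is looked up in the users file: the User-Name entry first, then DEFAULT
    unless NoDefault is set; an entry whose check items all match gives ACCEPT.
    """
    if "EAP-Message" in request:
        return "EAP"
    name = request.get("User-Name", "")
    for entry, check_items in users:
        if entry == "DEFAULT":
            if no_default:
                continue
        elif entry != name:
            continue
        if all(request.get(a) == v for a, v in check_items.items()):
            return "ACCEPT"
    return "REJECT"


def process(handlers, request, users, no_default=False):
    """Return (matching Handler spec, AuthBy result).

    (None, None) means no Handler matched, so no AuthBy runs and nothing is
    ever accepted for that request.
    """
    for spec in handlers:
        if matches_handler(parse_handler(spec), request):
            return spec, auth_file(users, request, no_default)
    return None, None


if __name__ == "__main__":
    cases = [("original", ORIGINAL, False),
             ("fixed Handler", FIXED, False),
             ("original + NoDefault", ORIGINAL, True)]
    reqs = [("no EAP", REQ_NO_EAP), ("no EAP, listed", REQ_NO_EAP_LISTED), ("EAP", REQ_EAP)]
    for label, handlers, nd in cases:
        for rname, req in reqs:
            print(f"{label:22} {rname:16} -> {process(handlers, req, USERS, nd)}")
```

Running it shows the three situations side by side: with the original Handler a password-style request is accepted for any User-Name because it falls through to DEFAULT; with the EAP-Message=/.+/ check the same request matches no Handler at all, while an EAP request still reaches the AuthBy and DEFAULT keeps working for the EAP-TLS case; with NoDefault alone the unknown name is rejected, but in this model a listed name without check items is still accepted, which is why filtering at the Handler is the control that actually closes the hole rather than a property of the users file.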