Hi all,

I've been using RADIATOR for 4 or 5 years using EAP-TTLS PAP against an LDAP database. We now have an Active Directory that is synced with LDAP, so all users and their passwords are now in AD. With the LDAP database, we had to configure every client manually (these are student computers we don't own) for wireless to work. This could sometimes take 20-30 minutes with Apple clients and involved installing SecureW2 on Windows.

My goal now is to transition to using AuthBy NTLM with PEAP, TTLS, and MSCHAP-V2 in place of AuthBy LDAP2 so users can just type their username and password when prompted, while maintaining backwards compatibility with the EAP-TTLS PAP machines that were already configured. The config I have does do this, but it also allows domain computers to authenticate as computers; I don't want this. So it comes down to a few questions:

1. How do I allow only directory users to authenticate, while
   preventing machine accounts from being authenticated?
2. Will the eap_acct_username.pl prevent users from showing up as
   'anonymous' in my accounting requests for all allowed types of auth?
   (PEAP, TTLS, MSCHAP-V2)
3. Will disabling machine authentication have any effect on SSO so that
   a user can log in to a domain computer and automatically authenticate
   to the wifi (assuming the proper GPOs are in place)?

Here's my configuration:

##########                      ##########
#####   Radiator Configuration       #####
##########                      ##########

##      Updated 03/26/14 mbr
## Note this file is derived from pre-testing version provided by <mrodrigues

#This handler catches all "Accounting-Request" packets.
#We only log Start and Stop accounting packets as Alive
#packets are basically useless for our purposes. If you
#would like to grab these packets, delete the "HandleAcctStatusTypes"
#directive below, or edit as obviously necessary.

#<Handler Request-Type=Accounting-Request>

#<AuthBy SQL>
#        DBSource        dbi:mysql:radius:127.0.0.1:3306
#        DBUsername      radius
#        DBAuth  xxx
#HandleAcctStatusTypes Start,Stop
# This statement inserts the accounting information into the SQL database.

#AcctSQLStatement insert into ggse_public values('%{Acct-Session-Id}','%{Framed-IP-Address}','%{User-Name}','%{Acct-Status-Type}','%{Extreme-SSID}','%{Connect-Info}','%{Acct-Delay-Time}','%{Timestamp}','%{Calling-Station-Id}',NULL);

# This will log messages from within the SQL insert statement

#<Log FILE>
#Filename debug.config
#</Log>

#</AuthBy>

#</Handler>

#below was added on 2/4/13 to catch ALL iterations of logins that are BlackListed.
RewriteUsername         tr/A-Z/a-z/

#These are the IPs from which calls to the RADIUS server are allowed.

<Client 10.99.1.250>
        Secret testing123
        DupInterval 0
</Client>

<Handler>
    # This is only tentative and hasn't been tested. This keeps people from circumventing
    # the logs by making their outer identity anonymous. This script copies the inner
    # identity to the outer identity; you can't authenticate without the correct inner identity.
    PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"

    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept

        # Make sure MAC address is not blacklisted..
        <AuthBy FILE>
            NoEAP
            # Calling-Station-Id attribute is the user's MAC in this case.
            AuthenticateAttribute Calling-Station-Id
            AcceptIfMissing
            Filename /etc/radiator/MacAddrBlacklist.txt
        </AuthBy>

        # Make sure USERNAME is not blacklisted..
        <AuthBy FILE>
            NoEAP
            AcceptIfMissing
            Filename /etc/radiator/UsernameBlacklist.txt
        </AuthBy>

        <AuthBy NTLM>
            Domain                  AD
            EAPType                 PEAP, TTLS, MSCHAP-V2
            EAPTLS_CAFile           /etc/radiator/certs/demoCA/cacert.pem
            EAPTLS_CertificateFile  /etc/radiator/certs/cert-srv.pem
            EAPTLS_CertificateType  PEM
            EAPTLS_PrivateKeyFile   /etc/radiator/certs/cert-srv.pem
            EAPTLS_PrivateKeyPassword whatever
            AutoMPPEKeys
        </AuthBy>
    </AuthBy>
</Handler>
#PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"

#This logs to /var/log/radius/logfile
#Not really necessary, we have SQL logs.
<Log FILE>
Filename logfile
</Log>
Thanks,
Michael

--
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
h...@education.ucsb.edu
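One way to keep domain computers off the SSID while still letting directory users in, as an added example that is not part of Michael's post or of Radiator's own distribution: a PostAuthHook that turns an accept into a reject when the authenticated identity is shaped like an AD machine account. It assumes that Windows machine authentication presents the EAP identity as "host/<fqdn>" and the SAM account as "<hostname>$", that the hook sits in the same <Handler> as the AuthBy NTLM above and therefore sees the inner (tunnelled) User-Name, and that the hook file lives at /etc/radiator/reject_machine_accounts.pl (all three are assumptions, not facts from the post).

```perl
# Added example, not from the original post: a Radiator PostAuthHook that rejects
# identities shaped like AD machine accounts after the AuthBy chain has accepted them.
# Assumptions: machine auth presents "host/<fqdn>" as the EAP identity or "<hostname>$"
# as the account name; the hook sees the inner User-Name of the PEAP/TTLS tunnel.
# Install with:  PostAuthHook file:"/etc/radiator/reject_machine_accounts.pl"
sub {
    my ($p, $rp, $result, $reason) = @_;

    # Only interfere with requests the AuthBy chain already accepted;
    # rejects and challenges pass through untouched.
    return unless $$result == $main::ACCEPT;

    my $name = $p->get_attr('User-Name');
    return unless defined $name;

    # Strip an optional realm ("user@AD" or "AD\user") before inspecting the identity.
    (my $bare = $name) =~ s/@[^@]*$//;
    $bare =~ s/^[^\\]*\\//;

    # Machine-account shapes: "host/pc01.example.edu" (EAP identity)
    # or "PC01$" (sAMAccountName). Ordinary user names match neither.
    if ($bare =~ m{^host/}i || $bare =~ /\$$/) {
        &main::log($main::LOG_INFO, "Rejecting machine-account identity '$name'");
        $$result = $main::REJECT;
        $$reason = 'Machine accounts are not permitted on this SSID';
    }
    return;
}
```

A PostAuthHook is used rather than the PostProcessingHook already in the Handler because it runs while the result code can still be changed; the existing eap_acct_username.pl hook is left in place to keep the inner identity in accounting. Rejects logged this way show up in the Radiator log with the offending identity, which is what to watch while confirming that user logins still succeed and only "host/" and "$" identities are turned away.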

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
