Hi Heikki,

Thanks for the reply. I got caught up in other things or I would have responded sooner.

I got the non-EAP handler setup and made a handler specifically for Accounting Requests.

The only issue I can find with my config is that users can circumvent my UserBlacklist by changing the capitalization of their username. I'm surprised Active Directory allows this, but we had a similar problem when we were authing against LDAP.

I tried implementing the solution here: http://www.open.com.au/pipermail/radiator/2013-February/018882.html

But I can still authenticate as "Mrodrigues" when I have "DEFAULT User-Name = /^mrodrigues$/i Auth-Type = Reject" in the users file. I did also have the "DEFAULT Auth-Type = Accept" at the end. I tried changing the default "Accept" to "Reject":

Mon Jun  9 10:07:21 2014: DEBUG: Handling request with Handler 'EAP-Message=/.+/', Identifier 'OUTER_HANDLER'
Mon Jun  9 10:07:21 2014: DEBUG:  Deleting session for loo, 10.99.1.250, 80
Mon Jun  9 10:07:21 2014: DEBUG: Handling with Radius::AuthGROUP:
Mon Jun  9 10:07:21 2014: DEBUG: Handling with Radius::AuthFILE: OUTER_MAC_ADDRESS_BLACKLIST
Mon Jun  9 10:07:21 2014: DEBUG: Radius::AuthFILE looks for match with 78:d6:f0:97:f7:d3 [loo]
Mon Jun  9 10:07:21 2014: DEBUG: Radius::AuthFILE REJECT: No such user: 78:d6:f0:97:f7:d3 [loo]
Mon Jun  9 10:07:21 2014: DEBUG: Radius::AuthGROUP: OUTER_MAC_ADDRESS_BLACKLIST result: ACCEPT,
Mon Jun  9 10:07:21 2014: DEBUG: Handling with Radius::AuthNTLM: OUTER_NTLM_AUTHBY
Mon Jun  9 10:07:21 2014: DEBUG: Handling with EAP: code 2, 9, 80, 25
Mon Jun  9 10:07:21 2014: DEBUG: Response type 25
Mon Jun  9 10:07:21 2014: DEBUG: EAP Success, elapsed time 3.258261
Mon Jun  9 10:07:21 2014: DEBUG: EAP result: 0,
Mon Jun  9 10:07:21 2014: DEBUG: Radius::AuthGROUP: OUTER_NTLM_AUTHBY result: ACCEPT,
Mon Jun  9 10:07:21 2014: DEBUG: Handling with AuthINTERNAL: OUTER_BLACKLIST_REWRITE
Mon Jun  9 10:07:21 2014: DEBUG: Changed Request User-Name to Mrodrigues from Reply inner_identity
Mon Jun  9 10:07:21 2014: DEBUG: Radius::AuthGROUP: OUTER_BLACKLIST_REWRITE result: ACCEPT,
Mon Jun  9 10:07:21 2014: DEBUG: Handling with Radius::AuthFILE: OUTER_USER_BLACKLIST
Mon Jun  9 10:07:21 2014: DEBUG: Reading users file /etc/radiator/UsernameBlacklist.txt
Mon Jun  9 10:07:21 2014: DEBUG: Radius::AuthFILE looks for match with Mrodrigues [loo]
Mon Jun  9 10:07:21 2014: DEBUG: Radius::AuthFILE REJECT: No such user: Mrodrigues [loo]
Mon Jun  9 10:07:21 2014: DEBUG: Radius::AuthFILE looks for match with DEFAULT [loo]
Mon Jun  9 10:07:21 2014: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [loo]
Mon Jun  9 10:07:21 2014: DEBUG: Radius::AuthGROUP: OUTER_USER_BLACKLIST result: ACCEPT,
Mon Jun  9 10:07:21 2014: DEBUG: AuthBy GROUP result: ACCEPT,
Mon Jun  9 10:07:21 2014: DEBUG: Access accepted for Mrodrigues
Mon Jun  9 10:07:21 2014: DEBUG: Hook changed User-Name to Mrodrigues
Mon Jun  9 10:07:21 2014: WARNING: Invalid reply item Auth-Type ignored
Mon Jun  9 10:07:21 2014: DEBUG: Packet dump:



It seems as if the regex in the users file just isn't matching "Mrodrigues". Using the simpler version without regex works fine if the user file contains:

"mrodrigues    Auth-Type = Reject"


Here's my config:

##########################################
#####     Radiator Configuration     #####
##########################################

##      Updated 6/9/2014
## Note this file is derived from pre-testing version provided by mrodrigues

#These are the clients from which calls to the RADIUS server are allowed.
#Don't confuse it with the wireless clients, they're different.
<Client 10.99.1.0/24>
        Secret testing123
</Client>

#This handler catches all "Accounting-Request" packets.
#We only log Start and Stop accounting packets as Alive
#packets are basically useless for our purposes. If you
#would like to grab these packets, delete the "HandleAcctStatusTypes"
#directive below, or edit as obviously necessary.
<Handler Request-Type=Accounting-Request>
    Identifier    ACCOUNTING_REQUEST_HANDLER

    # Logfile for accounting packets
    <Log FILE>
        Filename    logfile-ad-auth
    </Log>
</Handler>

# This catches computers trying to auth
<Handler User-Name=/^host\//>
    Identifier    COMPUTER_AUTH_HANDLER
    <AuthBy INTERNAL>
        Identifier     COMPUTER_AUTH_REJECT
        RequestHook sub { &main::log($main::LOG_DEBUG, "Computer account authentication requested, rejecting request..."); return $main::REJECT; }
    </AuthBy>
</Handler>

# Inner PEAP handler
<Handler TunnelledByPEAP=1>
    Identifier    PEAP_INNER_HANDLER
    <AuthBy NTLM>
        Identifier    PEAP_INNER_NTLM_AUTHBY
        NtlmAuthProg   /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
        Domain         AD
        EAPType        MSCHAP-V2
        AutoMPPEKeys
    </AuthBy>
</Handler>

# Inner TTLS handler
<Handler TunnelledByTTLS=1>
    Identifier    TTLS_INNER_HANDLER
    <AuthBy NTLM>
        Identifier    TTLS_INNER_NTLM_AUTHBY
        NtlmAuthProg   /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
        Domain         AD
        EAPType        MSCHAP-V2
        AutoMPPEKeys
    </AuthBy>
</Handler>

<Handler EAP-Message=/.+/>

    Identifier     OUTER_HANDLER

    <AuthBy GROUP>

        AuthByPolicy ContinueWhileAccept

        # Make sure MAC address is not blacklisted..
        <AuthBy FILE>
            Identifier        OUTER_MAC_ADDRESS_BLACKLIST
            NoEAP
            # Calling-Station-Id attribute is the user's MAC in this case.
            AuthenticateAttribute     Calling-Station-Id
            AcceptIfMissing
            Filename         /etc/radiator/MacAddrBlacklist.txt
        </AuthBy>

        # Set up the outer tunnel SSL connection
        <AuthBy NTLM>
            Identifier        OUTER_NTLM_AUTHBY
            NtlmAuthProg       /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
            Domain             AD
            EAPType            PEAP, TTLS
            EAPTLS_CAFile      /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
            EAPTLS_CertificateFile     /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
            EAPTLS_CertificateType     PEM
            EAPTLS_PrivateKeyFile      /etc/radiator/certs/radiatordev.key
            AutoMPPEKeys
        </AuthBy>

        # Get inner_identity after it is exported to the Reply, then use it to set the Request User-Name
        <AuthBy INTERNAL>
            Identifier     OUTER_BLACKLIST_REWRITE
            RequestHook sub { my $rq = $_[0]; my $rp = $_[1]; $rq->changeUserName($rp->{inner_identity}); &main::log($main::LOG_DEBUG, "Changed Request User-Name to $rp->{inner_identity} from Reply inner_identity"); return $main::ACCEPT; }
        </AuthBy>

        # Check User blacklist
        <AuthBy FILE>
            Identifier     OUTER_USER_BLACKLIST
            NoEAP
            AcceptIfMissing
            Filename     /etc/radiator/UsernameBlacklist.txt
        </AuthBy>

    </AuthBy>

    # If Reply is Access-Accept, send User-Name from inner_identity for logging, session table.
    PostProcessingHook     file:"goodies/eap_acct_username_mod.pl"
</Handler>

# Handles and rejects all non-EAP authentication requests
<Handler>

    Identifier NON_EAP_HANDLER

    <AuthBy INTERNAL>
        Identifier     NON_EAP_REJECT
        AddToReply    Reply-Message = Use an EAP method.
        RequestHook sub { &main::log($main::LOG_DEBUG, "Non-EAP authentication requested, rejecting request..."); return $main::REJECT; }
    </AuthBy>
</Handler>

#This logs to /var/log/radius/logfile
#Not really necessary, we have SQL logs.
<Log FILE>
    Filename    logfile
</Log>



Thanks,
Michael





On 5/18/2014 4:26 PM, Heikki Vatiainen wrote:
> On 05/13/2014 11:15 PM, Michael Rodrigues wrote:
>
>> I would like to REJECT any non-EAP in the outer handler. I've tried to
>> rearrange things to have only AuthBy FILE in the outer handler, having
>> AuthBy NTLM only in each inner handler.
>
> Hello Michael,
>
> try this:
>
> <Handler EAP-Message=/.+/>
>     # your current config for <Handler>
> </Handler>
>
> # Default Handler
> <Handler>
>     # Catches everything non-EAP
>     # Could reject with e.g., AuthBy INTERNAL
> </Handler>
>
> Note that the above may require setting another Handler before the
> default to catch the accounting, if this Radiator instance receives
> accounting too.
>
>> This would also (I think)
>> require me to move my AuthBy INTERNAL to each inner handler so that it
>> can get inner_identity once it is unpacked after AuthBy NTLM. After this
>> I would AuthBy FILE for blacklist.
>>
>> However, I can't seem to get my outer handler to drop non-EAP requests:
>
> I'd say the two Handler approach requires you not to rearrange internals
> or require any large changes.
>
> Please let us know how it works.
>
> PS. I've been traveling lately so unfortunately it took a bit longer
> than usual to reply.
>
> Thanks,
> Heikki


--
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
h...@education.ucsb.edu
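Added example (not code from the message above, and not Radiator's own code): one way to close the case-variant gap in the user blacklist is to normalize the inner identity before it replaces the outer User-Name, so that the plain entry form the message reports as working ("mrodrigues    Auth-Type = Reject") also catches "Mrodrigues" and "MRODRIGUES", without depending on the regex DEFAULT entry that the posted log shows falling through to ACCEPT. The hook keeps the shape of the posted OUTER_BLACKLIST_REWRITE RequestHook and uses only names already present in the config (the changeUserName method, the inner_identity reply attribute, $main::LOG_DEBUG, $main::ACCEPT, &main::log). Everything else is constructed so the script runs under plain perl outside Radiator: the FakeRequest package, the stand-in log and result constants, the blacklist lines and the exact-match lookup. The choice of lc() as the normalization is an assumption that blacklist entries are written in lowercase.

```perl
#!/usr/bin/perl
# Added example: case-normalizing rewrite hook for the user blacklist check.
# Runs stand-alone with plain perl; inside Radiator only the body of
# $rewrite_hook would be used as the RequestHook of OUTER_BLACKLIST_REWRITE.
use strict;
use warnings;

# Constructed stand-in for the Radiator request object. Only changeUserName,
# the method the posted config already calls, is modelled.
package FakeRequest;
sub new {
    my ($class, %attrs) = @_;
    my $self = { %attrs };
    return bless $self, $class;
}
sub changeUserName { my ($self, $name) = @_; $self->{'User-Name'} = $name; return $name; }
sub user_name      { return $_[0]{'User-Name'}; }

package main;

# Constructed stand-ins for the Radiator names the hook refers to.
our $LOG_DEBUG = 4;
our $ACCEPT    = 0;
sub log { my ($level, $msg) = @_; print "DEBUG: $msg\n"; return; }

# The hook: same shape as the posted RequestHook, plus lc() on the inner
# identity so "Mrodrigues" and "MRODRIGUES" both become "mrodrigues"
# before OUTER_USER_BLACKLIST looks the name up.
my $rewrite_hook = sub {
    my ($rq, $rp) = @_;
    my $inner = $rp->{inner_identity};
    # Nothing exported by the inner authentication: leave User-Name alone.
    return $main::ACCEPT unless (defined $inner && length $inner);
    my $normalized = lc $inner;
    $rq->changeUserName($normalized);
    &main::log($main::LOG_DEBUG,
        "Changed Request User-Name to $normalized (lowercased from inner_identity '$inner')");
    return $main::ACCEPT;
};

# Constructed blacklist in the plain users-file form the message reports as
# working: "<username>   Auth-Type = Reject", one user per line.
my @blacklist_lines = (
    "mrodrigues    Auth-Type = Reject",
    "olduser       Auth-Type = Reject",
);
my %blacklisted = map { (split ' ', $_)[0] => 1 } @blacklist_lines;

# Exact-match lookup, behaving like a case-sensitive file lookup.
sub is_blacklisted { my ($name) = @_; return exists $blacklisted{$name} ? 1 : 0; }

# Walk through the case variants that slip past an exact match, and show
# what the same lookup sees once the hook has normalized User-Name.
for my $inner ('mrodrigues', 'Mrodrigues', 'MRODRIGUES', 'someone') {
    my $rq = FakeRequest->new('User-Name' => 'loo');   # outer (anonymous) identity
    my $rp = { inner_identity => $inner };              # what the inner AuthBy exported
    printf "inner_identity %-12s -> exact lookup: %s\n", "'$inner'",
        is_blacklisted($inner) ? 'REJECT' : 'no match';
    $rewrite_hook->($rq, $rp);
    printf "%-40s -> after hook  : %s (User-Name now '%s')\n", '',
        is_blacklisted($rq->user_name) ? 'REJECT' : 'no match', $rq->user_name;
}
```

The lc() here is byte-wise (no `use utf8`), which is the right match for an ASCII blacklist file; if usernames can carry non-ASCII characters, pick a normalization that agrees with how the directory compares names and apply the same one when writing the blacklist. Whatever normalization is chosen, it has to run before the AuthBy FILE lookup, which is why it belongs in the rewrite hook and not after the blacklist check.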

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator