Re: [RADIATOR] Eaptype=PEAP chosen even if request is EAP-TLS
On 06/24/2011 04:52 PM, Vandenbroucke Luc wrote:

Hello Luc,

> Can anyone tell me, if my handler asks "EapType=PEAP", why it is chosen
> for EAP-TLS?
>
> I do have a handler for "EapType=TLS", for the same domain. But this
> handler is never reached.

With EAPType you should use a number, such as 25 for PEAP, and when you want to use a name, you should use EAPTypeName.

However, now that I took a better look at your configuration and at how EAP type matching works, it looks like your configuration needs other changes too.

The problem with EAPType and EAPTypeName is that they are only filled in *after* a Handler has been selected, so they cannot be used for the initial Handler selection. There are a couple of alternatives for accomplishing Handler selection by EAP type.

1. If there's anything in the request that differentiates between EAP types, use it. If, for example, User-Name has a prefix or suffix that is different for TLS and PEAP, the correct Handler can be selected based on User-Name.

2. Match the EAP type in the EAP-Message attribute directly:

   # catch EAP-TLS with 0x13 in the 5th octet

3. A PreHandlerHook in the Client clause can be used to add e.g. a pseudo-attribute to the request. This attribute can then be used to match the correct Handler.

4. A PreProcessingHook in a Handler, together with an AuthBy Handler, can be used similarly to (3.) to redispatch the request.

The problem with EAP is that sometimes the EAP type is negotiated between the peers and/or there might be an identity exchange that does not specify the type at all. For these reasons it would be good if the clients could be configured to use their desired EAP type directly.

Please let us know how the options I listed look.

Thanks!
Heikki

> Regards
>
> Luc Vandenbroucke
>
> p.s. Our other tests are all fine now. So we decided to go with Radiator,
> and buy the pro-pack.
>
> Config
> ....
>
> AuthBy LSAPEAP
>
> Identifier HPEAPTLS
> …
>
> Code: Access-Request
> Identifier: 176
> Authentic: |ME22<21><129><199>e<140>Q<140><178><152><5><230>
> Attributes:
> NAS-Port-Id = "AP2/1"
> Calling-Station-Id = "00-23-14-EB-CB-A8"
> Called-Station-Id = "00-0B-0E-CF-26-C8:radroam"
> Service-Type = Framed-User
> User-Name = ""
> NAS-Port = 55256
> EAP-Message = <2><2><0><6><3><13>
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-IP-Address = 10.73.240.100
> NAS-Identifier = "Trapeze"
> Message-Authenticator = <129><237><217>e<201>p<142><229><168><154>a<163>s=S0
>
> Fri Jun 24 15:42:39 2011: DEBUG: Handling request with Handler 'EAPType=PEAP,Realm=***', Identifier ''
> Fri Jun 24 15:42:39 2011: DEBUG: Deleting session for insta...@sckcen.be, 10.73.240.100, 55256
> Fri Jun 24 15:42:39 2011: DEBUG: Handling with Radius::AuthLSA: LSAPEAP
> Fri Jun 24 15:42:39 2011: DEBUG: Handling with EAP: code 2, 2, 6, 3
> Fri Jun 24 15:42:39 2011: DEBUG: Response type 3
> Fri Jun 24 15:42:39 2011: DEBUG: EAP Nak desires type 13
> Fri Jun 24 15:42:39 2011: DEBUG: Desired EAP type TLS (13) not permitted
> Fri Jun 24 15:42:39 2011: DEBUG: EAP result: 1, None of the desired EAP types (13) are available
> Fri Jun 24 15:42:39 2011: DEBUG: AuthBy LSA result: REJECT, None of the desired EAP types (13) are available
> Fri Jun 24 15:42:39 2011: INFO: Access rejected for ** : None of the desired EAP types (13) are available
> Fri Jun 24 15:42:39 2011: DEBUG: Packet dump:
> *** Sending to 10.73.240.100 port 20001
>
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
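Heikki's option 2 keys the Handler on an octet of the EAP-Message attribute. The following is an added example, not Heikki's or Radiator's code, that decodes the textual form Radiator prints for binary attributes so you can see which octets such a match would test; on the packet from Luc's debug log it shows that the 5th octet is 3 (a Nak) and that TLS (13) appears only as the desired type in the 6th, which is what the "EAP Nak desires type 13" line reports.

```shell
#!/bin/sh
# Added example: decode an EAP-Message value in the textual form Radiator
# prints for binary attributes, e.g. "<2><2><0><6><3><13>" in the packet
# dump above. Non-printable octets appear as <decimal>, printable ones as
# the character itself (compare the Authentic: line in the same dump).

# eap_octets VALUE: print the octets as space-separated decimal numbers.
eap_octets() {
    s="$1"; out=""
    while [ -n "$s" ]; do
        case "$s" in
            \<[0-9]*\>*) n="${s#?}"; n="${n%%>*}"; s="${s#*>}" ;;        # <n> escape
            *) c="${s%"${s#?}"}"; s="${s#?}"; n=$(printf '%d' "'$c") ;;  # literal char
        esac
        out="$out $n"
    done
    printf '%s\n' "${out# }"
}

# eap_type_name TYPE: the EAP method numbers discussed in the thread.
eap_type_name() {
    case "$1" in
        1) echo Identity ;; 3) echo Nak ;; 13) echo TLS ;; 21) echo TTLS ;; 25) echo PEAP ;;
        *) echo unknown ;;
    esac
}

# eap_summary VALUE: header and type as in Radiator's "Handling with EAP:
# code 2, 2, 6, 3" and "EAP Nak desires type 13" log lines. Octet 5 is the
# EAP type; for a Nak (3) the octets after it are the types the peer wants,
# so a Handler keyed on octet 5 alone never sees 13 in Luc's packet.
eap_summary() {
    set -- $(eap_octets "$1")                 # word-split into positional octets
    [ $# -ge 5 ] || { echo "too short for an EAP type" >&2; return 1; }
    code=$1; id=$2; len=$(( $3 * 256 + $4 )); type=$5; shift 5
    if [ "$type" -eq 3 ]; then
        printf 'code=%s id=%s len=%s type=3(Nak) desires=%s\n' "$code" "$id" "$len" "$*"
    else
        printf 'code=%s id=%s len=%s type=%s(%s)\n' "$code" "$id" "$len" "$type" "$(eap_type_name "$type")"
    fi
}

# Constructed inputs: the Nak from the log above, a first EAP-TLS response
# (flags octet 0) and an Identity response carrying the printable name "fred".
eap_summary '<2><2><0><6><3><13>'
eap_summary '<2><3><0><6><13><0>'
eap_summary '<2><1><0><10><1>fred'
```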
Re: [RADIATOR] Executing an external script from Radiator
Hello all,

If you have noticed, I am trying to get the values of the User-Name and User-Password attributes in my BASH script that is being executed by the Command parameter inside my <AuthBy EXTERNAL> clause. In my test, I can only get the value of the User-Name attribute but not the User-Password attribute, as it appears blank. If I can pass the value of the User-Password attribute to the $PASSWORD variable, I will be able to compare it with the return value when I do the wget command.

Please advise on how I am able to proceed from here.

Regards,

MP

From: ant...@hotmail.com
To: radiator@open.com.au
Date: Tue, 28 Jun 2011 14:50:51 +0800
Subject: Re: [RADIATOR] Executing an external script from Radiator

Hello all,

How am I able to read the value of the User-Password attribute and pass it to a variable from an (AuthBy) EXTERNAL BASH script? Also, how am I able to send back the result to the user, either successful (Access-Accept) or failed (Access-Reject)?

Below is a snippet of my Radiator configuration:

- - - < s n i p > - - -
<AuthBy EXTERNAL>
    DecryptPassword
    Command /usr/local/sbin/testauth.sh
    Fork
    RejectEmptyPassword
</AuthBy>
AcctLogFileName %L/accounting/detail-%Y%m%d.log
- - - < s n i p > - - -

Below is my BASH script:

- - - < s n i p > - - -
#!/bin/bash
USERNAME=$(grep -i User-Name | awk -F'61|@' '{print $2}')
PASSWORD=$(grep -i User-Password | awk -F'= ' '{print $2}')
HOST=192.168.1.101
HTTP_PORT=80
URL="http://$HOST/credentials.php?command=password_retrieve&phonenumber=$USERNAME";
RETVAL=0
set -x
function die()
{
    echo -e "$@" >> /var/log/messages
    exit 1
}
if echo "" | telnet $HOST $HTTP_PORT 2>&1 | grep -i Connected ; then
    if [ $PASSWORD == $(wget -c -O - $URL | cut -d\| -f 1) ] ; then
        #Make an Access-Accept reply to the user.
    else
        #Make an Access-Reject reply to the user.
    fi
else
    die "ERROR: The $HOST is down or unreachable on $(date)."
fi
exit ${RETVAL}
- - - < s n i p > - - -

Lastly, I am getting the below line in my radiusd.log file:

Tue Jun 28 13:53:01 2011 476732: ERR: Bad attribute=value pair: Connected to 192.168.1.201.

Please advise. Thank you in advance.

Regards,

MP

From: ant...@hotmail.com
To: radiator@open.com.au
Date: Wed, 22 Jun 2011 13:50:30 +0800
Subject: Re: [RADIATOR] Executing an external script from Radiator

Hello all,

Thank you to all who responded to my e-mail.

Now, I have a problem though. First, I am just going to write the script in BASH as I don't know Perl. Second, there is no database here to verify the User-Name and User-Password. Every time there is an Access-Request received by Radiator, it should execute the BASH script to (maybe) wget or curl, with an input parameter of the User-Name, from an HTTP or HTTPS URL; it will receive the output with the User-Name and User-Password to verify and then reply back with an Access-Accept. If during the wget or curl from the URL the output is other than what I expect (the User-Name and User-Password), then Radiator should respond with an Access-Reject.

[NAS Client] <---> (RADIUS Traffic) <---> [Radiator] <---> (Execute Script) <---> (HTTP/HTTPS Traffic) <---> [HTTP Server]

Please advise. Thank you in advance.

From: ant...@hotmail.com
To: radiator@open.com.au
Date: Tue, 21 Jun 2011 14:34:37 +0800
Subject: [RADIATOR] Executing an external script from Radiator

Hello all,

How am I going to execute an external script when Radiator receives an Access-Request? This script will actually do an HTTP API request to an external HTTP server to get the userid; once the script has it on the same server where Radiator is running, Radiator will respond with an Access-Accept.

Please advise. Thank you in advance.
Re: [RADIATOR] Executing an external script from Radiator
You're not iterating over stdin. Try something like:

martin@apollo:~$ cat test.sh
#!/bin/bash
#iterate over stdin and pull out the relevant fields.
while read LINE
do
    if [[ $LINE =~ User-Name ]]; then
        USERNAME=$( echo $LINE | awk -F'= ' '{print $2}')
    fi
    if [[ $LINE =~ User-Password ]]; then
        PASSWORD=$( echo $LINE | awk -F'= ' '{print $2}')
    fi
done
echo username is $USERNAME
echo password is $PASSWORD

martin@apollo:~$ echo -e "User-Name = \"Fred\"\nUser-Password = \"supersecret\"" | ./test.sh
username is "Fred"
password is "supersecret"

On 28/06/11 10:00, M P wrote:
>
> Hello all,
>
> If you have noticed, I am trying to get the values of the User-Name and
> User-Password attributes in my BASH script that is being executed by the
> Command parameter inside my <AuthBy EXTERNAL> clause. In my test, I can only
> get the value of the User-Name attribute but not the User-Password
> attribute, as it appears blank. If I can pass the value of the User-Password
> attribute to the $PASSWORD variable, I will be able to compare it with the
> return value when I do the wget command.
>
> Please advise on how I am able to proceed from here.
>
> Regards,
>
> MP
Re: [RADIATOR] BindAddress question
On 14/06/2011 15:21, Heikki Vatiainen wrote:

> Linux also has this special file to control the system wide behaviour:
>
> /proc/sys/net/ipv6/bindv6only
>
> If I do this to enable the option:
>
> echo 1 | sudo tee /proc/sys/net/ipv6/bindv6only
>
> the same configuration works:
>
> BindAddress ipv6:::, 0.0.0.0

Works for me too! Thanks :-)

-- 
Dyonisius Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
T +31 20 530 44 88
F +31 20 530 44 99
vis...@terena.org | www.terena.org
Re: [RADIATOR] Executing an external script from Radiator
Hello Martin,

Thank you for the hint. I am now able to get the two values.

Now, I have a follow-up question. What is your recommended way to send the reply back to the user, be it an Access-Accept or Access-Reject? I am thinking of adding the reply back whatever the output of my if statement is when comparing the password received from the user and the password I got from my wget command.

Below is my updated BASH script for your reference.

- - - < s n i p > - - -
#!/bin/bash
HOST=192.168.1.101
HTTP_PORT=80
RETVAL=0
set -x
function die()
{
    echo -e "$@" >> /var/log/messages
    exit 1
}
while read LINE
do
    if [[ $LINE =~ User-Name ]] ; then
        USERNAME=$(echo $LINE | awk -F'61|@' '{print $2}')
    fi
    if [[ $LINE =~ User-Password ]] ; then
        PASSWORD=$(echo $LINE | awk -F'= ' '{print $2}' | awk -F'"|"' '{print $2}')
    fi
done
if echo "" | telnet $HOST $HTTP_PORT 2>&1 | grep -i Connected ; then
    URL="http://$HOST/credentials.php?command=password_retrieve&phonenumber=$USERNAME";
    if [ $PASSWORD == $(wget -c -O - $URL | cut -d\| -f 1) ] ; then
        #Make an Access-Accept reply to the user.
    else
        #Make an Access-Reject reply to the user.
    fi
else
    die "ERROR: The $HOST is down or unreachable on $(date)."
fi
exit ${RETVAL}
- - - < s n i p > - - -

Please advise. Thank you in advance.

Regards,

MP

Date: Tue, 28 Jun 2011 12:04:54 +0100
From: m...@sanger.ac.uk
To: radiator@open.com.au
Subject: Re: [RADIATOR] Executing an external script from Radiator

You're not iterating over stdin. Try something like:

martin@apollo:~$ cat test.sh
#!/bin/bash
#iterate over stdin and pull out the relevant fields.
while read LINE
do
    if [[ $LINE =~ User-Name ]]; then
        USERNAME=$( echo $LINE | awk -F'= ' '{print $2}')
    fi
    if [[ $LINE =~ User-Password ]]; then
        PASSWORD=$( echo $LINE | awk -F'= ' '{print $2}')
    fi
done
echo username is $USERNAME
echo password is $PASSWORD

martin@apollo:~$ echo -e "User-Name = \"Fred\"\nUser-Password = \"supersecret\"" | ./test.sh
username is "Fred"
password is "supersecret"
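The following is an added example, not MP's script or Radiator's own code, for the two open points in this thread: how an AuthBy EXTERNAL Command reports accept or reject, and where the "ERR: Bad attribute=value pair: Connected to 192.168.1.201." line came from (the telnet/grep check printed to stdout, which Radiator reads as reply attributes). The exit-status meanings used here are my reading of the Radiator AuthBy EXTERNAL documentation and should be checked against your version; the credentials lookup is a constructed stand-in for the wget call, and the request is a constructed sample.

```shell
#!/bin/sh
# Added example (not the original poster's script): an AuthBy EXTERNAL Command.
# Radiator feeds the request attributes on stdin, one 'Name = value' per line
# with string values in double quotes, and treats every line the script writes
# to stdout as a reply attribute, which is why the telnet/grep output above
# produced "ERR: Bad attribute=value pair". Diagnostics go to stderr here.
# Exit status (assumed from the Radiator manual, verify for your version):
# 0 = Access-Accept, 1 = Access-Reject, 2 = ignore (let another AuthBy decide).

# attr_value NAME: print the value of attribute NAME from the request on
# stdin. Splits on the first ' = ' only, so '=' inside a password survives,
# and strips the quotes Radiator puts around string values.
attr_value() {
    want="$1"
    while IFS= read -r line; do
        line="${line#"${line%%[![:space:]]*}"}"       # drop leading indent
        [ "${line%% = *}" = "$want" ] || continue
        value="${line#* = }"
        value="${value#\"}"; value="${value%\"}"
        printf '%s\n' "$value"
        return 0
    done
    return 1
}

# demo_backend USER: constructed stand-in for the credentials.php lookup,
# printing 'password|extra' like the original URL; non-zero when unreachable.
demo_backend() {
    case "$1" in
        fred) printf 'p=ss w0rd|active\n' ;;
        *) return 1 ;;
    esac
}

# authenticate LOOKUP_CMD < request: compare User-Password with the first
# '|' field the back end returns and return 0 / 1 / 2 as described above.
authenticate() {
    lookup="$1"
    req="$(cat)"
    user="$(printf '%s\n' "$req" | attr_value User-Name)" || { echo "no User-Name" >&2; return 1; }
    pass="$(printf '%s\n' "$req" | attr_value User-Password)" || pass=""
    user="${user%%@*}"                                   # strip realm, as the awk did
    expected="$("$lookup" "$user")" || { echo "backend lookup failed for $user" >&2; return 2; }
    expected="${expected%%|*}"
    if [ -n "$pass" ] && [ "$pass" = "$expected" ]; then
        printf 'Reply-Message = "Welcome %s"\n' "$user"   # only reply attributes on stdout
        return 0
    fi
    echo "password mismatch for $user" >&2
    return 1
}

# Constructed request, as Radiator would pipe it to the Command:
printf 'User-Name = "fred@example.net"\nUser-Password = "p=ss w0rd"\n' | authenticate demo_backend
```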