Re: [RADIATOR] Shibboleth authentication for wifi

2012-01-16 Thread Heikki Vatiainen
On 01/13/2012 03:43 PM, Denis Pavani wrote:

> My company plans to have a wireless network where authentication 
> credentials come from a federation using shibboleth.
> We have in production a cisco wireless controller, and really I was 
> trying not to bypass it for a different captive portal.
> Is it possible to use "AuthBy URL" redirecting credentials to a CGI
> which provides shibboleth authentication?
> Does anyone have experience with this?

I think this model is too straightforward to work. You need to allow
passthrough for every organisation that participates in the federation.
The users need to access the authentication web page of their home
organisation.

After the authentication the user is redirected back to your login web
page and the web server sets the environment variables to reflect the
outcome of the user's authentication. That is, you do not get any access to
credentials you could use to do the login. To actually use this
information, you would most likely need to bypass the controller to utilise
the information from shibboleth.

One method to make a shibboleth based WLAN login is this:

1. Create a captive portal that lets the users select their home
organisation. When they select it, they get redirected to their home
login page. This portal most likely can not be in the controller but
needs a web server with shibboleth authentication modules. The
shibboleth authentication starts here.

2. The success URL users get from their home shibboleth login directs
them back to your web server.

3. The resource pointed to by the success URL (e.g., a CGI script) creates a
temporary username/password in e.g. an SQL database.

4. The user is redirected to the controller's login page with a GET or POST
request. The request parameters specify the temporary username/password.

5. The controller does RADIUS authentication against the SQL database.

6. If the authentication is successful, as it always should be at this
point, the controller opens the captive portal. The user has now logged in.

Something like the above should make it possible to use shibboleth for
WLAN authentication. Note that it does not enable encrypted radio, so
even if authentication is strong, users are still susceptible to
eavesdropping.

Have you considered eduroam for federated authentication?

Thanks!
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
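Steps 3 to 5 of the procedure above, as an added example that is not part of Heikki's message and not code from Radiator or Shibboleth: the success-URL script mints a random one-time username/password from the identity the Shibboleth SP leaves in the CGI environment, and the RADIUS-side lookup enforces single use and expiry so a credential that leaks from the redirect is of little value. The environment names `eppn` and `REMOTE_USER`, the table layout, the TTL and the function names are my assumptions, not anything the thread specifies.

```python
# Added example (not from the thread, Radiator or Shibboleth): the glue
# between steps 3 and 5 of the procedure above, modelled with SQLite.
# Assumptions: the Shibboleth SP exposes the identity as REMOTE_USER or
# eppn in the CGI environment; table name, TTL and function names are mine.
import os
import secrets
import sqlite3
import time
from typing import Optional, Tuple

TTL_SECONDS = 120  # assumption: the credential only needs to survive the redirect


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the table the RADIUS server will query."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS tempcred (
               username TEXT PRIMARY KEY,
               password TEXT NOT NULL,
               eppn     TEXT NOT NULL,
               expires  REAL NOT NULL,
               used     INTEGER NOT NULL DEFAULT 0)"""
    )
    return conn


def issue_temp_credential(conn, shib_env=None, now=None) -> Tuple[str, str]:
    """Step 3: run by the success-URL CGI. Trust only what the Shibboleth SP
    put in the environment, mint a random one-time username/password and
    store it together with the federated identity it stands for."""
    shib_env = os.environ if shib_env is None else shib_env
    now = time.time() if now is None else now
    eppn = shib_env.get("eppn") or shib_env.get("REMOTE_USER")
    if not eppn:
        raise PermissionError("no Shibboleth identity in environment")
    username = "tmp-" + secrets.token_hex(8)
    password = secrets.token_urlsafe(24)
    # Stored in clear: if the controller uses CHAP/MSCHAP the server needs
    # the plaintext; with PAP a salted hash would do instead.
    conn.execute(
        "INSERT INTO tempcred VALUES (?, ?, ?, ?, 0)",
        (username, password, eppn, now + TTL_SECONDS),
    )
    conn.commit()
    return username, password


def radius_check(conn, username: str, password: str, now=None) -> Optional[str]:
    """Step 5: the checks the RADIUS SQL lookup has to enforce. Returns the
    federated identity on success (useful for accounting/logging), None on
    reject. A credential is single-use and expires."""
    now = time.time() if now is None else now
    row = conn.execute(
        "SELECT password, eppn, expires, used FROM tempcred WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    stored_pw, eppn, expires, used = row
    if used or now > expires or not secrets.compare_digest(stored_pw, password):
        return None
    conn.execute("UPDATE tempcred SET used = 1 WHERE username = ?", (username,))
    conn.commit()
    return eppn


def sweep(conn, now=None) -> int:
    """Housekeeping: drop used or expired rows; returns how many were removed."""
    now = time.time() if now is None else now
    cur = conn.execute("DELETE FROM tempcred WHERE used = 1 OR expires < ?", (now,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_store()
    # Constructed environment standing in for what the SP would set.
    user, pw = issue_temp_credential(db, {"eppn": "alice@example.org"})
    print("controller would POST:", user, pw)
    print("RADIUS accepts as:", radius_check(db, user, pw))
    print("replay accepted?:", radius_check(db, user, pw) is not None)
```

In a real deployment the RADIUS server's own SQL clause does the lookup; `radius_check` spells out which conditions that query must carry (unused, not expired, constant-time password compare) rather than a plain username/password match.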


[RADIATOR] Stripping realm in AuthBy LSA object

2012-01-16 Thread Alex Sharaz
Hi,

I've got Radiator 4.9 running on a windoze server. Users need to
authenticate with a UserName of the form u...@scar.hull.ac.uk against an
Active Directory whose usernames do not include a realm.

Is the following the correct way to strip out the realm from the
UserName in order to authenticate against AD with just the "user"
component of the UserName?

    AuthBy lsaAuth
    AuthLog logfile
    EAPType PEAP,TTLS,MSCHAP-V2,TLS
    EAPTLS ...
    StripFromReply ...
    AddToReply ...

Where lsaAuth is

    <AuthBy LSA>
        Identifier lsaAuth
        RewriteUsername s/^([^@]+).*/$1/
        SSLeayTrace 4
        Domain SCAR
        DefaultDomain SCAR
        EAPType PEAP,TTLS,MSCHAP-V2,TLS
        ...
    </AuthBy>



**
To view the terms under which this email is distributed
please go to http://www2.hull.ac.uk/legal/disclaimer.aspx
**

Re: [RADIATOR] Stripping realm in AuthBy LSA object

2012-01-16 Thread Heikki Vatiainen
On 01/16/2012 05:25 PM, Alex Sharaz wrote:

Hello Alex,

> I've got Radiator 4.9 running on a windoze server. Users need to
> authenticate with a UserName of the form u...@scar.hull.ac.uk against an
> Active Directory whose usernames do not include a realm.
> 
> Is the following the correct way to strip out the realm from the
> UserName in order to authenticate against AD with just the "user"
> component of the UserName?

Try UsernameMatchesWithoutRealm instead of RewriteUsername. That should
work while keeping the original User-Name intact.

Heikki

> 
>     AuthBy lsaAuth
>     AuthLog logfile
>     EAPType PEAP,TTLS,MSCHAP-V2,TLS
>     EAPTLS ...
>     StripFromReply ...
>     AddToReply ...
> 
> Where lsaAuth is
> 
>     <AuthBy LSA>
>         Identifier lsaAuth
>         RewriteUsername s/^([^@]+).*/$1/
>         SSLeayTrace 4
>         Domain SCAR
>         DefaultDomain SCAR
>         EAPType PEAP,TTLS,MSCHAP-V2,TLS
>         ...
>     </AuthBy>
> 


-- 
Heikki Vatiainen 

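To make Heikki's point concrete, here is an added example (mine, not Radiator code and not from either message) that re-expresses the posted RewriteUsername regex in Python and sets it beside the check a handler should make before it hands a bare name to AD: the regex strips whatever realm is present, whereas a match-without-realm approach can refuse names whose realm is not the one this handler serves and leaves the original User-Name untouched. The set `EXPECTED_REALMS` and the function names are my assumptions.

```python
# Added example (not Radiator code): the posted RewriteUsername regex
# re-expressed in Python, next to the realm check a handler should make
# before it hands a bare name to AD. EXPECTED_REALMS and the function
# names are my assumptions.
import re
from typing import Optional, Tuple

# Perl  s/^([^@]+).*/$1/  from the posted config, in Python syntax
REWRITE = re.compile(r"^([^@]+).*")


def strip_realm_unconditionally(user_name: str) -> str:
    """What the posted rewrite does: keep the text before the first '@',
    whatever follows it. A name without '@' (or starting with one) passes
    through unchanged."""
    return REWRITE.sub(r"\1", user_name)


EXPECTED_REALMS = {"scar.hull.ac.uk"}  # assumption: the realm(s) this handler serves


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """NAI-style split on the last '@'; realm is None when absent."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, realm.lower()


def ad_lookup_name(user_name: str, expected_realms=EXPECTED_REALMS) -> Optional[str]:
    """Bare name to give AD, or None to reject. Unlike the unconditional
    rewrite this refuses names whose realm is not ours, so user@other.example
    is not quietly looked up as 'user' in our domain, and the caller's
    User-Name string is never modified."""
    user, realm = split_realm(user_name)
    if realm is None or realm not in expected_realms:
        return None
    if not user or "@" in user or "\\" in user or "/" in user:
        return None
    return user


if __name__ == "__main__":
    # Constructed sample names covering the normal case and the edge cases.
    for name in ["alice@scar.hull.ac.uk", "alice", "alice@other.example",
                 "alice@x@scar.hull.ac.uk"]:
        print(f"{name!r:28} rewrite -> {strip_realm_unconditionally(name)!r:10}"
              f" checked -> {ad_lookup_name(name)!r}")
```

A bare name with no realm is rejected here on the assumption that such requests belong to a different handler; adjust `split_realm`'s None case if one handler is meant to serve both forms.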