On 06/22/2011 11:29 AM, Vandenbroucke Luc wrote:

Hello Luc,

> I think the config below is fine now. ( And MSCAHCAPV means MSCHAP-V2... )

What you have looks good. Please see my comments below.

> But I'm new to radiator ... So if anyone thinks I'm doing stupid things,
> please tell me before this thing will be in production .
>
> The handler with EAPType=TLS is doing everything for the smartcards. I even
> can use a separate ca : the smartcard CA
>
> For Windows it handles automatic machine authentication host/pcxxx.x.y, user
> dom/username, with no realm,
> And manual user input [email protected] with realm x.y ( necessary for eduroam)
>
> Does this work by accident, or is everything ok like this ?
> Specifying Realm= ,means Realm = NULL , I hope, and not Realm Default.

Realm is everything after @ character, so this looks good. About specifying
Realms, please see below.

> <AuthBy LSA>
> Identifier LSASCK
> UsernameMatchesWithoutRealm
> DefaultDomain SCK.BE
> #Group Administrators
> EAPType MSCHAP-V2
> AddToReply Trapeze-VLAN-Name="guest"
> </AuthBy>
>
> #Here I'm using a public CA and server certificate, for proxying through the
> eduroam network.
> <AuthBy LSA>
> Identifier LSAPEAP
> EAPType PEAP,TTLS
> DefaultDomain SCK.BE
> EAPTLS_CAFile %D/certificates/Addtrust/AddTrustChain.pem
> EAPTLS_CertificateFile %D/certificates/radius.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/radius.pvk
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> EAPTLS_PEAPVersion 0
> EAPTLS_PEAPBrokenV1Label
> </AuthBy>
>
> <Handler TunnelledByPEAP=1,Realm=sck.be>
> AuthBy LSASCK
> </Handler>

You did not specify EAPAnonymous in PEAP handler's AuthBy, so User-Name will
always be anonymous for inner PEAP and the realm is empty. If you check the
logs, you should see that the above Handler never matches PEAP inner requests.

If TTLS inner request has User-Name attribute, it will not be touched by
EAPAnonymous ever. I noticed you do not have any TunnelledByTTLS handlers even
if you allow it above with EAPType.

> #empty realm when automatic login by windows.
> <Handler TunnelledByPEAP=1,Realm=>
> AuthBy LSASCK
> </Handler>

This is the handler that always matches inner PEAP when EAPAnonymous has not
been set.

> <Handler EAPType=PEAP,Realm=>
> AuthBy LSAPEAP
> </Handler>
>
> <Handler EAPType=PEAP,Realm=sck.be>
> AuthBy LSAPEAP
> </Handler>

You could replace the above two handlers with this:

<Handler EAPType=PEAP, Realm=/^(|sck\.be)$/>
AuthBy LSAPEAP
</Handler>

> # Windows Smartcard authentication
> # I'm using an internal CA, and server Certificate, from the same CA that
> provides the smartcards.
> # this is only internally. Because no outside company will trust our ca, but
> neither will they proxy our smartcard request.
> <Handler EAPType=TLS>
> Identifier HPEAPTLS
> <AuthBy FILE>
> Filename %D/users
> EAPType TLS
> EAPTLS_CAFile %D/certificates/sckCA/sckCA.pem
> EAPTLS_CertificateFile %D/certificates/pc2848.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/pc2848.pvk
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> EAPTLS_SessionResumption 0
> AddToReplyIfNotExist Trapeze-VLAN-Name="guest"
> </AuthBy>
> </Handler>

You should consider adding a default Handler that catches the rest of the
requests. Otherwise requests with no matching Handler are ignored and can cause
NASes to mark the server dead.

# This is the default handler
<Handler>
Identifier default-handler
<AuthBy INTERNAL>
Identifier default-authby
# See ref.pdf for values that suit your environment
</AuthBy>
</Handler>

Thanks!

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
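To make the three points in the reply concrete (the empty-realm handler is the one inner PEAP always hits, the two outer PEAP handlers collapse into one realm regex, and a request with no matching Handler is silently dropped), here is an added Python simulation of first-match Handler selection. It is not Radiator code and not from the thread; the handler list, the identifiers given to the unnamed handlers and the sample User-Names are constructed from Luc's config.

```python
import re

# Handlers in the order Luc's config lists them (constructed; the identifiers for
# handlers that have none in the config are invented here). A plain string check
# item must match exactly; a compiled regex is searched against the value.
HANDLERS = [
    ({"TunnelledByPEAP": "1", "Realm": "sck.be"}, "inner-peap-sck"),  # never hit without EAPAnonymous
    ({"TunnelledByPEAP": "1", "Realm": ""}, "inner-peap-empty"),      # always hit for inner PEAP
    ({"EAPType": "PEAP", "Realm": re.compile(r"^(|sck\.be)$")}, "outer-peap"),  # merged handler
    ({"EAPType": "TLS"}, "HPEAPTLS"),
]


def realm_of(user_name):
    """Realm is everything after the '@'; a name without '@' has the empty realm."""
    _, sep, realm = user_name.partition("@")
    return realm if sep else ""


def matches(criteria, request):
    """True when every check item of the handler is satisfied by the request."""
    for key, want in criteria.items():
        have = request.get(key, "")
        if isinstance(want, re.Pattern):
            if not want.search(have):
                return False
        elif have != want:
            return False
    return True


def select_handler(request, handlers=HANDLERS, default=None):
    """First-match selection. `default` models a catch-all <Handler>; None means
    the request is dropped, which is what lets a NAS mark the server dead."""
    request = dict(request, Realm=realm_of(request.get("User-Name", "")))
    for criteria, ident in handlers:
        if matches(criteria, request):
            return ident
    return default


if __name__ == "__main__":
    samples = [  # sample requests constructed for this example
        {"TunnelledByPEAP": "1", "User-Name": "anonymous"},  # inner PEAP, no EAPAnonymous
        {"EAPType": "PEAP", "User-Name": "host/pc1.x.y"},    # machine auth, no realm
        {"EAPType": "PEAP", "User-Name": "user@sck.be"},     # manual login with realm
        {"EAPType": "PEAP", "User-Name": "guest@other.org"}, # realm no handler matches
        {"EAPType": "TLS", "User-Name": "host/pc2.x.y"},     # smartcard
    ]
    for req in samples:
        print(req["User-Name"], "->", select_handler(req),
              "| with catch-all:", select_handler(req, default="default-handler"))
```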
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
