Hi, I would like some advice on how to balance my options with a customer setup I have been building.
This setup has both tunneled EAP (PEAP and TTLS) and non-tunneled TLS based host authentication. There is an mschap based EAP authentication followed by an SQL based authorisation clause. The basic structure is as follows:

<AuthBy SQL>
    Identifier SQLauthenticate
    # mschap2 authentication
</AuthBy SQL>

<AuthBy SQL>
    Identifier SQLauthorize
    # sql based authorisation
    NoEAP
</AuthBy SQL>

<Handler TunnelledByPEAP=1>
    Identifier PEAP
    AuthByPolicy ContinueWhileAccept
    AuthBy SQLauthenticate
    AuthBy SQLauthorize
</Handler>

<Handler TunnelledByTTLS=1>
    Identifier TTLS
    AuthByPolicy ContinueWhileAccept
    AuthBy SQLauthenticate
    AuthBy SQLauthorize
</Handler>

# EAP TLS based host authentication
<Handler User-Name = /host/>
    Identifier TLS
    AuthBy FILE
    AuthBy SQLauthorize
</Handler>

<Handler>
    Identifier Outer
    AuthBy EAPouterHandler
</Handler>

First question:
---------------

The fun starts as the customer needs various data from the client certificates that we can extract in various hooks. We have used the handler postAuthHook to access the peer certificate in the EAP context and subsequently extract the issuer name and certificate policy from it and stick the data into the request.

The dilemma is that postAuthHook is too late to use the extracted data in the SQLauthorize clause. We would also not like to delegate the authorisation logic to the postAuthHook. The authorisation is basically a psql stored procedure that encapsulates all the business logic. I would like to keep it visible in the configuration and not hidden in a hook.

We were successful in extracting the certificate in the inner handler's preAuthHook, as the certificate has been extracted in the outer handler and is available at this point. This does not work for EAP TLS though, as TLS is not tunneled. I could probably use one of the hooks in EAP_13 (TLS), like perhaps EAPTLS_CertificateVerifyHook, to handle the TLS case and the preHandlerHook for the tunneled methods.

On the other hand I could probably patch the EAP PEAP, TTLS and TLS handlers and provide a generic way to map certificate data into the request. Do you have any advice on how to best handle this?

Second question:
----------------

We would also need the user and realm from the inner EAP identity in the above authorisation clauses. How could those best be accessed? The authorisation clauses use NoEAP in order to not interfere with the EAP challenge authentication, so the usual variables seem to have the outer identity.

Greetings
Christian

--
Christian Kratzer                       CK Software GmbH
Email: c...@cksoft.de                   Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0             D-71126 Gaeufelden
Fax:   +49 7032 893 997 - 9             HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843                Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator