[RADIATOR] Huawei VSAs

2014-02-03 Thread Hartmaier Alexander
I've added some more Huawei VSAs to the dictionary, please include them
in the standard dictionary file, thanks!

VENDORATTR  2011  Huawei-Requested-APN  168  string
VENDORATTR  2011  Huawei-GGSN-Vendor    232  string
VENDORATTR  2011  Huawei-GGSN-Vendor    233  string


***
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
***
Notice: This e-mail contains information that is confidential and may be 
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
***
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] multiple EAP-TLS AuthBys

2014-02-03 Thread Heikki Vatiainen
On 01/31/2014 02:23 PM, Hartmaier Alexander wrote:

> I'm trying to get a wired and wireless 802.1x config working where in
> one building shared Cisco IOS switches and Cisco WLAN controllers are
> used for multiple companies, each with its own CA.
> My handler config is below and as you can see the EAPTLS settings share
> the same radius server certificate but only differ in the CA cert used
> to validate the clients cert.

If the clients have different certs from different CAs, you should be
able to use EAPTLS_CAPath instead of EAPTLS_CAFile.

Note that the certificate file names have special requirements. See
 https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

and look for the c_rehash utility.

> The level 4 trace showed that the first AuthBy responds with a challenge
> which didn't match the ContinueUntilAccept AuthByPolicy so the second
> AuthBy was triggered which failed as well.
>
> I've changed the AuthByPolicy to ContinueUntilAcceptOrChallenge but now
> always the first AuthBy is checked until the client gives up authenticating.

I'd say CAPath is a better idea than trying to match client CAs with
individual AuthBys unless there is a way to differentiate between clients.

Is there anything in the requests clients generate that could help with
choosing the correct Handler?

> Another possibility would be a single AuthBy with all CA certs but how
> would I differentiate which one matched to send different
> Tunnel-Private-Group-ID values back?

You might be able to use EAPTLS_CertificateVerifyHook to check which CA
matched. However, I have not checked in detail if this is possible. I
would first see if the requests have any information that could help
with Handler selection.

Thanks,
Heikki

-- 
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
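Heikki's EAPTLS_CAPath suggestion depends on the directory being laid out the way SSL_CTX_load_verify_locations expects: each CA certificate reachable under its subject-name hash with a numeric suffix, which is what c_rehash produces. The following POSIX shell function is an added example, not Radiator's or OpenSSL's own code, that does that part of c_rehash's job so the result can be inspected before pointing an AuthBy at it. It assumes openssl is on the PATH and that the CA certificates are PEM files named *.pem in the target directory; rehash_cadir and count_links are names chosen for this example.

```shell
#!/bin/sh
# Build an OpenSSL-style hashed CA directory, the layout EAPTLS_CAPath
# (via SSL_CTX_load_verify_locations) searches. Added example; assumes
# openssl on PATH and CA certs stored as <dir>/*.pem.
#
# Usage: rehash_cadir /path/to/company-cas

rehash_cadir() {
    dir="$1"
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        # OpenSSL looks up an issuer by <subject hash>.<n>
        hash=$(openssl x509 -noout -hash -in "$cert") || return 1
        n=0
        # Two CAs can share a subject hash (e.g. an old and a new CA with
        # the same DN); like c_rehash, bump the suffix until a slot is free.
        while [ -e "$dir/$hash.$n" ]; do
            # Already linked to this very file on an earlier run: skip it,
            # so re-running the function is idempotent.
            if [ "$(readlink "$dir/$hash.$n")" = "$(basename "$cert")" ]; then
                continue 2
            fi
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}

# Number of hashed links present, for a quick sanity check after a run.
count_links() {
    find "$1" -maxdepth 1 -type l -name '[0-9a-f]*.[0-9]*' | wc -l | tr -d ' '
}
```

Because the lookup is by subject hash plus suffix, an old and a new CA that share a subject DN coexist as `<hash>.0` and `<hash>.1`, which covers the old/new CA case mentioned later in this thread. The function has to be re-run whenever a certificate is added to the directory, and a link left behind after a CA file is removed should be deleted rather than left dangling; c_rehash itself additionally links CRLs with an `r` suffix, which this example does not do.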


Re: [RADIATOR] multiple EAP-TLS AuthBys

2014-02-03 Thread Hartmaier Alexander
Hi Heikki,

On 2014-02-03 17:10, Heikki Vatiainen wrote:
> On 01/31/2014 02:23 PM, Hartmaier Alexander wrote:
>
>> I'm trying to get a wired and wireless 802.1x config working where in
>> one building shared Cisco IOS switches and Cisco WLAN controllers are
>> used for multiple companies, each with its own CA.
>> My handler config is below and as you can see the EAPTLS settings share
>> the same radius server certificate but only differ in the CA cert used
>> to validate the clients cert.
> If the clients have different certs from different CAs, you should be
> able to use EAPTLS_CAPath instead of EAPTLS_CAFile.
>
> Note that the certificate file names have special requirements. See
>  https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
>
> and look for the c_rehash utility.
I'm already using that for one of the AuthBy's because the certs come
from an old and a new CA.

>> The level 4 trace showed that the first AuthBy responds with a challenge
>> which didn't match the ContinueUntilAccept AuthByPolicy so the second
>> AuthBy was triggered which failed as well.
>>
>> I've changed the AuthByPolicy to ContinueUntilAcceptOrChallenge but now
>> always the first AuthBy is checked until the client gives up authenticating.
> I'd say CAPath is a better idea than trying to match client CAs with
> individual AuthBys unless there is a way to differentiate between clients.
>
> Is there anything in the requests clients generate that could help with
> choosing the correct Handler?
Sadly not because the requirement is to have a single SSID for all
companies, the same goes for wired 802.1x where the same switch port
should be put into a specific VLAN per company.

>> Another possibility would be a single AuthBy with all CA certs but how
>> would I differentiate which one matched to send different
>> Tunnel-Private-Group-ID values back?
> You might be able to use EAPTLS_CertificateVerifyHook to check which CA
> matched. However, I have not checked in detail if this is possible. I
> would first see if the requests have any information that could help
> with Handler selection.
I already wrote a handler but the weird things are:
- $matchedcn is undefined. Is this because I'm doing AuthBy FILE with
AcceptIfMissing or because of EAPTLS_NoCheckId?
- I don't have access to the reply packet in the hook which makes
assigning a different value to the Tunnel-Private-Group-ID attribute
more complicated than necessary.


> Thanks,
> Heikki

Cheers, Alex

