On 4/9/2014 8:01 AM, Heikki Vatiainen wrote:
> On 04/08/2014 11:36 PM, Michael Rodrigues wrote:
>
>> When untarring the patches tarball patches-4.12.1-20140407.tar.gz in the
>> Radiator directory and testing the build, test "1d" fails to pass. Am I
>> applying the patches correctly? I read that there was information on the
>> site where the patches are downloaded, but I don't have direct access to
>> it as a colleague maintains the account.
>
> Thanks for letting us know about this. The patches do not have the
> recently updated test.pl. Test 1d does a Status-Server request against
> Radiator and it now fails because it does not add Message-Authenticator
> in the request. This requirement was just recently added in Radiator.
> Status-Server requests with a correct Message-Authenticator will be
> ignored from now on.
>
> Updated test.pl was going to be in the next release, but it was
> unfortunately not tagged to be in the patch set meanwhile. It will be in
> the next patch set.
>
>> I'm using:
>> Ubuntu 12.04
>
> Please make sure the system is updated with the latest OpenSSL patch for
> the Heartbleed vulnerability.

Thanks for the heads up on this, I have since updated.
>
>> I also need to rewrite the outer identity before my AuthBy FILE sections
>> that check that the user is not on the blacklist. As configured, it will
>> check their anonymous ID against the blacklist, which does me no good.
>
> For that you might consider an AuthBy INTERNAL that is evaluated before
> the blacklists. This AuthBy has RequestHook that you can use to modify
> the request before it is passed to the blacklist AuthBys.

I tried adding an AuthBy INTERNAL to the outer handler, using the perl
snippet you had suggested with RequestHook. I get a hook error whenever it
is called. I'm not a perl guru, but I tried changing "${$_[1]}" to just
"$_[1]" and got rid of the SCALAR error, but I was still getting a "Hook
error" with no specific information.

Code:

Access-Request
Identifier: 155
Authentic: <130>hZ<30><145><187>;<199><159><164>C<211><240>sT5
Attributes:
        User-Name = "anonymous-username"
        NAS-IP-Address = 10.99.1.250
        NAS-Port = 86
        EAP-Message = <2><0><0><13><1>anonymous-username
        Message-Authenticator = <144><11><139>5<132>u~@<7><150>m<155>q5{<221>

Fri Apr 18 09:22:30 2014: DEBUG: Handling request with Handler '', Identifier ''
Fri Apr 18 09:22:30 2014: DEBUG: Deleting session for anonymous-username, 10.99.1.250, 86
Fri Apr 18 09:22:30 2014: DEBUG: Handling with Radius::AuthGROUP:
Fri Apr 18 09:22:30 2014: DEBUG: Handling with AuthINTERNAL:
Fri Apr 18 09:22:30 2014: ERR: Error in RequestHook(): Not a SCALAR reference at (eval 40) line 1.
Fri Apr 18 09:22:30 2014: DEBUG: Radius::AuthGROUP: result: IGNORE, Hook error
Fri Apr 18 09:22:30 2014: DEBUG: AuthBy GROUP result: IGNORE, Hook error
>
> Thanks,
> Heikki
>

Here's the updated config:

<Client 10.99.1.250>
        Secret testing123
</Client>

<Handler User-Name=/^host\//>
        # AuthBy INTERNAL will reject here
        # This catches computers trying to auth
</Handler>

<Handler TunnelledByPEAP=1>
        <AuthBy NTLM>
                NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
                Domain AD
                EAPType MSCHAP-V2
                AutoMPPEKeys
        </AuthBy>
</Handler>

<Handler TunnelledByTTLS=1>
        <AuthBy NTLM>
                NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
                Domain AD
                AutoMPPEKeys
        </AuthBy>
</Handler>

<Handler>
        <AuthBy GROUP>
                AuthByPolicy ContinueWhileAccept

                <AuthBy INTERNAL>
                        RequestHook sub { my $rp = ${$_[1]}; $rp->changeUserName($rp->{inner_identity}); }
                        DefaultResult ACCEPT
                </AuthBy>

                # Make sure MAC address is not blacklisted.
                <AuthBy FILE>
                        NoEAP
                        # Calling-Station-Id attribute is the user's MAC in this case.
                        AuthenticateAttribute Calling-Station-Id
                        AcceptIfMissing
                        Filename /etc/radiator/MacAddrBlacklist.txt
                </AuthBy>

                # Make sure USERNAME is not blacklisted.
                <AuthBy FILE>
                        NoEAP
                        AcceptIfMissing
                        Filename /etc/radiator/UsernameBlacklist.txt
                </AuthBy>

                <AuthBy NTLM>
                        NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
                        Domain AD
                        EAPType PEAP, TTLS, MSCHAP-V2
                        EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
                        EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
                        EAPTLS_CertificateType PEM
                        EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
                        EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
                        AutoMPPEKeys
                </AuthBy>
        </AuthBy>
</Handler>

-- 
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
h...@education.ucsb.edu

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
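The Message-Authenticator that Heikki says test 1d's Status-Server request now needs is the RFC 2869 attribute (type 80): an HMAC-MD5 over the whole packet, keyed with the client's shared secret, computed with the attribute's 16 value bytes zeroed. The Python below is an added example, not part of this thread or of Radiator's test.pl; it builds a Status-Server request (RFC 5997) the way an updated test client would and checks it the way a server that requires the attribute would. The secret testing123 and identifier 155 come from the config and log above; the Request Authenticator is a constructed fixed value where a real client would use random bytes.

```python
import hmac
import hashlib
import struct

STATUS_SERVER = 12           # RADIUS Code for Status-Server (RFC 5997)
MESSAGE_AUTHENTICATOR = 80   # attribute type (RFC 2869 section 5.14)
HEADER_LEN = 20              # Code, Identifier, Length, 16-byte Authenticator


def build_status_server(secret: bytes, identifier: int, req_auth: bytes) -> bytes:
    """Build a Status-Server packet whose only attribute is a valid Message-Authenticator."""
    # HMAC-MD5 is computed over the packet with the attribute value zeroed,
    # then the 16-byte digest is written in place of the zeros.
    placeholder = bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    length = HEADER_LEN + len(placeholder)
    header = struct.pack("!BBH", STATUS_SERVER, identifier, length) + req_auth
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + bytes([MESSAGE_AUTHENTICATOR, 18]) + mac


def iter_attributes(body: bytes):
    """Yield (type, offset_in_body, value) per TLV; raise on a malformed length field."""
    off = 0
    while off < len(body):
        if off + 2 > len(body) or body[off + 1] < 2 or off + body[off + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % off)
        yield body[off], off, body[off + 2:off + body[off + 1]]
        off += body[off + 1]


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: True only if Message-Authenticator is present and correct.

    A request with no attribute, a bad HMAC, or an inconsistent Length field
    cannot be authenticated, so a server that requires the attribute should
    ignore it rather than answer.
    """
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        for attr_type, off, value in iter_attributes(packet[HEADER_LEN:]):
            if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
                start = HEADER_LEN + off + 2
                zeroed = packet[:start] + b"\x00" * 16 + packet[start + 16:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)   # constant-time compare
    except ValueError:
        return False
    return False   # attribute missing: request is not authenticated
```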