` #Gnarly.vm.its.uwo.ca # # eap_multi.cfg # # This config supports EAP-TTLS and EAP-PEAP proxied from an external RADIUS server. Shared secrets, passwords and certificate/key file names are blank in this listing. # Foreground 1 LogStdout 1 LogDir c:/program files/radiator DbDir c:/program files/radiator AuthPort 1645,1812 AcctPort 1646,1813 # Use a lower trace level in production systems (Trace 4 and above dump full packet contents to the log): Trace 3 # IMPORTANT => convert user name to lower case to ensure match on uwo.ca realm in handler match criteria RewriteUsername tr/A-Z/a-z/ # Client identifier for offcampus proxy from eduroam. NOTE: most Client entries below set DupInterval 0 (duplicate-request detection disabled) and IgnoreAcctSignature (accounting requests accepted without checking the Request Authenticator); confirm both are intended. IdenticalClients 142.231.112.1 Secret DupInterval 0 IgnoreAcctSignature Identifier OFFCAMPUS # Client identifier for bigbrother - not sure why the second address is used, but it appears in the request. Verify who owns this external address before keeping it as a trusted RADIUS client. # Looks like the request is proxied from the ramp servers IdenticalClients 203.63.154.1 Secret DupInterval 0 IgnoreAcctSignature Identifier BIGBROTHER # Client identifier for ramp1 Secret DupInterval 0 IgnoreAcctSignature Identifier ONCAMPUS # Client identifier for ramp2 Secret DupInterval 0 IgnoreAcctSignature Identifier ONCAMPUS # Client identifier for on campus IdenticalClients 172.29.8.9 IdenticalClients 172.29.8.234 IdenticalClients 172.29.8.235 IdenticalClients 172.29.8.230 IdenticalClients 172.29.9.74 IdenticalClients 172.29.9.51 IdenticalClients 172.29.8.166 IdenticalClients 172.29.8.42 IdenticalClients 172.29.8.43 # Thick aps IdenticalClients 172.29.8.18 IdenticalClients 172.29.8.129 IdenticalClients 172.29.9.111 IdenticalClients 172.29.9.112 IdenticalClients 172.29.8.131 IdenticalClients 172.29.8.132 IdenticalClients 172.29.9.127 IdenticalClients 172.29.8.74 IdenticalClients 172.29.9.134 IdenticalClients 172.29.8.27 Secret DupInterval 0 IgnoreAcctSignature Identifier ONCAMPUS # Client id for localhost Secret DupInterval 0 IgnoreAcctSignature Identifier Proxy Secret Identifier monitor-test Identifier AccountingResponse AcctResult ACCEPT # UwoLSA is used to authenticate the inner PEAP credentials against a domain controller # Note requires MSCHAP-V2 support # Both userid and password are 
checked for inner PEAP requests # This version defaults the domain to uwo.ca as realm not supplied by user # #Identifier UwoLSA #Domain uwo.ca #EAPType MSCHAP-V2 # # UwoLSA is used to authenticate the inner PEAP credentials against a domain controller # Note requires MSCHAP-V2 support # Both userid and password are checked for inner PEAP requests # Does not set a domain Identifier UwoLSANew EAPType MSCHAP-V2 # UwoLDAP is used to authenticate the inner TTLS credentials and outer PEAP credentials against LDAP. SSLeayTrace 4 below is verbose TLS debug output; lower it in production. # Note requires TTLS and PEAP support # Both userid and password are checked for inner TTLS requests # Only the userid is checked for outer PEAP requests Identifier UwoLDAP EAPType TTLS,PEAP,PAP EAPTLS_CAFile %D/certificates/thawteCb.pem EAPTLS_CertificateFile %D/certificates/ EAPTLS_CertificateType PEM EAPTLS_PrivateKeyFile %D/certificates/ EAPTLS_PrivateKeyPassword EAPTLS_MaxFragmentSize 1000 AutoMPPEKeys SSLeayTrace 4 EAPTLS_SessionResumption 0 #EAPTLS_SessionResumptionLimit 10 # You can control which version of the draft PEAP protocol to honour # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients, # such as Funk Odyssey Client 2.22 or later. For Funk Odyssey # version 4, use EAPTLS_PEAPVersion 1, # but set EAPTLS_PEAPBrokenV1Label below EAPTLS_PEAPVersion 1 # You can make PEAP Version 1 support compatible with # nonstandard PEAP V1 clients that use the old broken TLS encryption labels that # appear to be used frequently, due to Microsoft's use of the incorrect # label in its V0 client. 
You should use this with Funk Odyssey # Client version 4 when EAPTLS_PEAPVersion is set to 1 EAPTLS_PEAPBrokenV1Label # Tell Radiator how to talk to the LDAP server. NOTE(review): AuthDN binds as cn=directory manager, typically the directory root account; a dedicated read-only bind DN limited to the attributes used below would follow least privilege. Nothing here enables TLS to the directory, so the bind password and the retrieved userPassword values would cross the network in clear unless the Host is local or otherwise protected - confirm. Host AuthDN cn=directory manager AuthPassword # Add role from LDAP to the request via the AuthAttrDef AuthAttrDef description,Role,request AuthAttrDef loginShell,Shell,request AuthAttrDef uwoid,Uid,request BaseDN o=uwo.ca,dc=its UsernameAttr uid PasswordAttr userPassword # TTLSOUTER used to authenticate the outer TTLS anonymous userid via a flat file. # Note requires TTLS support # Only the userid is checked for outer TTLS requests Identifier TTLSOUTER EAPType TTLS,PEAP,PAP Filename %D/users EAPTLS_CAFile %D/certificates/thawteCb.pem EAPTLS_CertificateFile %D/certificates/ EAPTLS_CertificateType PEM EAPTLS_PrivateKeyFile %D/certificates/ EAPTLS_PrivateKeyPassword EAPTLS_MaxFragmentSize 1000 AutoMPPEKeys SSLeayTrace 4 EAPTLS_SessionResumption 0 #EAPTLS_SessionResumptionLimit 10 EAPTLS_PEAPVersion 1 EAPTLS_PEAPBrokenV1Label # PEAPOUTER terminates the outer PEAP TLS tunnel only. # Note requires PEAP support # No userid or password is checked here (Filename /dev/null); the inner request is authenticated by the inner PEAP handler. SSLeayTrace 9 below is maximum TLS debug output; lower it in production. Identifier PEAPOUTER # No authentication performed - just establish a tunnel Filename /dev/null EAPType PEAP EAPTLS_CAFile %D/certificates/thawteCb.pem EAPTLS_CertificateFile %D/certificates/ EAPTLS_CertificateType PEM EAPTLS_PrivateKeyFile %D/certificates/ EAPTLS_PrivateKeyPassword EAPTLS_MaxFragmentSize 1000 AutoMPPEKeys SSLeayTrace 9 EAPTLS_SessionResumption 0 #EAPTLS_SessionResumptionLimit 10 # You can control which version of the draft PEAP protocol to honour # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients, # such as Funk Odyssey Client 2.22 or later. 
For Funk Odyssey # version 4, use EAPTLS_PEAPVersion 1, # but set EAPTLS_PEAPBrokenV1Label below EAPTLS_PEAPVersion 1 # You can make PEAP Version 1 support compatible with # nonstandard PEAP V1 clients that use the old broken TLS encryption labels that # appear to be used frequently, due to Microsoft's use of the incorrect # label in its V0 client. You should use this with Funk Odyssey # Client version 4 when EAPTLS_PEAPVersion is set to 1 EAPTLS_PEAPBrokenV1Label NoDefault # EDUROAM_FED # Proxies auth requests to the eduroam federation radius servers. # Provides its own failover in the group authenticators section. Identifier EDUROAM_FED Retries 3 RetryTimeout 5 FailureBackoffTime 60 LocalAddress 129.100.74.18 # Moose.bc.net AuthPort 1812 AcctPort 1813 Secret # Grizzly.bc.net AuthPort 1812 AcctPort 1813 Secret # Handlers are processed sequentially - and first match applies AuthBy AccountingResponse #================================================================ # Inner PEAP handler - uses LSA to authenticate the real userid and password for PEAP # Handles both authentication checks and logging as the MAC is available. # The UwoLDAP check will fail but is used to pick up the LDAP role so it can be used in checks. AuthBy UwoLSANew PostAuthHook file:"%D/innerpeap.hook" # Inner TTLS handler - authentication for TTLS - uses LDAP to authenticate the real userid and password #Strip the realm - need to remove before ldap check RewriteUsername s/^([^@]+).*/$1/ AuthBy UwoLDAP PostAuthHook file:"%D/innerttls.hook" #================================================================ # Special code for bigbrother - proxied from ramp servers AuthBy UwoLDAP # Outer handler for off campus OUTER PEAP authentication. NOTE(review): this handler proxies to EDUROAM_FED yet also strips the realm with RewriteUsername (a Handler rewrite is applied before its AuthBy runs), so the federation servers would receive a realm-less User-Name; the Identifier ONCAMPUS_OUTERPEAP_UWO is also reused by a later handler - confirm both are intended. Identifier ONCAMPUS_OUTERPEAP_UWO AuthBy EDUROAM_FED RewriteUsername s/^([^@]+).*/$1/ PostAuthHook file:"%D/eaplogger.hook" #======================================= # Used to handle requests from identified Bluesocket gateways. 
AuthBy UwoLDAP #AuthBy BackupUwoLdap # Standard Western handlers - off campus - uwo.ca realm supplied #====================================== # OUTER handler for off campus OUTER TTLS authentication. TTLSOUTER used for TTLS as userid anonymous is used and is not in LDAP # The MAC is not available in the inner TTLS request, so logging is done in an outer hook where the MAC is available. Identifier OFFCAMPUS_OUTERTTLS_UWO AuthBy TTLSOUTER PostAuthHook file:"%D/eaplogger.hook" # Outer handler for off campus OUTER PEAP authentication. Identifier OFFCAMPUS_OUTERPEAP_UWO #RewriteUsername s/^([^@]+).*/$1/ AuthBy PEAPOUTER RewriteUsername s/^([^@]+).*/$1/ PostAuthHook file:"%D/eaplogger.hook" #======================================= # Standard Western handlers - on campus - uwo.ca realm supplied #====================================== # OUTER anonymous handler for OUTER TTLS authentication. TTLSOUTER used for TTLS as userid anonymous is used and is not in LDAP # The MAC is not available in the inner TTLS request, so logging is done in an outer hook where the MAC is available. Identifier ONCAMPUS_OUTERTTLS_UWO AuthBy TTLSOUTER PostAuthHook file:"%D/eaplogger.hook" # Outer default proxy handler for OUTER PEAP authentication. Identifier ONCAMPUS_OUTERPEAP_UWO #RewriteUsername s/^([^@]+).*/$1/ AuthBy PEAPOUTER RewriteUsername s/^([^@]+).*/$1/ PostAuthHook file:"%D/eaplogger.hook" #======================================= # Roaming non Western users - on campus - non uwo.ca realm supplied #====================================== # OUTER handler for all non Western eduroam users. NOTE: the PostAuthHook is commented out here, so roaming requests are not logged by eaplogger.hook. Identifier ONCAMPUS_EDUROAM_FED AuthBy EDUROAM_FED #PostAuthHook file:"%D/eaplogger.hook" #======================================= # Standard Western handlers - on campus - no realm supplied #====================================== # OUTER anonymous handler for OUTER TTLS authentication. 
TTLSOUTER used for TTLS as userid anonymous is used and is not in LDAP # The MAC is not available in the inner TTLS request, so logging is done in an outer hook where the MAC is available. Identifier ONCAMPUS_OUTERTTLS AuthBy TTLSOUTER PostAuthHook file:"%D/eaplogger.hook" # Outer default proxy handler for OUTER PEAP authentication. Identifier ONCAMPUS_OUTERPEAP AuthBy PEAPOUTER RewriteUsername s/^([^@]+).*/$1/ PostAuthHook file:"%D/eaplogger.hook" #======================================= # Special code for bigbrother AuthBy TTLSOUTER