PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity

Phil Mayers p.mayers at imperial.ac.uk
Wed Feb 20 00:52:13 CET 2008 

Gong Cheng wrote:
> Hi folks,
>      I am working on an issue like this:
> 
> In my users file, I have
> 
> user1
>      attribute1=val1
> 
> user2
>      attribute2=val2
> 
> DEFAULT
>      attribute1=def_val1
>      attribute2=def_val2
> 
> 
> 
> My intention is that 
> - for individual users, like user1 and user2, I will get individual attributes I specified in their dedicated entries,
> - and for everybody else, I will get a default set of attributes.
> 
> That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason is, in the first phase, the outer Identity, say "anonymous", is used and it hits the DEFAULT entry and acquires the default set of attributes, and then it proceeds to phase 2 and acquires the individual attributes. In the end, freeradius will combine the two together. 
> 
> So, for example, user1 will get 
> 
> attribute1=def_val1
> attribute2=def_val2
> attribute1=val1
> 
> Is there any way so that for the individual users won't acquire any attributes from DEFAULT when using methods like PEAP/EAP-TTLS?
> 
> A naive solution is to put a check of 
> DEFAULT User-Name != "anonymous"

Normally one would do this:

modules {
   files { ... }
   # define a 2nd copy of the module
   files files_inner { ... }
}
authorize {
   preprocess
   eap
   files
   Autz-Type INNER {
     files_inner
   }
}

Then in "users":

DEFAULT	Freeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER

Then in "users_inner" (or whatever you call it) put your actual user 
info. This is also helpful if you're doing LDAP or SQL lookups (or any 
other expensive operation)

In FreeRadius 2 you can accomplish the same thing by sending the inner 
request to a different virtual server and putting the files module 
there; see raddb/sites-available/inner-tunnel and the "virtual_server" 
option in raddb/eap ttls/peap sections.

This will

> ....
> 
> but it is not a reliable way since there is no guarantee that the outer id is "anonymous".
> 
> I wonder if there is another way to check this in DEFAULT or if there is any other different trick to do this?
> 
> thanks!
> 
> -gong
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list