EAP-TLS User-Name not matching

Alan DeKok aland at deployingradius.com
Mon Jan 18 07:53:58 CET 2010


Huckle Berry wrote:
> This was beginning to occur to me. Initially I ignored proxy.conf
> because I figured I would never need to proxy anything, but I now see FR
> proxies to itself...

  It treats the inner tunnel session as a (largely) independent RADIUS
request.  This makes server design && configuration easier.  It also
means that FreeRADIUS has capabilities that other RADIUS servers don't have.

> OK, I just tested this and it resulted in me DoSing myself as the request
> bounced back and forth between 127.0.0.1 and 192.168.1.3. This happened
> both with my eap.conf and the default eap.conf. Something about there
> being 200+ Proxy-State attributes.

  So... don't do that.  That proxy loop is *not* in the default
configuration.  It only happens when you try to force proxying for a
realm to loop back to the server.

  Why would this *ever* be a good idea?

>     2) in users file you include the details for the user 'user'  eg
> 
>     user Cleartext-Password := "password"
> 
> 
> I'm using Certificate based authentication, with myself as the CA, so no
> password should be needed correct? Or is the Password used to sign the
> cert needed here?

  No.  You don't need a password.

  Alan DeKok.
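
The "200+ Proxy-State attributes" symptom quoted above can be checked for in a captured packet. The following is an added example, not part of the original message and not FreeRADIUS code: it parses a raw RADIUS packet using the RFC 2865 layout and counts Proxy-State (type 33) attributes, one of which is appended per proxy hop. The threshold of 5 hops, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

PROXY_STATE = 33   # RFC 2865 attribute type; every proxy hop appends one
HEADER_LEN = 20    # code(1) + identifier(1) + length(2) + authenticator(16)

def parse_attributes(packet: bytes):
    """Return [(type, value), ...] from a raw RADIUS packet, checking lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        # a_len covers the 2-byte type/length header plus the value
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def proxy_hops(packet: bytes) -> int:
    """Number of Proxy-State attributes, i.e. proxies the request passed through."""
    return sum(1 for a_type, _ in parse_attributes(packet) if a_type == PROXY_STATE)

def looks_like_loop(packet: bytes, max_hops: int = 5) -> bool:
    """Flag a request whose hop count exceeds max_hops (assumed threshold)."""
    return proxy_hops(packet) > max_hops

def build_packet(attrs, code=1, ident=0) -> bytes:
    """Helper that builds constructed sample packets (zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body

# Constructed samples: one proxy hop versus a request that has looped 200 times.
NORMAL = build_packet([(1, b"user"), (PROXY_STATE, b"\x00\x01")])
LOOPING = build_packet([(1, b"user")] + [(PROXY_STATE, bytes([i])) for i in range(200)])

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("looping", LOOPING)):
        print(name, proxy_hops(pkt), "hops, loop suspected:", looks_like_loop(pkt))
```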


