EAP-PEAP drops attributes

Brian Julin BJulin at clarku.edu
Sun Feb 23 03:12:55 CET 2014


freerad wrote:
> This, however, doesn't seem to work as freeradius seems to drop the
> Airespace-Wlan-Id attribute while processing the request. As can be seen
> in the debug trace (debug_fail.txt), the user is being matched at first
> ([files] users: Matched entry test1 at line 173) but isn't found later on.

Copy your outer attributes into the inner tunnel.  Unless you do that all you
get is a few attributes mapped from the PEAP session into a fake RADIUS
request.  If you uncomment "copy_request_to_tunnel = yes" in the eap-peap
submodule config section, FreeRADIUS will also add the attributes from the
outer request to this fake request.  If you need to also send attributes back from
the inner authentication, also activate use_tunneled_reply but be warned that
this will drop information outside of the cryptographic tunnel, so ensure
your communication channel between FreeRADIUS and the NAS is secured
against eavesdropping, and watch your WLC logs for problems that might
occur when the username changes in some software revs.  You can
avoid doing this by only setting outer reply attributes in post-auth.

Note that by running both your outer and inner tunnels through the same
users file, you are matching the outer username in the users file unless
you filter on "FreeRadius-Proxied-To == 127.0.0.1" or whatnot.  Even
Windows clients allow you to change the outer user ID (in fact it is
*encouraged* to use "anonymous" or such in the outer request), and that
outer username is not checked against a password, so you want to be
really careful here only to make decisions based on the inner tunnel
username.  When you use  copy_request_to_tunnel, it will use the
PEAP username, and will not overwrite the User-Name attribute with
the one from the outer request.

Another way attributes can disappear is if you are filtering them with one of
the attrs.* files, so if it still does not work after trying that, make sure the
Airespace-Wlan-Id is allowed in those files.
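The two pieces of configuration the reply above describes, written out as an added example (this is not configuration from the original post or from the FreeRADIUS project): the eap module's peap section with copy_request_to_tunnel enabled and use_tunneled_reply left off, and a users file entry that only matches on the inner-tunnel identity. The file paths in the comments follow the FreeRADIUS 3.x layout; the username test1 and the Airespace-Wlan-Id value, password and VLAN number are constructed placeholders.

```conf
# mods-enabled/eap  (eap.conf on 2.x) -- only the peap subsection is shown.
eap {
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"

        # Copy the outer request's attributes (including the NAS's
        # Airespace-Wlan-Id) into the fake inner request, so the
        # "users" lookup in the inner-tunnel server can see them.
        # User-Name is still taken from the PEAP identity, not the outer one.
        copy_request_to_tunnel = yes

        # Off by default: inner reply attributes stay inside the TLS tunnel.
        # Only set to "yes" if the NAS must receive them in the outer
        # Access-Accept; prefer setting outer reply attributes in post-auth.
        use_tunneled_reply = no
    }
}

# mods-config/files/authorize  ("users" on 2.x)
#
# FreeRADIUS-Proxied-To == 127.0.0.1 is only present on the inner-tunnel
# request, so this entry can never match the unauthenticated outer
# identity (e.g. "anonymous") even though both servers share this file.
# Airespace-Wlan-Id is visible here only because copy_request_to_tunnel = yes.
test1   Cleartext-Password := "constructed-example-password", FreeRADIUS-Proxied-To == 127.0.0.1, Airespace-Wlan-Id == 2
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Anything matched on the outer request should be limited to things that
# are safe to decide before any password has been checked.
DEFAULT FreeRADIUS-Proxied-To !* ANY, Auth-Type := EAP
        Fall-Through = Yes
```

With `radiusd -X`, a working setup shows the `[files]` module matching `test1` inside the inner-tunnel server (where Airespace-Wlan-Id now appears in the request) and not in the outer server; if the attribute is still missing in the inner request, check the attr_filter configuration the reply mentions before looking elsewhere.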

