eap module returning 'updated' rather than 'ok'

Alan DeKok aland at deployingradius.com
Thu Oct 20 16:12:28 CEST 2016 

On Oct 20, 2016, at 9:33 AM, Brian Candler <b.candler at pobox.com> wrote:
> 
> I have an issue with inner versus outer identities. I can demonstrate this with the stock freeradius 3.0.12 config; just uncomment the "bob" and "steve" entries. I have also set "use_tunneled_reply = yes" in raddb/mods-available/eap (in both places)

  The inner and outer identities are largely unrelated.  I have an outline of an RFC which attempts to deal with this.

> Now I create a config for eapol_test (from wpa_supplicant package) like this:
> 
> ----
> 
> #
> #   eapol_test -c peap-mschapv2.conf -s testing123
> #
> network={
>        ssid="Cityfibre Admin"
>        key_mgmt=WPA-EAP
>        eap=PEAP
>        identity="bob"
>        anonymous_identity="steve"

  Those two identities don't have to be related in any way whatsoever.

> Note how I've chosen "steve" as the anonymous identity.

  "steve" isn't really an "anonymous" identity.  For a discussion of anonymous identities, see my RFC:

https://tools.ietf.org/html/rfc7542#section-2.4

>  What happens is that is in the second Access-Challenge response, steve's attributes are returned:

  Which is what you told it to do.

> It's clearly wrong to return steve's authorization attributes, since we've not authenticated at all (and certainly not as steve) - although since this only an Access-Challenge, hopefully the NAS will ignore them.  The EAP exchange does complete successfully.

  See the comments in the raddb/sites-available/default.  Look for "Access-Challenge".  The documentation describes the problem, and shows how to fix it.

> My other concern is that it does an unnecessary database lookup for "steve" - actually the live config which started this investigation is an LDAP one, which is how I noticed this.
> 
> Now, the default site has in its authorize section:
> 
>        eap {
>                ok = return
>        }
> 
> But at this step we're getting "updated". So it looks like it would be reasonable to change this to:
> 
>        eap {
>                ok = return
>                updated = return
>        }

  It depends.  Given the stable nature of 3.0, I'm inclined to leave it.

> ... and this does seem to work. But I wonder why it's done this way in the default config. Is this a mistake, or this there some subtle point I am missing?

  Other peoples systems may behave differently from yours.  So I'm inclined to leave the current configuration.

  We will be fixing all of this in v4.  Not by accident, but by design.

> Under what circumstances does rlm_eap return "updated" instead of "ok"? I want to be sure that there's no security impact by dropping out of the authorize section at this point, for example if someone uses a non-tunneled version of EAP like EAP-TLS or EAP-PWD.

  That's what tests are for.  The server comes with configuration files for eapol_test (see src/tests/eap*.conf).

  If it works for you, use it.

  Alan DeKok.

More information about the Freeradius-Users mailing list