On May 1, 2018, at 5:37 AM, work vlpl <thework.vlpl@gmail.com> wrote:
I have virtual site, that works with both EAP and not EAP request.
One simple way to deal with the different requests is different virtual servers. That's what they are for, after all.
In general case the main field, that used to query database or other storage is Username. EAP request usually has two identity anonymous and real. If user put in anonymous identity real username, that exists in database or users file. It can lead (in my case) to unexpected behavior. For example redirect request to home server.
It's behaviour you have to deal with and address. Users will do "inventive" things.
To handle this situation I added in "outer" virtual site the if clause like this
That will work. Or, run different virtual servers. :)
Is it safe to assume what all EAP request will have internal/real identity?
No. EAP-MD5 doesn't have an inner identity for example. EAP-TLS can be used without inner identities. PEAP and TTLS will always have inner identities.
Is there exists other better way to detect, (EAP request) what this Username is anonymous identity?
The answer depends on what you want to do... - forbid proxying of PEAP and TTLS? authorize { ... eap if ((control:Proxy-To-Realm && ((EAP-Type == PEAP) || (EAP-Type == TTLS)) { reject } ... } - require "anonymous" as outer User-Name: authorize { ... eap if ((User-Name != "anonymous") && ((EAP-Type == PEAP) || (EAP-Type == TTLS)) { reject } ... } But the simplest thing is to use multiple virtual servers. Then, don't put proxying into the one that does EAP. See raddb/sites-available/README for lots of examples. Alan DeKok.