Tom Yard <tomyyard@gmail.com> wrote:
2) I can't understand this comment from you: "but why are you running ldap in the outer phase?" Can you explain to me in more detail please ???
The inner tunnel server happens inside the TLS crypto tunnel. You should do LDAP there. User-Name in the outer (default) server is untrustworthy data which should only be used for routing requests around relays. For example, people can lie about their usernames, putting one username in the outer envelope and a different username inside the TLS tunnel. Only trust the one that you get in inner-tunnel. To be more exact, you can trust most fields in the outer server ("default")... anything that your NAS adds to the RADIUS packet can be trusted, assuming your backbone is secure of course. But the NAS just passes User-Name along untouched. If you are just using LDAP to accept/reject then this is easy. If you are using it to choose VLANs, then you have to leak the VLAN choice out of the inner tunnel server to the outer server, so it can tell the NAS in cleartext.