Hi, Brian Julin wrote:
freerad wrote:
This, however, doesn't seem to work as freeradius seems to drop the Airespace-Wlan-Id attribute while processing the request. As can be seen in the debug trace (debug_fail.txt), the user is being matched at first ([files] users: Matched entry test1 at line 173) but isn't found later on.
Copy your outer attributes into the inner tunnel. Unless you do that all you get is a few attributes mapped from the PEAP session into a fake RADIUS request. If you uncomment "copy_request_to_tunnel = yes" in the eap-peap submodule config section, FreeRADIUS will also add the attributes from the outer request to this fake request. If you need to also send attributes back from
That did it. I was mistaken as to what copy_request_to_tunnel did, thinking it was only relevant when using the inner-tunnel virtual server.
Note that by running both your outer and inner tunnels through the same users file, you are matching the outer username in the users file unless you filter on "FreeRadius-Proxied-To == 127.0.0.1" or whatnot. Even Windows clients allow you to change the outer user ID (in fact it is *encouraged* to use "anonymous" or such in the outer request), and that outer username is not checked against a password, so you want to be really careful here only to make decisions based on the inner tunnel username. When you use copy_request_to_tunnel, it will use the PEAP username, and will not overwrite the User-Name attribute with the one from the outer request.
So what you're saying is, an attacker could use an outer ID to have freeradius supply different/additional attributes in its reply? As I'm using reply attributes to place users into VLANs I can see where this could lead to security issues. I guess I should look into the inner-tunnel virtual server again and disable the users module on the default server. regards, Bodo -- Bodo Bellut bodo@bellut.net | USE PGP! +-----------+ Stangefolstr. 17 Fax/Mobile: just ask | (key via server |\ O---m /| 44141 Dortmund Fon: +49-700-77-BELLUT | or on request) |/---------\| PGP: 768/FA18A639 AE 5A 47 40 5A A0 D6 15 8E 54 44 AA 8D DD 6E BD+-----------+