freerad@spambin.de wrote:
That did it. I was mistaken as to what copy_request_to_tunnel did, thinking it was only relevant when using the inner-tunnel virtual server.
copy_request_to_tunnel is about copying attributes to the inner tunnel part of the PEAP authentication method. It has nothing to do with the inner-tunnel virtual server.
So what you're saying is, an attacker could use an outer ID to have freeradius supply different/additional attributes in its reply?
If you've configured your policies that way.
As I'm using reply attributes to place users into VLANs I can see where this could lead to security issues. I guess I should look into the inner-tunnel virtual server again and disable the users module on the default server.
The default configuration includes the inner-tunnel virtual server for a reason. We STRONGLY suggest you use it. Alan DeKok.