How to determine the type of request? (EAP or not EAP)
I have virtual site, that works with both EAP and not EAP request. In general case the main field, that used to query database or other storage is Username. EAP request usually has two identity anonymous and real. If user put in anonymous identity real username, that exists in database or users file. It can lead (in my case) to unexpected behavior. For example redirect request to home server. To handle this situation I added in "outer" virtual site the if clause like this authorize { chap mschap if (!&EAP-Message) { ... code that will be executed only for not EAP requests ... } eap pap } Is it safe to assume what all EAP request will have internal/real identity? Is there exists other better way to detect, (EAP request) what this Username is anonymous identity?
On 1 May 2018, at 10:37, work vlpl <thework.vlpl@gmail.com> wrote:
Is there exists other better way to detect, (EAP request) what this Username is anonymous identity?
Sure, that should work. You could also do the work in the inner-tunnel virtual server - if it gets that far it's guaranteed to be EAP. You can pass stuff back to the outer from the inner by using something like: update outer.reply { &Attribute = "foobar" } Have a look at the update section of https://freeradius.org/radiusd/man/unlang.html Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On May 1, 2018, at 5:37 AM, work vlpl <thework.vlpl@gmail.com> wrote:
I have virtual site, that works with both EAP and not EAP request.
One simple way to deal with the different requests is different virtual servers. That's what they are for, after all.
In general case the main field, that used to query database or other storage is Username. EAP request usually has two identity anonymous and real. If user put in anonymous identity real username, that exists in database or users file. It can lead (in my case) to unexpected behavior. For example redirect request to home server.
It's behaviour you have to deal with and address. Users will do "inventive" things.
To handle this situation I added in "outer" virtual site the if clause like this
That will work. Or, run different virtual servers. :)
Is it safe to assume what all EAP request will have internal/real identity?
No. EAP-MD5 doesn't have an inner identity for example. EAP-TLS can be used without inner identities. PEAP and TTLS will always have inner identities.
Is there exists other better way to detect, (EAP request) what this Username is anonymous identity?
The answer depends on what you want to do... - forbid proxying of PEAP and TTLS? authorize { ... eap if ((control:Proxy-To-Realm && ((EAP-Type == PEAP) || (EAP-Type == TTLS)) { reject } ... } - require "anonymous" as outer User-Name: authorize { ... eap if ((User-Name != "anonymous") && ((EAP-Type == PEAP) || (EAP-Type == TTLS)) { reject } ... } But the simplest thing is to use multiple virtual servers. Then, don't put proxying into the one that does EAP. See raddb/sites-available/README for lots of examples. Alan DeKok.
participants (3)
-
Adam Bishop -
Alan DeKok -
work vlpl