Hi, I’m configuring TTLS+PAP and I have some doubts about how to hide users' identities. In the inner-tunnel file, I uncommented filter_inner_identity. I added the following to the /policy.d/filter file so that if the outer and inner usernames are the same, it rejects the request: if (&outer.request:User-Name == &User-Name) { update request { Module-Failure-Message = "Outer User-Name cannot be the same as inner User-Name" } reject } The configuration in the filter file rejects the request if the user doesn’t use the word “anon”, but if I use anonrprieto as the outer identity and rprieto as the inner identity, obviously it doesn’t reject it and the inner identity gets exposed. Is there any way to protect against this, or is it unnecessary? Alan, don’t scold me :) Thanks.
On Jun 11, 2025, at 3:46 PM, Rodrigo Prieto <rodrigoprieto2019@gmail.com> wrote:
Hi, I’m configuring TTLS+PAP and I have some doubts about how to hide users' identities.
Use "anonymous" for the outer identity, or if you're proving somewhere a domain name as @example.com
The configuration in the filter file rejects the request if the user doesn’t use the word “anon”, but if I use anonrprieto as the outer identity and rprieto as the inner identity, obviously it doesn’t reject it and the inner identity gets exposed.
So change the rule to check for "anomymous". The rules are text, and are editable.
Is there any way to protect against this, or is it unnecessary?
You decide if it's necessary. In general, this kind of filtering is most important when the packets are being proxied outside of your local network. If you're not proxying, it doesn't matter. Alan DeKok.
Thanks, Alan, for your help. El mié, 11 jun 2025 a las 17:11, Alan DeKok via Freeradius-Users (< freeradius-users@lists.freeradius.org>) escribió:
On Jun 11, 2025, at 3:46 PM, Rodrigo Prieto <rodrigoprieto2019@gmail.com> wrote:
Hi, I’m configuring TTLS+PAP and I have some doubts about how to hide users' identities.
Use "anonymous" for the outer identity, or if you're proving somewhere a domain name as @example.com
The configuration in the filter file rejects the request if the user doesn’t use the word “anon”, but if I use anonrprieto as the outer identity and rprieto as the inner identity, obviously it doesn’t reject it and the inner identity gets exposed.
So change the rule to check for "anomymous". The rules are text, and are editable.
Is there any way to protect against this, or is it unnecessary?
You decide if it's necessary.
In general, this kind of filtering is most important when the packets are being proxied outside of your local network. If you're not proxying, it doesn't matter.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Rodrigo Prieto