Filtering RADIUS request to only allow EAP-TTLS in a proxying-only server?
One thing I'd like to achive in the "EDUROAM"-responsible RADIUS "router" (server) is to make sure that *only* EAP-TTLS requests are forwarded to the RADIUS server doing the real user authentication. Anyone got something already configured that I could copy? Ie, I would like to make sure that it will reject requests that come in from the outside with user+password stuff sent in cleartext. (And also make sure itself won't send out such requests). - Peter
Hello Peter, Try to look at "attr_filter" section and configure it as you wishes: In your radiusd.conf:
attr_filter attr_filter.post-proxy { attrsfile = ${some path}/attrs.post-proxy }
This file may contains similar information:
DEFAULT User-Name =* ANY, Reply-Message =* ANY, State =* ANY, Class =* ANY, Message-Authenticator =* ANY, Calling-Station-ID =* ANY, Proxy-State =* ANY, EAP-Message =* ANY, MS-MPPE-Recv-Key =* ANY, MS-MPPE-Send-Key =* ANY, MS-CHAP-MPPE-Keys =* ANY
State and EAP-Message are needed for EAP. User-Name is for proxying to the right destination. If you do not put "User-Password" in this file, you will have this argument removed. Some institition will do PEAP instead of EAP-TTLS. It's most likely a bad idea to do processing on EAP-Message. Regards, Vincent Peter Eriksson <peter@ifm.liu.se> a écrit :
One thing I'd like to achive in the "EDUROAM"-responsible RADIUS "router" (server) is to make sure that *only* EAP-TTLS requests are forwarded to the RADIUS server doing the real user authentication.
Anyone got something already configured that I could copy?
Ie, I would like to make sure that it will reject requests that come in from the outside with user+password stuff sent in cleartext.
(And also make sure itself won't send out such requests).
Use unlang to check that freeradius.internal attribute EAP-Type has value EAP-TTLS. Ivan Kalik Kalik Informatika ISP Dana 24/9/2008, "Peter Eriksson" <peter@ifm.liu.se> piše:
One thing I'd like to achive in the "EDUROAM"-responsible RADIUS "router" (server) is to make sure that *only* EAP-TTLS requests are forwarded to the RADIUS server doing the real user authentication.
Anyone got something already configured that I could copy?
Ie, I would like to make sure that it will reject requests that come in from the outside with user+password stuff sent in cleartext.
(And also make sure itself won't send out such requests).
- Peter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Ie, I would like to make sure that it will reject requests that come in from the outside with user+password stuff sent in cleartext.
such requests will be missing many attributes. use unlang to check for the absence of those. alan
Hi,
One thing I'd like to achive in the "EDUROAM"-responsible RADIUS "router" (server) is to make sure that *only* EAP-TTLS requests are forwarded to the RADIUS server doing the real user authentication.
the inner, or the whole request? if only the inner, then please note that this will break new EAP RFCs
Ie, I would like to make sure that it will reject requests that come in from the outside with user+password stuff sent in cleartext.
(And also make sure itself won't send out such requests). ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
visitors to your site might be using any type of EAP - thats down to their home site...so you'll have to let all EAP out..once again, as previous answer, in plain user/auth, there are many fields missing... but what kit at your site would even be attempting a plain user/pass login? alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Peter Eriksson -
tnt@kalik.net -
Vincent Magnin