PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity
Hi folks, I am working on an issue like this: In my users file, I have user1 attribute1=val1 user2 attribute2=val2 DEFAULT attribute1=def_val1 attribute2=def_val2 My intention is that - for individual users, like user1 and user2, I will get individual attributes I specified in their dedicated entries, - and for everybody else, I will get a default set of attributes. That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason is, in the first phase, the outer Identity, say "anonymous", is used and it hits the DEFAULT entry and acquires the default set of attributes, and then it proceeds to phase 2 and acquires the individual attributes. In the end, freeradius will combine the two together. So, for example, user1 will get attribute1=def_val1 attribute2=def_val2 attribute1=val1 Is there any way so that for the individual users won't acquire any attributes from DEFAULT when using methods like PEAP/EAP-TTLS? A naive solution is to put a check of DEFAULT User-Name != "anonymous" .... but it is not a reliable way since there is no guarantee that the outer id is "anonymous". I wonder if there is another way to check this in DEFAULT or if there is any other different trick to do this? thanks! -gong
Gong Cheng wrote:
Hi folks, I am working on an issue like this:
In my users file, I have
user1 attribute1=val1
user2 attribute2=val2
DEFAULT attribute1=def_val1 attribute2=def_val2
My intention is that - for individual users, like user1 and user2, I will get individual attributes I specified in their dedicated entries, - and for everybody else, I will get a default set of attributes.
That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason is, in the first phase, the outer Identity, say "anonymous", is used and it hits the DEFAULT entry and acquires the default set of attributes, and then it proceeds to phase 2 and acquires the individual attributes. In the end, freeradius will combine the two together.
So, for example, user1 will get
attribute1=def_val1 attribute2=def_val2 attribute1=val1
Is there any way so that for the individual users won't acquire any attributes from DEFAULT when using methods like PEAP/EAP-TTLS?
A naive solution is to put a check of DEFAULT User-Name != "anonymous"
Normally one would do this: modules { files { ... } # define a 2nd copy of the module files files_inner { ... } } authorize { preprocess eap files Autz-Type INNER { files_inner } } Then in "users": DEFAULT Freeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER Then in "users_inner" (or whatever you call it) put your actual user info. This is also helpful if you're doing LDAP or SQL lookups (or any other expensive operation) In FreeRadius 2 you can accomplish the same thing by sending the inner request to a different virtual server and putting the files module there; see raddb/sites-available/inner-tunnel and the "virtual_server" option in raddb/eap ttls/peap sections. This will
....
but it is not a reliable way since there is no guarantee that the outer id is "anonymous".
I wonder if there is another way to check this in DEFAULT or if there is any other different trick to do this?
thanks!
-gong - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Add FreeRADIUS-Proxied-To == 127.0.0.1 as a check item. Ivan Kalik Kalik informatika ISP Dana 19/2/2008, "Gong Cheng" <chengg11@yahoo.com> piše:
Hi folks, I am working on an issue like this:
In my users file, I have
user1 attribute1=val1
user2 attribute2=val2
DEFAULT attribute1=def_val1 attribute2=def_val2
My intention is that - for individual users, like user1 and user2, I will get individual attributes I specified in their dedicated entries, - and for everybody else, I will get a default set of attributes.
That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason is, in the first phase, the outer Identity, say "anonymous", is used and it hits the DEFAULT entry and acquires the default set of attributes, and then it proceeds to phase 2 and acquires the individual attributes. In the end, freeradius will combine the two together.
So, for example, user1 will get
attribute1=def_val1 attribute2=def_val2 attribute1=val1
Is there any way so that for the individual users won't acquire any attributes from DEFAULT when using methods like PEAP/EAP-TTLS?
A naive solution is to put a check of DEFAULT User-Name != "anonymous" .....
but it is not a reliable way since there is no guarantee that the outer id is "anonymous".
I wonder if there is another way to check this in DEFAULT or if there is any other different trick to do this?
thanks!
-gong - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Gong Cheng -
Ivan Kalik -
Phil Mayers