inner/outer authentication problem in 2.0.2
Hello all, Iam using freeradius 2.0.2 version with TTLS/MSCHAPv2 I have two users in configuration tmpuser -> tmpgroup emp1 -> employee Iam using "tmpuser" in outer authentication and "emp1" in inner authentication. I have eap.conf file configured with ttls { copy_request_to_tunnel = yes use_tunneled_reply = yes } But when I login successfully freeradius is always applying policy from "tmpgroup" which belongs to the user used in outer authentication. But it is supposed to apply policy from employee group as I have used "employee" in inner authentication. Could anybody let me know if this is a bug with freeradius or my configuration is wrong. Thanks in advance Regards gnreddy
Why do you apply any policies to the outer identity? Ivan Kalik Kalik Informatika ISP Dana 11/6/2008, "Gopinath Reddy N" <gnreddy@gmail.com> piše:
Hello all,
Iam using freeradius 2.0.2 version with TTLS/MSCHAPv2
I have two users in configuration
tmpuser -> tmpgroup emp1 -> employee
Iam using "tmpuser" in outer authentication and "emp1" in inner authentication. I have eap.conf file configured with
ttls { copy_request_to_tunnel = yes use_tunneled_reply = yes } But when I login successfully freeradius is always applying policy from "tmpgroup" which belongs to the user used in outer authentication. But it is supposed to apply policy from employee group as I have used "employee" in inner authentication.
Could anybody let me know if this is a bug with freeradius or my configuration is wrong.
Thanks in advance
Regards gnreddy
Hi, Iam planning to send some Vendor Specific attributes to the user based on inner authentication. But by way of hack if user knows some other valid user name in the system he can use that as outer identity and get the policy setting of that user. So to avoid that Iam just thinking is there a way I can come out of this situation in freeradius Regards gnreddy 2008/6/11 Ivan Kalik <tnt@kalik.net>:
Why do you apply any policies to the outer identity?
Ivan Kalik Kalik Informatika ISP
Dana 11/6/2008, "Gopinath Reddy N" <gnreddy@gmail.com> piše:
Hello all,
Iam using freeradius 2.0.2 version with TTLS/MSCHAPv2
I have two users in configuration
tmpuser -> tmpgroup emp1 -> employee
Iam using "tmpuser" in outer authentication and "emp1" in inner authentication. I have eap.conf file configured with
ttls { copy_request_to_tunnel = yes use_tunneled_reply = yes } But when I login successfully freeradius is always applying policy from "tmpgroup" which belongs to the user used in outer authentication. But it is supposed to apply policy from employee group as I have used "employee" in inner authentication.
Could anybody let me know if this is a bug with freeradius or my configuration is wrong.
Thanks in advance
Regards gnreddy
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Gopinath Reddy N wrote:
But by way of hack if user knows some other valid user name in the system he can use that as outer identity and get the policy setting of that user. So to avoid that Iam just thinking is there a way I can come out of this situation in freeradius
Yes. That's why the inner and outer sessions are in different virtual servers. Put the policy into the virtual server for the inner tunnel, and not for the outer session. Alan DeKok.
Thanks Alan. This works. On Thu, Jun 12, 2008 at 11:02 AM, Alan DeKok <aland@deployingradius.com> wrote:
Gopinath Reddy N wrote:
But by way of hack if user knows some other valid user name in the system he can use that as outer identity and get the policy setting of that user. So to avoid that Iam just thinking is there a way I can come out of this situation in freeradius
Yes. That's why the inner and outer sessions are in different virtual servers. Put the policy into the virtual server for the inner tunnel, and not for the outer session.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Gopinath Reddy N -
Ivan Kalik