PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity

Ivan Kalik tnt at kalik.net
Wed Feb 20 00:57:33 CET 2008


Add FreeRADIUS-Proxied-To == 127.0.0.1 as a check item.

Ivan Kalik
Kalik informatika ISP


Dana 19/2/2008, "Gong Cheng" <chengg11 at yahoo.com> piše:

>Hi folks,
>     I am working on an issue like this:
>
>In my users file, I have
>
>user1
>     attribute1=val1
>
>user2
>     attribute2=val2
>
>DEFAULT
>     attribute1=def_val1
>     attribute2=def_val2
>
>
>
>My intention is that
>- for individual users, like user1 and user2, I will get individual attributes I specified in their dedicated entries,
>- and for everybody else, I will get a default set of attributes.
>
>That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason is, in the first phase, the outer Identity, say "anonymous", is used and it hits the DEFAULT entry and acquires the default set of attributes, and then it proceeds to phase 2 and acquires the individual attributes. In the end, freeradius will combine the two together.
>
>So, for example, user1 will get
>
>attribute1=def_val1
>attribute2=def_val2
>attribute1=val1
>
>Is there any way so that for the individual users won't acquire any attributes from DEFAULT when using methods like PEAP/EAP-TTLS?
>
>A naive solution is to put a check of
>DEFAULT User-Name != "anonymous"
>.....
>
>but it is not a reliable way since there is no guarantee that the outer id is "anonymous".
>
>I wonder if there is another way to check this in DEFAULT or if there is any other different trick to do this?
>
>thanks!
>
>-gong
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>




More information about the Freeradius-Users mailing list