PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity

Gong Cheng chengg11 at yahoo.com
Wed Feb 20 01:42:39 CET 2008


I found myself not knowing how to reply directly from the post, but here is a thank you to Ivan and Phil: that works for me!
Thanks.

-gong


----- Original Message ----
From: Gong Cheng <chengg11 at yahoo.com>
To: freeradius-users at lists.freeradius.org
Sent: Tuesday, February 19, 2008 3:14:13 PM
Subject: PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity

Hi folks,
    I am working on an issue like this:

In my users file, I have

user1
    attribute1=val1

user2
    attribute2=val2

DEFAULT
    attribute1=def_val1
    attribute2=def_val2

My intention is that
- for individual users, like user1 and user2, I will get individual attributes I specified in their dedicated entries,
- and for everybody else, I will get a default set of attributes.

That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason is, in the first phase, the outer Identity, say "anonymous", is used and it hits the DEFAULT entry and acquires the default set of attributes, and then it proceeds to phase 2 and acquires the individual attributes. In the end, FreeRADIUS will combine the two together.

So, for example, user1 will get 

attribute1=def_val1
attribute2=def_val2
attribute1=val1

Is there any way so that the individual users won't acquire any attributes from DEFAULT when using methods like PEAP/EAP-TTLS?

A naive solution is to put a check of 
DEFAULT User-Name != "anonymous"
....

but it is not a reliable way since there is no guarantee that the outer id is "anonymous".

I wonder if there is another way to check this in DEFAULT or if there is any other different trick to do this?

thanks!

-gong
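To make the two-phase behaviour described in the post concrete, here is an added example (not FreeRADIUS code and not from the original thread): a small Python model of the `users` file lookup that runs the outer identity and the inner identity through the same entries and concatenates the two reply lists, the way the post describes. It parses only the subset of the users-file syntax used above (an entry name, optional check items on the same line, indented reply items); `Fall-Through`, other operators and attribute typing are not modelled, and the attribute names and values are the placeholders from the post. It also runs the naive `DEFAULT User-Name != "anonymous"` guard against a second outer identity to show why that guard is unreliable.

```python
import re
from typing import Dict, List, Tuple

CheckItem = Tuple[str, str, str]              # (attribute, operator, value)
ReplyItem = Tuple[str, str]                   # (attribute, value)
Entry = Tuple[str, List[CheckItem], List[ReplyItem]]

# Constructed users file mirroring the post (placeholder attribute names).
USERS_FILE = """\
user1
    attribute1 = val1

user2
    attribute2 = val2

DEFAULT
    attribute1 = def_val1
    attribute2 = def_val2
"""

# The naive variant from the post: DEFAULT guarded by an outer-identity check.
USERS_FILE_NAIVE = """\
user1
    attribute1 = val1

user2
    attribute2 = val2

DEFAULT User-Name != "anonymous"
    attribute1 = def_val1
    attribute2 = def_val2
"""

# One "Attribute op value" item, optionally quoted, optionally comma-terminated.
_ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|!=|=)\s*"?([^",]*?)"?\s*(?:,|$)')


def parse_users(text: str) -> List[Entry]:
    """Parse the users-file subset used here into an ordered list of entries."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Indented line: reply item(s) belonging to the most recent entry.
            if not entries:
                raise ValueError("reply item before any entry")
            for attr, _op, val in _ITEM_RE.findall(raw):
                entries[-1][2].append((attr, val))
        else:
            # Unindented line: entry name followed by optional check items.
            name, _, rest = raw.partition(" ")
            checks = [(a, op, v) for a, op, v in _ITEM_RE.findall(rest)]
            entries.append((name, checks, []))
    return entries


def check_passes(check: CheckItem, request: Dict[str, str]) -> bool:
    """Evaluate one check item against the request attributes."""
    attr, op, want = check
    have = request.get(attr)
    if op == "!=":
        return have != want
    return have == want            # '==' and plain '=' both treated as equality


def lookup(entries: List[Entry], request: Dict[str, str]) -> List[ReplyItem]:
    """Return the reply items of the first matching entry (no Fall-Through).

    An entry matches when its name equals User-Name or is DEFAULT, and every
    check item on its first line passes."""
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if all(check_passes(c, request) for c in checks):
            return list(replies)
    return []


def tunnelled_reply(users_text: str, outer_identity: str,
                    inner_identity: str) -> List[ReplyItem]:
    """Model the PEAP/EAP-TTLS flow from the post: the cleartext outer identity
    is looked up first, then the inner identity, and the two reply lists are
    concatenated into the final Access-Accept."""
    entries = parse_users(users_text)
    outer = lookup(entries, {"User-Name": outer_identity})
    inner = lookup(entries, {"User-Name": inner_identity})
    return outer + inner


if __name__ == "__main__":
    # Exactly the duplicated attribute1 the post complains about.
    print(tunnelled_reply(USERS_FILE, "anonymous", "user1"))
    # The guard works for this outer identity...
    print(tunnelled_reply(USERS_FILE_NAIVE, "anonymous", "user1"))
    # ...but any other outer identity hits DEFAULT again.
    print(tunnelled_reply(USERS_FILE_NAIVE, "guest", "user1"))
```

The third call is the point of the post's objection: the guard only keys on the literal string "anonymous", so a supplicant sending any other outer identity gets the DEFAULT reply items merged in again, which is why a check that identifies the phase rather than the identity string is what is needed.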


