Filtering RADIUS request to only allow EAP-TTLS in a proxying-only server?
Vincent Magnin
Vincent.Magnin at unil.ch
Wed Sep 24 16:01:45 CEST 2008
Hello Peter,
Try to look at the "attr_filter" section and configure it as you wish:
In your radiusd.conf:
> attr_filter attr_filter.post-proxy {
> attrsfile = ${some path}/attrs.post-proxy
> }
This file may contain information similar to this:
> DEFAULT
> User-Name =* ANY,
> Reply-Message =* ANY,
> State =* ANY,
> Class =* ANY,
> Message-Authenticator =* ANY,
> Calling-Station-ID =* ANY,
> Proxy-State =* ANY,
> EAP-Message =* ANY,
> MS-MPPE-Recv-Key =* ANY,
> MS-MPPE-Send-Key =* ANY,
> MS-CHAP-MPPE-Keys =* ANY
State and EAP-Message are needed for EAP.
User-Name is for proxying to the right destination.
If you do not put "User-Password" in this file, you will have this
argument removed.
Some institutions will do PEAP instead of EAP-TTLS. It's most likely a
bad idea to do processing on EAP-Message.
Regards,
Vincent
Peter Eriksson <peter at ifm.liu.se> wrote:
> One thing I'd like to achieve in the "EDUROAM"-responsible RADIUS
> "router" (server) is to make sure that *only* EAP-TTLS requests are
> forwarded to the RADIUS server doing the real user authentication.
>
> Anyone got something already configured that I could copy?
>
> I.e., I would like to make sure that it will reject requests that
> come in from the outside with user+password stuff sent in cleartext.
>
> (And also make sure itself won't send out such requests).
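As an added illustration (not from the post and not FreeRADIUS's own code), a small Python model of how an attrs file like the one quoted above is applied: attributes absent from the file are dropped, "=* ANY" keeps an attribute whatever its value, and "==" keeps it only when the value matches. The attrs file subset and the packet are constructed; parse_attrs, apply_filter and filtered_sample are names chosen here.

```python
# Simplified model of attr_filter rule semantics (not the FreeRADIUS module).
# Modelled operators: "=*" keeps the attribute regardless of value, "==" keeps it
# only if the value matches; anything not listed is stripped (the User-Password case).
from typing import Dict, List, Tuple

# Constructed attrs file: a subset of the entries quoted in the post.
ATTRS_POST_PROXY = """\
DEFAULT
\tUser-Name =* ANY,
\tState =* ANY,
\tProxy-State =* ANY,
\tMessage-Authenticator =* ANY,
\tEAP-Message =* ANY,
\tMS-MPPE-Recv-Key =* ANY
"""

def parse_attrs(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse the DEFAULT entry into {attribute: (operator, value)}."""
    rules: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line or line == "DEFAULT":
            continue
        name, op, value = line.split(None, 2)
        rules[name] = (op, value)
    return rules

def apply_filter(rules: Dict[str, Tuple[str, str]], packet: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the attribute/value pairs the rules allow through, in packet order."""
    kept = []
    for name, value in packet:
        if name not in rules:
            continue  # not listed in the attrs file: stripped
        op, want = rules[name]
        if op == "=*" or (op == "==" and value == want):
            kept.append((name, value))
    return kept

# Constructed packet: an EAP exchange with a cleartext password tacked on.
SAMPLE_PACKET = [
    ("User-Name", "anonymous@example.org"),
    ("User-Password", "placeholder-password"),  # absent from the file: dropped
    ("EAP-Message", "0x02"),
    ("State", "0xab"),
    ("Proxy-State", "0x01"),
]

def filtered_sample() -> List[Tuple[str, str]]:
    return apply_filter(parse_attrs(ATTRS_POST_PROXY), SAMPLE_PACKET)
```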