Filtering RADIUS request to only allow EAP-TTLS in a proxying-only server?

Vincent Magnin Vincent.Magnin at unil.ch
Wed Sep 24 16:01:45 CEST 2008


Hello Peter,

Try to look at the "attr_filter" section and configure it as you wish:

In your radiusd.conf:
> attr_filter attr_filter.post-proxy {
>       attrsfile = ${some path}/attrs.post-proxy
> }

This file may contain similar information:
> DEFAULT
>         User-Name =* ANY,
>         Reply-Message =* ANY,
>         State =* ANY,
>         Class =* ANY,
>         Message-Authenticator =* ANY,
>         Calling-Station-ID =* ANY,
>         Proxy-State =* ANY,
>         EAP-Message =* ANY,
>         MS-MPPE-Recv-Key =* ANY,
>         MS-MPPE-Send-Key =* ANY,
>         MS-CHAP-MPPE-Keys =* ANY

State and EAP-Message are needed for EAP.
User-Name is for proxying to the right destination.

If you do not put "User-Password" in this file, you will have this argument removed.

Some institutions will do PEAP instead of EAP-TTLS. It's most likely a bad idea to do processing on EAP-Message.

Regards,

Vincent

Peter Eriksson <peter at ifm.liu.se> wrote:

> One thing I'd like to achieve in the "EDUROAM"-responsible RADIUS
> "router" (server) is to make sure that *only* EAP-TTLS requests are
> forwarded to the RADIUS server doing the real user authentication.
>
> Anyone got something already configured that I could copy?
>
> Ie, I would like to make sure that it will reject requests that
> come in from the outside with user+password stuff sent in cleartext.
>
> (And also make sure itself won't send out such requests).
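As an added illustration (not from this thread and not FreeRADIUS code), the Python below emulates what the `=* ANY` lines of the attrs file above do to a packet's attribute list, and decodes the EAP type from an EAP-Message value, which shows why an EAP-Response/Identity alone does not yet tell you whether the method will be EAP-TTLS (type 21) or PEAP (type 25). The attribute list and EAP packets are constructed sample data, and the filter only handles the `=* ANY` operator, not the other attr_filter operators.

```python
import re

# The attrs.post-proxy file from the post, embedded as a constructed string.
ATTRS_FILE = """\
DEFAULT
        User-Name =* ANY,
        Reply-Message =* ANY,
        State =* ANY,
        Class =* ANY,
        Message-Authenticator =* ANY,
        Calling-Station-ID =* ANY,
        Proxy-State =* ANY,
        EAP-Message =* ANY,
        MS-MPPE-Recv-Key =* ANY,
        MS-MPPE-Send-Key =* ANY,
        MS-CHAP-MPPE-Keys =* ANY
"""

def parse_attrs_file(text):
    """Return the attribute names listed as '=* ANY' (other operators ignored)."""
    allowed = set()
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*=\*\s*ANY\s*,?\s*$", line)
        if m:
            allowed.add(m.group(1))
    return allowed

def attr_filter(attrs, allowed):
    """Drop every (name, value) pair whose name is not on the allow-list."""
    return [(n, v) for n, v in attrs if n in allowed]

EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def eap_type(eap_message):
    """Read the Type byte after the 4-byte Code/Id/Length EAP header (RFC 3748).
    Success (3) and Failure (4) packets carry no Type, so return None for them."""
    code = eap_message[0]
    if code in (3, 4) or len(eap_message) < 5:
        return None
    return EAP_TYPES.get(eap_message[4], "type %d" % eap_message[4])

# Constructed samples: a cleartext-password request and two EAP payloads.
ACCESS_REQUEST = [("User-Name", "peter@example.org"), ("User-Password", "not-secret"),
                  ("State", b"\x01\x02"), ("Message-Authenticator", b"\x00" * 16)]
IDENTITY_PKT = b"\x02\x01\x00\x0d\x01" + b"user@uni"        # EAP-Response/Identity
TTLS_PKT = b"\x02\x02\x00\x06\x15\x00"                      # EAP-Response, type 21
```

Running `attr_filter(ACCESS_REQUEST, parse_attrs_file(ATTRS_FILE))` keeps User-Name, State and Message-Authenticator and drops User-Password, which is the removal described above.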
