InnerAttributes not escaped when transmitted to outer
Alan DeKok
aland at deployingradius.com
Tue Jun 2 11:01:53 CEST 2009
A.L.M.Buxey at lboro.ac.uk wrote:
> does this fix mean that TTLS and PEAP get the inner identity copied
> correctly so there is no more need for
>
> update outer.reply {
>     User-Name = "%{User-Name}"
> }

That's still needed. The question is what do you want the server to
do. Always over-ride the outer name with the inner one? If so, why is
the outer one "anonymous", and the inner one "user@realm"?

i.e. "anonymous" is being used to hide the inner name... which
promptly gets exposed with that rule. Is this a good idea?

What else could be done to be secure, but also useful?

Alan DeKok.