InnerAttributes not escaped when transmitted to outer

Stun Box stunbox at gmail.com
Tue Jun 2 11:23:54 CEST 2009


I set copy_tunnel_reply to yes and I use the inner-tunnel user-name
in my default / post-auth.

And I still have the real user-name hidden.

In default / post-auth:

        update reply {
                User-Name := "%{request:User-Name}"
                Tunnel-Medium-Type = 6
                Tunnel-Type = 13
                Tunnel-Private-Group-Id = `/usr/local/etc/raddb/getVlan %{reply:User-Name}`
        }


It will now work nicely with your fix. Thanks




2009/6/2 Alan DeKok <aland at deployingradius.com>:
> A.L.M.Buxey at lboro.ac.uk wrote:
>> does this fix mean that TTLS and PEAP get the inner identity copied
>> correctly so there is no more need for
>>
>>         update outer.reply {
>>                 User-Name = "%{User-Name}"
>>         }
>
>  That's still needed.  The question is what do you want the server to
> do.  Always over-ride the outer name with the inner one?  If so, why is
> the outer one "anonymous", and the inner one "user at realm"?
>
>  i.e. "anonymous" is being used to hide the inner name... which
> promptly gets exposed with that rule.  Is this a good idea?
>
>  What else could be done to be secure, but also useful?
>
>  Alan DeKok.



