InnerAttributes not escaped when transmitted to outer
Stun Box
stunbox at gmail.com
Tue Jun 2 11:23:54 CEST 2009
I set copy_tunnel_reply to yes and I use the inner-tunnel user-name
in my default / post-auth.
And I still have the real user-name hidden.
In default / post-auth:
update reply {
    User-Name := "%{request:User-Name}"
    Tunnel-Medium-Type = 6
    Tunnel-Type = 13
    Tunnel-Private-Group-Id = `/usr/local/etc/raddb/getVlan %{reply:User-Name}`
}
It will now work nicely with your fix. Thanks
2009/6/2 Alan DeKok <aland at deployingradius.com>:
> A.L.M.Buxey at lboro.ac.uk wrote:
>> does this fix mean that TTLS and PEAP get the inner identity copied
>> correctly so there is no more need for
>>
>> update outer.reply {
>> User-Name = "%{User-Name}"
>> }
>
> That's still needed. The question is what do you want the server to
> do. Always over-ride the outer name with the inner one? If so, why is
> the outer one "anonymous", and the inner one "user at realm"?
>
> i.e. "anonymous" is being used to hide the inner name... which
> promptly gets exposed with that rule. Is this a good idea?
>
> What else could be done to be secure, but also useful?
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
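
The post-auth rule in this message hands the User-Name to an external program, so that program should treat the value as untrusted input. The sketch below is an added example, not part of the original post: the real getVlan script is not shown in the thread, and the user-to-VLAN map, the 64-character limit and the fallback VLAN 999 are all assumptions.

```shell
#!/bin/sh
# Hypothetical stand-in for /usr/local/etc/raddb/getVlan (the real script is
# not shown in the thread). It prints a VLAN id for the user name it is given.
LC_ALL=C
export LC_ALL

# Constructed sample map, one "user vlan" pair per line.
VLAN_MAP='alice@example.org 110
bob@example.org 120'

# Assumed fallback VLAN for unknown or rejected names.
DEFAULT_VLAN=999

get_vlan() {
    user=$1

    # Allowlist check: empty names and any character outside a conservative
    # identity alphabet (spaces, quotes, shell metacharacters, backslashes)
    # fall back to the default VLAN without being looked up.
    case $user in
        '' | *[!A-Za-z0-9._@-]*)
            printf '%s\n' "$DEFAULT_VLAN"
            return 0
            ;;
    esac

    # Assumed length cap on the identity.
    if [ "${#user}" -gt 64 ]; then
        printf '%s\n' "$DEFAULT_VLAN"
        return 0
    fi

    # Exact string match on the first field: the name is passed to awk as
    # data and is never evaluated by the shell or used as a regex.
    vlan=$(printf '%s\n' "$VLAN_MAP" |
        awk -v u="$user" '$1 == u { print $2; exit }')

    printf '%s\n' "${vlan:-$DEFAULT_VLAN}"
}

# When called with an argument, as the backtick expansion would call it,
# print the VLAN id on stdout.
if [ "$#" -gt 0 ]; then
    get_vlan "$1"
fi
```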