EAP-TLS User-Name not matching
Alan DeKok
aland at deployingradius.com
Mon Jan 18 07:53:58 CET 2010
Huckle Berry wrote:
> This was beginning to occur to me. Initially I ignored proxy.conf
> because I figured I would never need to proxy anything, but I now see FR
> proxies to itself...
It treats the inner tunnel session as a (largely) independent RADIUS
request. This makes server design && configuration easier. It also
means that FreeRADIUS has capabilities that other RADIUS servers don't have.
> OK, I just tested this and it resulted in me DoSing myself as the request
> bounced back and forth between 127.0.0.1 and 192.168.1.3. This happened
> both with my eap.conf and the default eap.conf. Something about there
> being 200+ Proxy-State attributes.
So... don't do that. That proxy loop is *not* in the default
configuration. It only happens when you try to force proxying for a
realm to loop back to the server.
Why would this *ever* be a good idea?
> 2) in users file you include the details for the user 'user' eg
>
> user Cleartext-Password := "password"
>
>
> I'm using Certificate based authentication, with myself as the CA, so no
> password should be needed, correct? Or is the Password used to sign the
> cert needed here?
No. You don't need a password.
Alan DeKok.