Trying to wrap my head around FreeRadius config
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jul 20 10:53:27 CEST 2011
On 07/20/2011 03:28 AM, Moe, John wrote:
>> There are various others, but those are the main ones.
>
> So then, when matching an entry in "users", does it look at the request
> items, or the config items? When creating an entry, you specify first
> things to match against on one line separated by commas, and then reply
> items, each on its own line, separated by commas. Those things to match
> against, do they match the request items or the config items? I'm
> trying to understand the difference between request and config.
Well, I thought my example had covered this, but I guess not.
The 1st line can contain comparison and set operators e.g.
    DEFAULT Attr1 == Value1, Attr2 := Value2
            Attr3 = Value3
Comparisons are made against the "request" pairs. If everything on the
1st line matches ("set" operations are considered to always match i.e.
skipped) then:
* any non-comparison (i.e. set) operations from the 1st line are
copied into the config pair list
* 2nd and subsequent lines are copied to the reply pair list
So, the example above says:
* if
    * request:Attr1 == Value1, and
    * <noop, because := is a set operator>
* then
    * set config:Attr2 := Value2
    * set reply:Attr3 := Value3
>
> ... I think I'm going to need to re-read this a few times and play with
> it on my server to fully get this part. I thought TLS was only one
> mechanism within PEAP that it could use; another, for example, is
No, you've misunderstood how it works, I'm afraid.
The various EAP methods are complex; by all means put effort into
understanding them if it interests you, but take it from me: it might
not be as rewarding or useful as you'd hope.
> MSCHAPv2 (which is what I'm going to be using). Or does it use TLS on
> the PEAP portion to set up the outer tunnel, regardless of what's used
> inside?
PEAP *is* TLS. It's exactly the same protocol as EAP-TLS (i.e. a simple
layering of TLS over EAP) except for the following:
* EAP number is different
* Once the TLS session is set up, additional "inner" data is sent over
TLS, e.g. EAP-MSCHAPv2
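The matching rule above (first-line comparisons are tested against the request list, first-line set operators are skipped for matching and land in the config list, every later line lands in the reply list) is easy to get wrong when writing entries by hand. The following is an added toy simulation of that rule, written for this thread; it is not FreeRADIUS code and not how rlm_files is implemented. The users file it parses is constructed for the example (the user name, NAS address and VLAN are made up), and it deliberately ignores Fall-Through, regex operators (=~), the list of check attributes that are really config items, and everything else the real module does.

```python
"""Toy model of how a FreeRADIUS ``users`` entry is evaluated.

Added example for this thread, not FreeRADIUS code. It simulates only the
rule in the reply above: comparisons on the first line are tested against
the request list, set operators on the first line go to the config list,
and every following line goes to the reply list. Fall-Through, =~, and the
rest of what rlm_files does are left out on purpose.
"""
import re

COMPARE_OPS = ("==", "!=", "<=", ">=", "<", ">")
SET_OPS = (":=", "+=", "=")
# Longer operators must be tried before their prefixes (":=" before "=", etc.).
OP_RE = "|".join(re.escape(op) for op in
                 (":=", "+=", "==", "!=", "<=", ">=", "<", ">", "="))
PAIR_RE = re.compile(r'([\w-]+)\s*(' + OP_RE + r')\s*"?([^"]*)"?$')

# Constructed sample users file (user, NAS address and VLAN are made up).
USERS_FILE = """
"alice"  NAS-IP-Address == 192.0.2.10, Auth-Type := PAP
         Tunnel-Type = VLAN,
         Tunnel-Private-Group-Id = 42

DEFAULT  Auth-Type := Reject
         Reply-Message = "Not permitted"
"""


def parse_pairs(text):
    """Split 'Attr op Value, Attr op Value' into (attr, op, value) tuples."""
    pairs = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        m = PAIR_RE.match(item)
        if not m:
            raise ValueError(f"cannot parse pair {item!r}")
        pairs.append(m.groups())
    return pairs


def parse_users(text):
    """Parse users-file text into entries with a name, check items, reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":               # unindented: name + first line
            name, _, rest = line.strip().partition(" ")
            entries.append({"name": name.strip('"'),
                            "check": parse_pairs(rest), "reply": []})
        else:                                  # indented: reply items
            entries[-1]["reply"].extend(parse_pairs(line))
    return entries


def compare(op, have, want):
    """Evaluate one comparison operator; numeric when both sides are ints."""
    if op == "==":
        return have == want
    if op == "!=":
        return have != want
    try:
        have, want = int(have), int(want)
    except ValueError:
        pass
    return {"<": have < want, ">": have > want,
            "<=": have <= want, ">=": have >= want}[op]


def matches(entry, username, request):
    """True if the entry name and every first-line *comparison* hold."""
    if entry["name"] not in ("DEFAULT", username):
        return False
    for attr, op, value in entry["check"]:
        if op in SET_OPS:
            continue                # set operators never take part in matching
        if attr not in request or not compare(op, request[attr], value):
            return False
    return True


def apply_set(target, attr, op, value):
    """:= replaces, += appends, = sets only if the attribute is absent."""
    if op == ":=":
        target[attr] = [value]
    elif op == "+=":
        target.setdefault(attr, []).append(value)
    else:
        target.setdefault(attr, [value])


def lookup(users, username, request):
    """Return (config, reply) from the first matching entry, else (None, None)."""
    for entry in users:
        if not matches(entry, username, request):
            continue
        config, reply = {}, {}
        for attr, op, value in entry["check"]:
            if op in SET_OPS:                   # first-line set items -> config
                apply_set(config, attr, op, value)
        for attr, op, value in entry["reply"]:
            apply_set(reply, attr, op, value)   # later lines -> reply
        return config, reply                    # first match wins (no Fall-Through)
    return None, None


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    print(lookup(users, "alice", {"NAS-IP-Address": "192.0.2.10"}))
    print(lookup(users, "alice", {"NAS-IP-Address": "198.51.100.1"}))
```

Run it and note that "alice" from 192.0.2.10 gets Auth-Type in the config list and the two Tunnel-* items in the reply list, while the same user from any other NAS never matches the first entry (the == comparison fails on the request pair) and falls to DEFAULT, whose `Auth-Type := Reject` is likewise a config item and not something sent back to the NAS.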