Trying to wrap my head around FreeRadius config

Phil Mayers p.mayers at
Wed Jul 20 10:53:27 CEST 2011

On 07/20/2011 03:28 AM, Moe, John wrote:

>> There are various others, but those are the main ones.
> So then, when matching an entry in "users", does it look at the request
> items, or the config items?  When creating an entry, you specify first
> things to match against on one line separated by commas, and then reply
> items, each on its own line, separated by commas.  Those things to match
> against, do they match the request items or the config items?  I'm
> trying to understand the difference between request and config.

Well, I thought my example had covered this, but I guess not.

The 1st line can contain comparison and set operators e.g.

DEFAULT	Attr1 == Value1, Attr2 := Value2
	Attr3 = Value3

Comparisons are made against the "request" pairs. If everything on the 
1st line matches ("set" operations are considered to always match i.e. 
skipped) then:

  * any non-comparison (i.e. set) operations from the 1st line are 
copied into the config pair list
  * 2nd and subsequent lines are copied to the reply pair list

So, the example above says:

  * if
    * request:Attr1 == Value1, and
    * <noop, because := is a set operator>
  * then
    * set config:Attr2 := Value2
    * set reply:Attr3 := Value3

> ... I think I'm going to need to re-read this a few times and play with
> it on my server to fully get this part. I thought TLS was only one
> mechanism within PEAP that it could use; another, for example, is

No, you've misunderstood how it works I'm afraid.

The various EAP methods are complex; by all means put effort into 
understanding them if it interests you, but take it from me: it might 
not be as rewarding or useful as you'd hope.

> MSCHAPv2 (which is what I'm going to be using).  Or does it use TLS on
> the PEAP portion to set up the outer tunnel, regardless of what's used
> inside?

PEAP *is* TLS. It's exactly the same protocol as EAP-TLS (i.e. a simple 
layering of TLS over EAP) except for the following:

  * EAP number is different
  * Once the TLS session is setup, additional "inner" data is sent over 

More information about the Freeradius-Users mailing list