EAP-PEAP drops attributes
freerad at spambin.de
freerad at spambin.de
Sun Feb 23 16:13:30 CET 2014
Brian Julin wrote:
> freerad wrote:
> > This, however, doesn't seem to work as freeradius seems to drop the
> > Airespace-Wlan-Id attribute while processing the request. As can be seen
> > in the debug trace (debug_fail.txt), the user is being matched at first
> > ([files] users: Matched entry test1 at line 173) but isn't found later on.
> Copy your outer attributes into the inner tunnel. Unless you do that all you
> get is a few attributes mapped from the PEAP session into a fake RADIUS
> request. If you uncomment "copy_request_to_tunnel = yes" in the eap-peap
> submodule config section, FreeRADIUS will also add the attributes from the
> outer request to this fake request. If you need to also send attributes back from
That did it. I was mistaken as to what copy_request_to_tunnel did,
thinking it was only relevant when using the inner-tunnel virtual server.
> Note that by running both your outer and inner tunnels through the same
> users file, you are matching the outer username in the users file unless
> you filter on "FreeRadius-Proxied-To == 127.0.0.1" or whatnot. Even
> Windows clients allow you to change the outer user ID (in fact it is
> *encouraged* to use "anonymous" or such in the outer request), and that
> outer username is not checked against a password, so you want to be
> really careful here only to make decisions based on the inner tunnel
> username. When you use copy_request_to_tunnel, it will use the
> PEAP username, and will not overwrite the User-Name attribute with
> the one from the outer request.
So what you're saying is, an attacker could use an outer ID to have freeradius
supply different/additional attributes in its reply?
As I'm using reply attributes to place users into VLANs I can see where
this could lead to security issues.
I guess I should look into the inner-tunnel virtual server again and
disable the users module on the default server.
Bodo Bellut bodo at bellut.net | USE PGP! +-----------+
Stangefolstr. 17 Fax/Mobile: just ask | (key via server |\ O---m /|
44141 Dortmund Fon: +49-700-77-BELLUT | or on request) |/---------\|
PGP: 768/FA18A639 AE 5A 47 40 5A A0 D6 15 8E 54 44 AA 8D DD 6E BD+-----------+
More information about the Freeradius-Users