EAP-PEAP drops attributes

freerad at spambin.de freerad at spambin.de
Sun Feb 23 16:13:30 CET 2014


Hi,

Brian Julin wrote:
> freerad wrote:
> > This, however, doesn't seem to work as freeradius seems to drop the
> > Airespace-Wlan-Id attribute while processing the request. As can be seen
> > in the debug trace (debug_fail.txt), the user is being matched at first
> > ([files] users: Matched entry test1 at line 173) but isn't found later on.
> 
> Copy your outer attributes into the inner tunnel.  Unless you do that all you
> get is a few attributes mapped from the PEAP session into a fake RADIUS
> request.  If you uncomment "copy_request_to_tunnel = yes" in the eap-peap
> submodule config section, FreeRADIUS will also add the attributes from the
> outer request to this fake request.  If you need to also send attributes back from

That did it. I was mistaken as to what copy_request_to_tunnel did, 
thinking it was only relevant when using the inner-tunnel virtual server.

> Note that by running both your outer and inner tunnels through the same
> users file, you are matching the outer username in the users file unless
> you filter on "FreeRadius-Proxied-To == 127.0.0.1" or whatnot.  Even
> Windows clients allow you to change the outer user ID (in fact it is
> *encouraged* to use "anonymous" or such in the outer request), and that
> outer username is not checked against a password, so you want to be
> really careful here only to make decisions based on the inner tunnel
> username.  When you use  copy_request_to_tunnel, it will use the
> PEAP username, and will not overwrite the User-Name attribute with
> the one from the outer request.

So what you're saying is, an attacker could use an outer ID to have freeradius
supply different/additional attributes in its reply?
As I'm using reply attributes to place users into VLANs I can see where 
this could lead to security issues.
I guess I should look into the inner-tunnel virtual server again and 
disable the users module on the default server.

regards,
Bodo
-- 
Bodo Bellut          bodo at bellut.net         |     USE PGP!       +-----------+
Stangefolstr. 17     Fax/Mobile:   just ask  | (key via server    |\  O---m  /|
44141 Dortmund       Fon: +49-700-77-BELLUT  |  or on request)    |/---------\|
PGP: 768/FA18A639 AE 5A 47 40 5A A0 D6 15  8E 54 44 AA 8D DD 6E BD+-----------+
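An added example, not taken from the thread or from the FreeRADIUS project, of the configuration shape Brian describes: the PEAP section with copy_request_to_tunnel enabled, and a users file entry that hands out VLAN reply attributes only to the inner-tunnel request (checked via FreeRADIUS-Proxied-To == 127.0.0.1), so the unauthenticated outer identity can never select a VLAN. The password, WLAN id, VLAN number and the eap.conf/users file layout are assumptions.

```text
# eap.conf, peap sub-section (assumed FreeRADIUS 2.x layout)
peap {
    default_eap_type = mschapv2
    # Make outer attributes such as Airespace-Wlan-Id visible to the
    # inner request; without this the inner request only carries the
    # few attributes mapped from the PEAP session itself.
    copy_request_to_tunnel = yes
    # Return reply attributes decided in the inner tunnel (VLAN etc.)
    # in the final Access-Accept.
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
}

# users file
#
# Weak (kept commented out): this entry also matches the OUTER request.
# The outer User-Name is chosen by the client and is never checked
# against a password, so any client that sets it to "test1" receives
# this entry's reply items.
#test1  Cleartext-Password := "secret", Airespace-Wlan-Id == 2
#       Tunnel-Type = VLAN,
#       Tunnel-Medium-Type = IEEE-802,
#       Tunnel-Private-Group-Id = 20

# Hardened: FreeRADIUS-Proxied-To == 127.0.0.1 is true only for the
# request the inner-tunnel server handles, i.e. inside the PEAP tunnel
# and for the username that is actually authenticated. The outer
# request carries no such attribute and therefore matches nothing here.
test1   Cleartext-Password := "secret", FreeRADIUS-Proxied-To == 127.0.0.1, Airespace-Wlan-Id == 2
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20
```

With the check in place a debug run should show the "Matched entry test1" line only while the inner-tunnel server is processing, never for the outer Access-Request.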