EAP-PEAP drops attributes

Brian Julin BJulin at clarku.edu
Sun Feb 23 16:33:08 CET 2014

> freerad wrote:
> So what you're saying is, an attacker could use an outer ID to have freeradius
> supply different/additional attributes in its reply?

Yes.  And that non-attackers would do this too if they were following best practices,
because they would be setting their outer usernames to something anonymous.
In fact there used to be WIndows WLAN card drivers that put strange values in the outer
username with no way to configure it.

> I guess I should look into the inner-tunnel virtual server again and
> disable the users module on the default server.

Probably; it's possible to do it all in the same virtual server, but it involves a
lot of manual configuration and the reasons to do it that way have been diminishing
as FreeRADIUS development progressed.

Once you build the mental model of the NAS<->FR conversation being the outer
RADIUS wrapper and the client<->FR conversation being the inner tunnel, emulated
into a RADIUS-like request, EAP inner methods make much more sense.

More information about the Freeradius-Users mailing list