EAP-PEAP drops attributes

Alan DeKok aland at deployingradius.com
Sun Feb 23 16:47:53 CET 2014

freerad at spambin.de wrote:
> That did it. I was mistaken as to what copy_request_to_tunnel did, 
> thinking it was only relevant when using the inner-tunnel virtual server.

  copy_request_to_tunnel is about copying attributes to the inner tunnel
part of the PEAP authentication method.  It has nothing to do with the
inner-tunnel virtual server.

> So what you're saying is, an attacker could use an outer ID to have freeradius
> supply different/additional attributes in its reply?

  If you've configured your policies that way.

> As I'm using reply attributes to place users into VLANs I can see where 
> this could lead to security issues.
> I guess I should look into the inner-tunnel virtual server again and 
> disable the users module on the default server.

  The default configuration includes the inner-tunnel virtual server for
a reason.  We STRONGLY suggest you use it.

  Alan DeKok.
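
Added example, not part of the original message and not taken from the FreeRADIUS distribution: the VLAN policy from this exchange, first keyed on the outer identity and then moved into the tunnel. The user "alice", VLAN "20", and a server version whose peap section supports use_tunneled_reply are assumptions; files, mschap and eap are the stock module names.

```conf
# Constructed example. User name and VLAN ID are made up.

# --- users file entry, read by the "files" module ---
# The reply items are attached to whatever User-Name the module sees.
alice
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# --- Weak: the lookup runs in the outer (default) server ---
# User-Name here is the outer identity. The client chooses it freely
# and it is never checked against a password, so the VLAN in the
# Access-Accept follows a name the client merely claimed.
server default {
        authorize {
                files           # matches on the outer identity
                eap
                # other modules unchanged
        }
}

# --- Corrected: the lookup runs only inside the tunnel ---
server default {
        authorize {
                eap             # no "files" lookup on the outer identity
                # other modules unchanged
        }
}

server inner-tunnel {
        authorize {
                files           # matches on the inner, authenticated identity
                mschap
                eap
        }
}

# peap section of the eap module
peap {
        virtual_server = "inner-tunnel"
        # assumption: this version copies inner reply items to the
        # outer Access-Accept when this is enabled
        use_tunneled_reply = yes
}
```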
