EAP-PEAP drops attributes
Alan DeKok
aland at deployingradius.com
Sun Feb 23 16:47:53 CET 2014
freerad at spambin.de wrote:
> That did it. I was mistaken as to what copy_request_to_tunnel did,
> thinking it was only relevant when using the inner-tunnel virtual server.

copy_request_to_tunnel is about copying attributes to the inner tunnel
part of the PEAP authentication method. It has nothing to do with the
inner-tunnel virtual server.

> So what you're saying is, an attacker could use an outer ID to have freeradius
> supply different/additional attributes in its reply?

If you've configured your policies that way.

> As I'm using reply attributes to place users into VLANs I can see where
> this could lead to security issues.
> I guess I should look into the inner-tunnel virtual server again and
> disable the users module on the default server.

The default configuration includes the inner-tunnel virtual server for
a reason. We STRONGLY suggest you use it.

Alan DeKok.
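
The arrangement discussed in this thread, as an added example that is not part of the original posts or of FreeRADIUS's shipped configuration: the VLAN lookup runs in the inner-tunnel virtual server, keyed on the identity authenticated inside the PEAP tunnel, and the default (outer) server no longer consults the users file. It assumes FreeRADIUS 2.x/3.0-style option names; the user alice, the password and VLAN 20 are constructed sample values, and other modules are omitted.

```text
# --- peap section of the eap module ---
peap {
    default_eap_type = mschapv2
    # Do not copy outer-request attributes into the tunneled request.
    copy_request_to_tunnel = no
    # Return the reply attributes set by the inner tunnel in the
    # final Access-Accept (needed for the VLAN attributes below).
    use_tunneled_reply = yes
    # Process the tunneled request in its own virtual server.
    virtual_server = "inner-tunnel"
}

# --- default (outer) server: authorize section ---
authorize {
    preprocess
    eap {
        ok = return
    }
    # files    # disabled here: the outer User-Name is chosen by the
    #          # client and is never authenticated, so it must not
    #          # select reply attributes such as a VLAN.
}

# --- inner-tunnel virtual server ---
server inner-tunnel {
    authorize {
        mschap
        eap {
            ok = return
        }
        files    # users-file lookup on the inner (authenticated) User-Name
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}

# --- users file entry (constructed sample) ---
alice   Cleartext-Password := "constructed-sample-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"
```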