A.L.M.Buxey at lboro.ac.uk
Thu Oct 20 19:08:11 CEST 2016


> Exactly. So I'm intentionally demonstrating the case where they are
> different; a potential attacker can choose whichever outer identity
> they like.

DON'T trust the outer ID. Never base policy decisions on the outer ID
(in our case the policy is in the users file... and your server
is using the 'files' module in the outer phase).

> Yes I know. An attacker can choose whichever identity they like.
> Even the stock Android client lets you enter whichever "anonymous"
> identity you like; no special tools required.

This is all rather well known and old. The outer ID is fake. Never trust it
(see above).

> It's what the default config tells it to do. I was surprised. It
> does not seem like desirable default behaviour: specifically, an
> unauthorized user being able to generate RADIUS reply attributes
> which belong to some other user.

This is down to a site's policy. No server I know of uses the default
users file as shipped...

> But I see this behaviour with the current sample configuration which
> is supplied with freeradius 3.0.12.

and 2.2 and 1.1.3 and 0.9
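One way to arrange the virtual servers so that per-user policy (and the reply attributes it produces) is only ever evaluated against the authenticated inner identity, given as an added example; this is not the poster's configuration nor the FreeRADIUS project's shipped defaults, and it assumes FreeRADIUS 3.0.x with PEAP/TTLS, the usual default/inner-tunnel virtual server split, and the users file as the policy source:

```unlang
# sites-available/default : OUTER phase (added example, fragment only).
# The outer User-Name comes straight from the supplicant and is never
# authenticated, so this server must not hand out per-user reply attributes.
server default {
	authorize {
		preprocess
		suffix
		eap {
			ok = return
		}
		# Consult the users file only for non-EAP requests (plain PAP/CHAP).
		# For EAP requests the outer identity is whatever the client typed,
		# so per-user policy is deferred to the inner-tunnel server below.
		if (!&EAP-Message) {
			files
		}
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		eap
	}
}

# sites-available/inner-tunnel : INNER phase, runs only inside the TLS tunnel.
# Here User-Name is the tunnelled identity that is actually being
# authenticated, so looking it up in the users file is safe.
server inner-tunnel {
	authorize {
		mschap
		eap {
			ok = return
		}
		files
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```

To get the inner reply attributes into the final Access-Accept, the `peap` and `ttls` sub-sections of mods-available/eap need `virtual_server = "inner-tunnel"` and `use_tunneled_reply = yes`, so the attributes the NAS sees originate from the inner lookup rather than the outer one.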