How to determine the type of request? (EAP or not EAP)

Alan DeKok aland at deployingradius.com
Tue May 1 14:56:22 CEST 2018


On May 1, 2018, at 5:37 AM, work vlpl <thework.vlpl at gmail.com> wrote:
> 
> I have a virtual site that works with both EAP and non-EAP requests.

  One simple way to deal with the different requests is different virtual servers.  That's what they are for, after all.

> In the general case the main field used to query the database or other
> storage is the Username. An EAP request usually has two identities,
> anonymous and real. If a user puts the real username in the anonymous
> identity, and it exists in the database or users file, it can lead (in my
> case) to unexpected behavior, for example redirecting the request to a
> home server.

  It's behaviour you have to deal with and address.  Users will do "inventive" things.

> To handle this situation I added an if clause like this to the "outer"
> virtual site

  That will work.  Or, run different virtual servers. :)

> Is it safe to assume that all EAP requests will have an internal/real identity?

  No.  EAP-MD5 doesn't have an inner identity for example.  EAP-TLS can be used without inner identities.

  PEAP and TTLS will always have inner identities.

> Is there another, better way to detect (for an EAP request) that this
> Username is an anonymous identity?

  The answer depends on what you want to do...

- forbid proxying of PEAP and TTLS?

authorize {
	...
	eap
	if (control:Proxy-To-Realm && ((EAP-Type == PEAP) || (EAP-Type == TTLS))) {
		reject
	}
	...
}

- require "anonymous" as outer User-Name:

authorize {
	...
	eap
	if ((User-Name != "anonymous") && ((EAP-Type == PEAP) || (EAP-Type == TTLS))) {
		reject
	}
	...
}

  But the simplest thing is to use multiple virtual servers.  Then, don't put proxying into the one that does EAP.

  See raddb/sites-available/README for lots of examples.

  Alan DeKok.
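As an added example (not from Alan's reply or from the FreeRADIUS distribution), one authorize section that ties the two checks together: the presence of EAP-Message is the EAP/non-EAP test, and once "eap" has set EAP-Type, PEAP/TTLS requests are accepted only with an anonymous outer User-Name and skip the lookup on that name, while everything else is looked up as a real identity. It assumes the stock "suffix" and "sql" modules and treats "anonymous" or "anonymous@realm" as the anonymous form; both are assumptions.

```unlang
authorize {
	# suffix splits "user@realm" and may set control:Proxy-To-Realm
	suffix

	# eap sets EAP-Type only when the request carries EAP-Message;
	# plain PAP/CHAP/MS-CHAP requests pass through it untouched
	eap

	# EAP-Message present => EAP request; absent => not EAP
	if (EAP-Message && ((EAP-Type == PEAP) || (EAP-Type == TTLS))) {
		# PEAP/TTLS always carry the real user in the inner tunnel, so
		# the outer User-Name is only a routing hint. Accept only an
		# anonymous outer name (assumed policy: "anonymous" or
		# "anonymous@realm") so a real username in the outer identity
		# is never used for the database lookup or for proxying.
		if (User-Name !~ /^anonymous(@.*)?$/) {
			reject
		}
		# No lookup on the outer name here; the inner-tunnel virtual
		# server handles the real identity.
	}
	else {
		# Non-EAP, EAP-MD5 and EAP-TLS: User-Name is the real identity
		sql
	}
}
```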