filter_inner_identity
Rodrigo Prieto
rodrigoprieto2019 at gmail.com
Wed Jun 11 19:46:05 UTC 2025
Hi, I’m configuring TTLS+PAP and I have some doubts about how to hide
users' identities. In the inner-tunnel file, I uncommented
filter_inner_identity. I added the following to the /policy.d/filter file
so that if the outer and inner usernames are the same, it rejects the
request:
    if (&outer.request:User-Name == &User-Name) {
        update request {
            Module-Failure-Message = "Outer User-Name cannot be the same as inner User-Name"
        }
        reject
    }
The configuration in the filter file rejects the request if the user
doesn’t use the word “anon”, but if I use anonrprieto as the outer identity
and rprieto as the inner identity, obviously it doesn’t reject it and the
inner identity gets exposed.
Is there any way to protect against this, or is it unnecessary?
Alan, don’t scold me :)
Thanks.
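
Added example, not part of the original message and not FreeRADIUS code: a Python model of the comparison described above, showing which outer/inner pairs the posted equality test rejects and which a stricter substring test would reject. The function names, the case-insensitive comparison, the realm splitting and the sample identities are assumptions made for illustration.

```python
# Models the identity comparison only; it does not talk to a RADIUS server.

def split_identity(name):
    """Split 'user@realm' into (user, realm), lower-cased; realm is '' if absent."""
    user, _, realm = name.partition("@")
    return user.lower(), realm.lower()

def posted_rule_rejects(outer, inner):
    """The test from the post: reject only when both names are identical."""
    return outer == inner

def outer_leaks_inner(outer, inner):
    """Stricter test (assumption): reject when the inner user part appears
    anywhere inside the outer user part, ignoring case and realm."""
    outer_user, _ = split_identity(outer)
    inner_user, _ = split_identity(inner)
    return bool(inner_user) and inner_user in outer_user

# Constructed sample pairs: (outer identity, inner identity)
SAMPLES = [
    ("rprieto", "rprieto"),
    ("anonrprieto", "rprieto"),
    ("anonymous@example.org", "rprieto@example.org"),
    ("RPrieto@example.org", "rprieto@example.org"),
    ("anon", "rprieto"),
]

def evaluate(samples=SAMPLES):
    """Return (outer, inner, rejected_by_posted_rule, rejected_by_stricter_rule)."""
    return [
        (outer, inner, posted_rule_rejects(outer, inner), outer_leaks_inner(outer, inner))
        for outer, inner in samples
    ]

if __name__ == "__main__":
    for outer, inner, posted, strict in evaluate():
        print(f"{outer:24} {inner:22} posted={posted!s:5} stricter={strict}")
```

A substring test also rejects any client whose real user name happens to be contained in its anonymous label, so very short user names can cause false rejects.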