I'm trying to instruct our FreeRADIUS to check some inconsistencies
between inner and outer parameters involved in EAP-TTLS and EAP-PEAP
authentication of wireless users.

If the return attributes are based on the outer identity, the system can be
fooled by using a valid inner identity and obtaining the privileges of
another user (sent as the outer identity).
If the return attributes are based on the inner identity, because not all
the states of EAP authentication involve an inner phase, only in the
phases that involve inner EAP are the correct attributes returned and,
as an example, the user isn't correctly mapped to his correct VLAN.

How can I validate if the same Realm is used in the inner and outer
User-Name?
How can I pass variables (attributes) between the inner and outer phases?
How can I maintain some context of the authentications in progress so
that I can send the correct parameters in phases that didn't involve
inner auth and where I can't trust the outer identity?

TIA.

-- 
Best regards,
 PedroRibeiro                          mailto:[EMAIL PROTECTED]
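
The inner/outer consistency check asked about above, modelled in Python as an added example; it is not part of the original post and is not FreeRADIUS configuration. The policy (realms must match, the outer user part may be empty or `anonymous`, otherwise it must equal the inner user part), the function names and the sample identities are assumptions.

```python
# Added example: model of an inner/outer identity consistency check for
# tunnelled EAP (EAP-TTLS / EAP-PEAP). The policy below is an assumption.

# Assumed: outer user parts that make no claim about who the user is.
ANONYMOUS_USERS = {"", "anonymous"}


def split_nai(identity):
    """Split 'user@realm' into (user, realm); realm is lower-cased, '' if absent."""
    user, sep, realm = identity.rpartition("@")
    if not sep:  # no '@' at all: the whole string is the user part
        return identity, ""
    return user, realm.lower()


def check_identities(outer, inner):
    """Return (ok, reason) for one tunnelled authentication."""
    if not inner:
        return False, "no inner identity"
    o_user, o_realm = split_nai(outer or "")
    i_user, i_realm = split_nai(inner)
    if i_user in ANONYMOUS_USERS:
        return False, "inner identity is anonymous"
    if o_realm != i_realm:
        return False, "realm mismatch"
    # A non-anonymous outer name is a claim; it must match the inner one.
    if o_user not in ANONYMOUS_USERS and o_user != i_user:
        return False, "outer identity names a different user"
    return True, "consistent"


def identity_for_reply(outer, inner):
    """Identity to key VLAN/reply attributes on, or None when the request is rejected."""
    ok, _ = check_identities(outer, inner)
    return inner if ok else None


if __name__ == "__main__":
    # Constructed sample (outer, inner) User-Name pairs.
    samples = [
        ("anonymous@example.org", "alice@example.org"),
        ("@example.org", "alice@EXAMPLE.ORG"),
        ("bob@example.org", "alice@example.org"),
        ("anonymous@other.org", "alice@example.org"),
    ]
    for outer, inner in samples:
        print(outer, inner, check_identities(outer, inner))
```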

