On 07/20/2011 03:28 AM, Moe, John wrote:
There are various others, but those are the main ones.
So then, when matching an entry in "users", does it look at the request
items, or the config items? When creating an entry, you specify first
things to match against on one line separated by commas, and then reply
items, each on its own line, separated by commas. Those things to match
against, do they match the request items or the config items? I'm
trying to understand the difference between request and config.
Well, I thought my example had covered this, but I guess not.
The 1st line can contain comparison and set operators e.g.
    DEFAULT Attr1 == Value1, Attr2 := Value2
        Attr3 = Value3
Comparisons are made against the "request" pairs. If everything on the
1st line matches ("set" operations are considered to always match i.e.
skipped) then:
 * any non-comparison (i.e. set) operations from the 1st line are
   copied into the config pair list
 * 2nd and subsequent lines are copied to the reply pair list
So, the example above says:
 * if
   * request:Attr1 == Value1, and
   * <noop, because := is a set operator>
 * then
   * set config:Attr2 := Value2
   * set reply:Attr3 := Value3
... I think I'm going to need to re-read this a few times and play with
it on my server to fully get this part. I thought TLS was only one
mechanism within PEAP that it could use; another, for example, is
No, you've misunderstood how it works, I'm afraid.
The various EAP methods are complex; by all means put effort into
understanding them if it interests you, but take it from me: it might
not be as rewarding or useful as you'd hope.
MSCHAPv2 (which is what I'm going to be using). Or does it use TLS on
the PEAP portion to set up the outer tunnel, regardless of what's used
inside?
PEAP *is* TLS. It's exactly the same protocol as EAP-TLS (i.e. a simple
layering of TLS over EAP) except for the following:
* EAP number is different
 * Once the TLS session is set up, additional "inner" data is sent over
   TLS e.g. EAP-MSCHAPv2
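The "users" matching rules described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code. It is a simplified model: the function names are hypothetical, only the operators shown in the message are handled, and the entry name is assumed to be compared with User-Name (DEFAULT matching any user).

```python
import re

# Simplified model (an assumption, not FreeRADIUS code). Handles only the
# operators in the message: == compares; := and = are treated as "set".
PAIR = re.compile(r"\s*([\w-]+)\s*(==|:=|=)\s*(.+?)\s*$")

# The entry from the message, reproduced as constructed sample input.
ENTRY = """\
DEFAULT Attr1 == Value1, Attr2 := Value2
    Attr3 = Value3
"""

def parse_pairs(text):
    """Split 'A == 1, B := 2' into (attr, op, value) tuples.
    Quoted values containing commas are not handled."""
    pairs = []
    for item in (p.strip() for p in text.split(",")):
        if not item:
            continue  # tolerate the trailing comma between reply lines
        m = PAIR.match(item)
        if m is None:
            raise ValueError(f"cannot parse pair: {item!r}")
        pairs.append(m.groups())
    return pairs

def evaluate(entry, request):
    """Return (matched, config, reply) for one entry against request pairs."""
    lines = [l for l in entry.splitlines() if l.strip()]
    name, _, first = lines[0].strip().partition(" ")
    first_line = parse_pairs(first)
    reply_items = [p for l in lines[1:] for p in parse_pairs(l)]
    # The entry name is compared with User-Name; DEFAULT matches any user.
    if name != "DEFAULT" and request.get("User-Name") != name:
        return False, {}, {}
    # Comparisons look only at the request list; set operators are skipped.
    for attr, op, value in first_line:
        if op == "==" and request.get(attr) != value:
            return False, {}, {}
    # On a match: first-line set items -> config, later lines -> reply.
    config = {a: v for a, op, v in first_line if op != "=="}
    reply = {a: v for a, op, v in reply_items}
    return True, config, reply

if __name__ == "__main__":
    print(evaluate(ENTRY, {"User-Name": "bob", "Attr1": "Value1"}))
    print(evaluate(ENTRY, {"User-Name": "bob", "Attr1": "Other"}))
```

Note that a request which already carries Attr2 does not affect matching: the := item on the first line is never compared, only copied to the config list.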