Attribute and Message Editing

Alan DeKok aland at ox.org
Thu Jun 30 23:48:21 CEST 2005


"Tahseen Hussain" <stud3080 at itu.dk> wrote:
> Is it possible to avoid attribute editing and message editing by using
> EAP-TTLS or EAP-PEAP in a proxy environment?

  Yes.

> As far as I understand, in EAP-TTLS a tunnel is formed between a user and
> the TTLS server, now this TTLS server will forward the request to the
> proxy and proxy to the home radius server. So the threat here is from
> proxy, which can falsely edit attribute and messages.

  If the proxy terminates the TLS session.

> For example if home radius server sends Accept-accept packet, it is
> possible that a proxy can change the same packet to Access-Reject
> (wantedly), so that the user will not be able to access visited network.

  Yes.

  Any proxy can do this, and there's nothing you can do to solve that
problem.

  Alan DeKok.
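
Added example, not part of the original post: the RFC 2865 Response Authenticator check, showing that it covers one hop only. A change made on the path without the shared secret is detected, but the packet a proxy signs toward the NAS verifies whatever Code it carries. The secrets, identifiers and the demo() helper are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

def build_response(code, ident, request_auth, attrs, secret):
    """RADIUS response with the RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_response(packet, request_auth, secret):
    """The receiver's check: recompute the digest with the secret it shares
    with the peer that sent this packet (one hop only)."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)

def demo():
    # Constructed values: one shared secret and one Request Authenticator per hop.
    nas_proxy_secret = b"constructed-nas-proxy-secret"
    proxy_home_secret = b"constructed-proxy-home-secret"
    nas_req_auth, proxy_req_auth = os.urandom(16), os.urandom(16)

    # Home server answers the proxy's forwarded request with Access-Accept.
    from_home = build_response(ACCESS_ACCEPT, 7, proxy_req_auth, b"", proxy_home_secret)
    # The proxy always builds a new packet for the NAS and signs it with the
    # NAS-proxy secret; the Code field is whatever the proxy puts there.
    to_nas = build_response(ACCESS_REJECT, 1, nas_req_auth, b"", nas_proxy_secret)
    # A party on the path without the secret changes the Code byte only.
    tampered = bytes([ACCESS_REJECT]) + from_home[1:]

    return {
        "proxy_accepts_home_reply": verify_response(from_home, proxy_req_auth, proxy_home_secret),
        "nas_accepts_proxy_reply": verify_response(to_nas, nas_req_auth, nas_proxy_secret),
        "code_seen_by_nas": to_nas[0],
        "tamper_without_secret_detected": not verify_response(tampered, proxy_req_auth, proxy_home_secret),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```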



