John Allman allmanj at cp.dias.ie
Thu Jul 6 18:56:47 CEST 2006

A.L.M.Buxey at lboro.ac.uk wrote:

> "captive portal" - there are several software tools that will do this...
> eg http://en.wikipedia.org/wiki/Captive_portal
> most people seem to be moving away from this method as it is riddled with
> possible security compromises.

Thanks for the heads-up. I'll take a look at it, but keep in mind the
possible security implications (i'll google).

> PAP uses clear text (unencrypted) password authentication. whilst
> the EAP-TTLS traffic is encrypted (and the PAP lurks inside that encrypted
> session) when you CAN see the PAP in the clear is when its being sent
> over to LDAP - so you need to make sure that that communication is
> encrpyted...either by making sure its configured to use SSL for its
> communication channel...or simply 'stunnel'ing the traffic.

>> 		start_tls = no
>                  ^^^^^^^^^^^^^^
> this!

As mentioned in my reponse to Stefan, this is not a concern for me as
they're on the same host communicating exclusively over the loopback

On a side-note, I've now noticed that radius doesn't appear to be
respecting my ldap filter. base_filter = "(objectclass=radiusprofile)"
but i can authenticate as a user without a radiusprofile attribute.




More information about the Freeradius-Users mailing list