On Mon, Jul 30, 2012 at 11:47 AM, Mark Selby <mselby@knewton.com> wrote:
We do want to be able ever to see our users passwords
(1) log_auth_badpass|log_auth_goodpass
(2) radiusd -X
Are you sure that would be effective? Anyone who can edit radiusd.conf or run "radiusd -X" usually have root password. It means, if they want to, they can: (1) replace your binary with another one (e.g. the one compiled from vanilla source code) (2) then can run tcpdump on the interface, which can show the attribute user-password as clear text if the user uses PAP (although this might be irrelevant to you since your debug log shows only ttls) (3) if you need to have user-password attribute in the first place, usually it's because whatever backend you use (e.g. db, LDAP) can only handle clear text password (e.g. because they store only encrypted passwords). Depending on what backend you use, It's possible that the admin can capture the traffic between FR and the backend to look at the clear-text user password. (4) Then can modify radiusd.conf (or whatever virtual server is active) to activate additional logging (to file, db, whatever) that could store the value of whatever attribute they choose (including User-Password). -- Fajar