On 13/09/2024 12:10, Connor Herring wrote:
Thanks for this, it does put my mind at ease. Is there any way other than various PCAPs that you would be able to tell if something sensitive like the password was being seen outside the tunnel?
tcpdump, radsniff, FreeRADIUS debug output. But ultimately they'll all tell you the same thing.
I think I've proved that you can't, pretty conclusively but just want to be sure.
Literally all the RADIUS stuff is outside the tunnel. Which is why it's recommended to keep RADIUS on a private network and to use RadSec if possible. e.g. device MAC addresses etc are all in the clear. People run RADIUS over the Internet and I have no idea why you would even consider doing that. But in terms of authentication, disable all the auth stuff in the outer tunnel (sites-enabled/default) except eap, then nothing else can work. At that point you've pretty much done everything you can. -- Matthew