A.L.M.Buxey@lboro.ac.uk wrote:
The EAP-Message doesn't appear to be encrypted on the initial packet from the ap to the server. Inside i see Type and Identity (containing my username. The username is also in the User-Name attribute)
that'll be your outer identity... which, as it is plain to see (pun definately intended folks), is why many people use some anonymous identity for protection..why give away some of your credentials? - eg anonymous@your.home.realm.com
Hmmm. Well, in the first packet i see the Identity in the EAP-Message, but the User-name attribute is in every packet sent by the AP. How would i go about using an anonymous identity? Would that be up to the wireless client configuration? It would be quite important for me to hide this. If i'm understanding you correctly, the User-name attribute and the Identity field in the EAP-Message attribute have nothing to do with authentication which is all enclosed (including the username) in PAP which is encrypted inside EAP-TTLS? If i could just get this fixed, i think i'd be happy with my setup...
authenticate = yes, you are who you are authorize = should you be using this? do we perhaps change the service you get (eg VLAN)
if you've allowed people to talk to the RADIUS server, then they can...this is why you have eg the clients.conf (or clients SQL) to define *WHAT* NAS can talk to RADIUS server and what secret key they must have to talk to it. you can define whatever type of authentication that FR supports...depending on the eg username...
This certainly helps me understand, but it would be nice to get a more complete understanding. I don't want to hassle you by continually asking you questions until i get it - can you point me to somewhere i can read up on this and understand. For example, it confuses me that there is an ldap, eap and pap section in the authorize section, but pap is to be used exclusively inside eap with the client and ldap is to be used exclusively with the backend server. Thanks for your help, John