On Thu, Jun 18, 2009 at 08:30:27AM +0200, Stefan Winter wrote:
Hi,
Yes, I am aware privacy is a concern. As I am doing some tests, I thought it would be easier to debug if there's a way to relate a request to a proxied username. This is technically not possible or it's more a political matter?
Technically impossible until you break TLS. OR make a deal with the home server that it reveals the actual user name to you.
I thought the outer-tunnel is set up to secure the connection between the user and the authentication server.
And the *home* authentication server. If you operate a proxy in the middle between user and home server, you will not see the inner tunnel credentials.
So the Authentication has access to the unencrypted data which it in turn queries proxies to verify the received credentials;
Only the *home* authentication server has access to the credentials. These credentials are typically not proxied anywhere (there are exceptions at the discretion of that home server).
this data is encrypted using the home-server shared key. Please enlighten me if this is not correct.
The shared secret ensures packet integrity between RADIUS peers, i.e. between your proxy and the home server. With EAP authentication, it does *not* add anything to credential encryption - that happens entirely in the EAP tunnel.
Thanks for the clarifications. Cheers, Xiwen --