Connor Herring <connorrjherring@gmail.com> wrote:
I'm a bit confused here. I've got EAP-TTLS/PAP set up. To ensure that everything was setup correctly, I have run a PCAP from the supplicant to see if I could see any auth details being sent (I couldn't), I have also run a PCAP from an AP in sniffer mode (also couldn't see anything, only probes and broadcasts), however, I ran a TCPDump on the RADIUS server itself and while I couldn't see the password that was being sent, I could see the tunnelled username and VLAN attributes in the Access-Accept.
My question is, is this expected? Want to ensure this isn't just a misconfiguration.
Normal. The NAS does not get to see the password -- the encrypted tunnel is built between the client and the RADIUS Server (except when he NAS is performing as a surrogate as in mac-auth-bypass setups.) But the NAS needs to know the VLAN attributes and there has to be a UserName in the packets as well, IIRC due to EAP standards. If the UserName in those packets is the one used on the inside tunnel and not the outer wrapper (they can be different), then your RADIUS server is intentionally configured to leak that username. This is fairly common when you want real usernames in your NAS administrative interfaces for visibility, or when making policy decisions based on usernames with local rules programmed into the NAS. Under typical models prevalent when RADIUS was designed, NAS and RADIUS server were connected on an isolated internal VLAN so this was not a privacy concern. As things became more cloud-based, this was no longer the case. RADIUS does protect against alteration of these attributes on the wire using a Message-Authenticator (caveat: proper countermeasures for BlastRADIUS needed.) If you do not have a protected communication channel between the NAS and RADIUS server, and you need privacy protection of the attributes, then check if the NAS supports RadSec (RADIUS/TLS). If it does not, pursue building an IPSec tunnel to protect it. In general, the recommendation these days is to move to RadSec whenever you can.