Proxy-tester nagios check for Freeradius
Hello! I would like to make a proxy-tester Nagios check for Freeradius and would like to ask some help for debugging as I experience some problem with using eapol_test. The design is that a user wants to authenticate at realm "A" with credentials stored at realm "B". The infrastructure already set up for proxying based on the realm names and the Access-Requests are do forwarded. I tried this proxy scenario with radtest. And with radtest it works. However, I have some questions regarding this developer work. Maybe you can help me. The first is: is it true, that radtest doesn't encrypt it's messages so proxy requests will contain the password in a recoverable manner? - Tamas Fekete
On Feb 5, 2019, at 5:58 AM, Fekete Tamás <fektom@gmail.com> wrote:
I would like to make a proxy-tester Nagios check for Freeradius and would like to ask some help for debugging as I experience some problem with using eapol_test.
The design is that a user wants to authenticate at realm "A" with credentials stored at realm "B". The infrastructure already set up for proxying based on the realm names and the Access-Requests are do forwarded.
OK...
I tried this proxy scenario with radtest. And with radtest it works.
However, I have some questions regarding this developer work. Maybe you can help me.
The first is: is it true, that radtest doesn't encrypt it's messages so proxy requests will contain the password in a recoverable manner?
The User-Password attribute is protected "on the wire". The passwords are recoverable, because the home server has to check them. See RFC 2865 Section 5.2 for more information. Alan DeKok.
Thank you! It solved all my further questions. Alan DeKok <aland@deployingradius.com> ezt írta (időpont: 2019. febr. 5., K, 14:01):
On Feb 5, 2019, at 5:58 AM, Fekete Tamás <fektom@gmail.com> wrote:
I would like to make a proxy-tester Nagios check for Freeradius and would like to ask some help for debugging as I experience some problem with
using
eapol_test.
The design is that a user wants to authenticate at realm "A" with credentials stored at realm "B". The infrastructure already set up for proxying based on the realm names and the Access-Requests are do forwarded.
OK...
I tried this proxy scenario with radtest. And with radtest it works.
However, I have some questions regarding this developer work. Maybe you can help me.
The first is: is it true, that radtest doesn't encrypt it's messages so proxy requests will contain the password in a recoverable manner?
The User-Password attribute is protected "on the wire". The passwords are recoverable, because the home server has to check them.
See RFC 2865 Section 5.2 for more information.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Fekete Tamás