About Radius security
Hi, Apologizes if this question is to "newbie", but i recently thought about Radius security when using proxy. Considering we are using an EAP-TTLS method, based on LDAP authentication inside inner-tunnel (finally with PAP auth a the end). When a client tries an auth, encryption is done by the server only, encoding datas into a TLS tunnels initiated by the server. So login and password are "hidden" into this tunnel. But when using this method through a proxy way, wher eis data encryption ? Ex : First i a direct connexion : Client (EAP-TTLS) => Tunnel (TLS) => Radius Server Then with proxy : Client (EAP-TTLS) => ? => Proxy Radius Server => ? => Radius BR,
Hi,
But when using this method through a proxy way, wher eis data encryption ?
the TLS tunnel is set up with the remote server - the traffic being passed through all the interim proxies. so the client only trusts the remote server (ie the server they authenticate against) - all the traffic is encapsulated within the TLS tunnel (which is transferred in RADIUS packets). so long as the client is configured to trust only the CA of the remote RADIUS server and the CommonName of the remote RADIUS server, you have the PKI assurance. alan
Le 01/12/2012 23:10, Alan Buxey a écrit :
Hi,
But when using this method through a proxy way, wher eis data encryption ? the TLS tunnel is set up with the remote server - the traffic being passed through all the interim proxies. so the client only trusts the remote server (ie the server they authenticate against) - all the traffic is encapsulated within the TLS tunnel (which is transferred in RADIUS packets). so long as the client is configured to trust only the CA of the remote RADIUS server and the CommonName of the remote RADIUS server, you have the PKI assurance.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks a lot.
BR,
participants (2)
-
Alan Buxey -
Emmanuel BILLOT ACAD