If I run a TCPDump from one of the clients that is sending Auth-Requests to my RADIUS server, I have noticed that in the Access-Challenge messages back from the server you can see certificate details that I have put in the various cnf files in etc/freeradius/3.0/certs. For example, I can see the 'organizationName' and 'emailAddress' from the server.cnf file amongst other details and strings of hashed data within the TCPDump output. I know that the tunnel won't have been established at this point so this in particular wouldn't be hiding those details, but is there a need for them to be exposed? And if not where would I look to configure my server to hide these details from external entities? I know RADSec is preferred but wasn't sure if this information was exposed on purpose.
On Oct 18, 2024, at 11:49 AM, FreeRAD <yetifreerad@gmail.com> wrote:
If I run a TCPDump from one of the clients that is sending Auth-Requests to my RADIUS server, I have noticed that in the Access-Challenge messages back from the server you can see certificate details that I have put in the various cnf files in etc/freeradius/3.0/certs. For example, I can see the 'organizationName' and 'emailAddress' from the server.cnf file amongst other details and strings of hashed data within the TCPDump output.
I know that the tunnel won't have been established at this point so this in particular wouldn't be hiding those details, but is there a need for them to be exposed? And if not where would I look to configure my server to hide these details from external entities? I know RADSec is preferred but wasn't sure if this information was exposed on purpose.
That's how TLS works. You will see the same thing for HTTPS connections which don't use TLS 1.3. Alan DeKok.
Thanks for the info! On Sat, 19 Oct 2024 at 13:24, Alan DeKok <aland@deployingradius.com> wrote:
On Oct 18, 2024, at 11:49 AM, FreeRAD <yetifreerad@gmail.com> wrote:
If I run a TCPDump from one of the clients that is sending Auth-Requests
to
my RADIUS server, I have noticed that in the Access-Challenge messages back from the server you can see certificate details that I have put in the various cnf files in etc/freeradius/3.0/certs. For example, I can see the 'organizationName' and 'emailAddress' from the server.cnf file amongst other details and strings of hashed data within the TCPDump output.
I know that the tunnel won't have been established at this point so this in particular wouldn't be hiding those details, but is there a need for them to be exposed? And if not where would I look to configure my server to hide these details from external entities? I know RADSec is preferred but wasn't sure if this information was exposed on purpose.
That's how TLS works. You will see the same thing for HTTPS connections which don't use TLS 1.3.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
FreeRAD