Hi, I am using EAP-TTLS with eap.conf, it is working, but I was looking in debugging messages and output of sniffing that I can see the User-Name (pepino, in this example), earlier in radius 1.17 only showed anonymous... I see no passwords (I think that it's safe onto tunnel, isn't it?). Is that right? That's is the debug output: rad_recv: Access-Request packet from host 10.30.1.83 port 2053, id=0, length=125 User-Name = "pepino" NAS-IP-Address = 10.30.1.83 Called-Station-Id = "000625f17036" Calling-Station-Id = "000e35bf5118" NAS-Identifier = "000625f17036" NAS-Port = 54 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000b016d6261726265 Message-Authenticator = 0xef93fe76912976e965bb1b2a20401ef3 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepino", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for pepino WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=pepino) expand: ou=people,dc=saltamontes,dc=edu -> ou=people,dc=saltamontes,dc=edu rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.saltamontes.edu:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb2/cacert.pem rlm_ldap: setting TLS Key File to /dev/urandom rlm_ldap: bind as cn=freeradius,ou=applications,dc=saltamontes,dc=edu/pepe to ldap.saltamontes.edu:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=saltamontes,dc=edu, with filter (uid=pepino) rlm_ldap: checking if remote access for pepino is allowed by radiusAllowed rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user pepino authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.30.1.83 port 2053 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x09eceb5c09edfe065d8607a9b4fe1db7 Finished request 0. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.30.1.83 port 2053, id=0, length=192 Cleaning up request 0 ID 0 with timestamp +76 User-Name = "pepino" NAS-IP-Address = 10.30.1.83 Called-Station-Id = "000625f17036" Calling-Station-Id = "000e35bf5118" NAS-Identifier = "000625f17036" NAS-Port = 54 Framed-MTU = 1400 State = 0x09eceb5c09edfe065d8607a9b4fe1db7 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201003c158000000032160301002d010000290301b3354670c815c498b03d3c14301c2e8510e09178ba9ac6cb27077efc961addd8000002000a0100 Message-Authenticator = 0x30363c19771b184b796c396e6ef5438b +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepino", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 60 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS TLS Length 50 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0852], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.30.1.83 port 2053 EAP-Message = 0x0102040015c0000008af160301004a02000046030147b33cc20d40ac060317b279f8c711d09152731cb47acd3c82ea6aa58a369f9e2001ecdf8fe79083828b06a3d6a79f4e27c10215c7ad55da750b8711d49adc822c000a0016030108520b00084e00084b0003b9308203b53082029da003020102020111300d06092a864886f70d010104050030818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06 EAP-Message = 0x035504031315436572746966696361746520417574686f72697479301e170d3037313031313233333633305a170d3131313031303233333633305a308193310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f312d302b060355040b1324446570617274616d656e746f20646520436f6d756e69636163696f6e6573202d20737032311d301b06035504031314737065637472756d2e70616c65726d6f2e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100e04585aa76fe88e53fe2e5 EAP-Message = 0xfd4e4c9732987996ca13093a1173f9760319f9bf6b1bbad6702284056432c8b9409e28789a2d91e8027baa1fadcf4951be8b3d1932d6a125dd50d18a57ea8c909eb93b83f73404193b6ebb16e7abcc49ec7b3d2546f65e41d895631ab82cbf09c6744c9d6e01064fd1548487e70baf1179f387430d7f193460f4bf55e9c6cb2100202382b2c0c10929e125f8c32bd5cd0d26c3d908688cb747475263370195f56c256bad4ee232fb9db6bf07966c6ad88f5bfa07143c5a626fde432f3582bdc50164e1b216e902efb947be80f5d64cf05e33e1ba76c3734bd4a1586895b5575ac4ea9f87384629547e75ad7c119c66abe7a07f8c7d0203010001a31730 EAP-Message = 0x1530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100c056381386ae47210e7781b5f29f6e345d3cf3170d7b56f207c5120ad7a0a3f50d8d5089b1b670e12571f30f6035435027ba8a6c0f560c4ed67436b09470a25f6c6ed5f6183671143d0119cdbd58f1564ff62d829557d30db8e3e629cde53dc086b2b6e6cbc199f38653349b1abd884554bde148d0b3c6972f3910a3d9a6004b4b85b5c2bea77f8939d3518d718d5a1290ca6c03f3ce5d98906e243f4cc698360b5d5f3015054f0dc7f0cb42475760038477a75d03c048f80b4f50b554499749833660883b818630ae143a9e0ac935e5e3d594 EAP-Message = 0xf97b881df18c0b1712e00eef Message-Authenticator = 0x00000000000000000000000000000000 State = 0x09eceb5c08eefe065d8607a9b4fe1db7 Finished request 1. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.30.1.83 port 2053, id=0, length=138 Cleaning up request 1 ID 0 with timestamp +76 User-Name = "pepino" NAS-IP-Address = 10.30.1.83 Called-Station-Id = "000625f17036" Calling-Station-Id = "000e35bf5118" NAS-Identifier = "000625f17036" NAS-Port = 54 Framed-MTU = 1400 State = 0x09eceb5c08eefe065d8607a9b4fe1db7 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200061500 Message-Authenticator = 0x3e6e0ad8ef6d020e50a7fc266679a163 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepino", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.30.1.83 port 2053 EAP-Message = 0x0103040015c0000008af6a91fa1582e7f8eb93fa4ee3f701692818d33744866b15afbc8774a1ed07b5b43200048c3082048830820370a003020102020101300d06092a864886f70d010104050030818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f72697479301e170d3035313230313134353835305a170d313531313239313435383530 EAP-Message = 0x5a30818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100eb878d17120d3af300ab78838b32fde160463d4ff2693c5ebc59123788f0bfe9d90aaa34a22bab04b8e8f294176215b97f2edf6c686434ad87acccd5ecf7edec871e8449a876cbfe531c EAP-Message = 0x5158385aa9d30685723cf3273b5d2d8cde4ca62b0c07c3bdd54be96f2f68074454281c527079276d3388dcdb097e730c419f58d24eaca71fd8c5d8b6fe023154b9bdb920dc6ac013a57dc9bf94b99250b47bc32a07afbf2a2eddd37bdb8f0421f7df33eb999dce70784d065458b5e590f1c285837464709c6af7e3ae092dd38372420e780d8567699d534897f298fcde4309a2f66afee6dce842a69c31f1ca580454665eae87a04881b0bbb009928b30ef374fa534e50203010001a381ee3081eb301d0603551d0e04160414fd77533bb6a66d1e3b48bfb5d21501d829ddf4693081bb0603551d230481b33081b08014fd77533bb6a66d1e3b48bfb5d2 EAP-Message = 0x1501d829ddf469a18194a4819130818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f72697479820101300c0603551d13040530030101ff300d06092a864886f70d0101040500038201010066656bbb8617d0aa046d938fb367586fb47ba22a4c54ccfc21d3bdc13ae39df3cd89029a0b5bcacb39977e824d94ba8c61296ce2e38d91e22766 EAP-Message = 0xce9ce6d988580251e19ef037 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x09eceb5c0beffe065d8607a9b4fe1db7 Finished request 2. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.30.1.83 port 2053, id=0, length=138 Cleaning up request 2 ID 0 with timestamp +76 User-Name = "pepino" NAS-IP-Address = 10.30.1.83 Called-Station-Id = "000625f17036" Calling-Station-Id = "000e35bf5118" NAS-Identifier = "000625f17036" NAS-Port = 54 Framed-MTU = 1400 State = 0x09eceb5c0beffe065d8607a9b4fe1db7 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061500 Message-Authenticator = 0x51a63d65cfdf526cd5a8155d12c5715d +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepino", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.30.1.83 port 2053 EAP-Message = 0x010400cd1580000008afcea75d86cb016c26f8d51bb33fbe8f07daf1f9fc78833f2254362517e85e9dcd2c4362773223204e9c66dff65f08f319c5c9a2bb6a6de09b6534fd5df1fc14ba8dc996930e5413bbb2d4cae1c5aa68abe3785bec762c0c47246c2a89066512727dfc1c8b96fb0005841d05009db8e084a3931d2046b4d8047d2c182c9b0a5b5f340ee1b4331ec0ece5185dc33e4f100ec0a0a7e6e2bad313ea717fa4d4ed2e913575014832f80d0298e5c662015b0729eabd6220c0082326acb516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x09eceb5c0ae8fe065d8607a9b4fe1db7 Finished request 3. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.30.1.83 port 2053, id=0, length=462 Cleaning up request 3 ID 0 with timestamp +76 User-Name = "pepino" NAS-IP-Address = 10.30.1.83 Called-Station-Id = "000625f17036" Calling-Station-Id = "000e35bf5118" NAS-Identifier = "000625f17036" NAS-Port = 54 Framed-MTU = 1400 State = 0x09eceb5c0ae8fe065d8607a9b4fe1db7 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0204014815800000013e16030101061000010201008ef5d1ba57f580cf15455ba3740683fbdf9dccfc38a8a1e961e5905ff156ea6cecf325e13d87666fb84923dc4e98e3687ac0dc00038d8bfa1e7ee1c6b4b4da3159656dd12646d34f8538ea15ff5572e4a78d3e634fbf47193b70c9e94978686e2e23a076b5558607feed19925ee5da72682a649247ae1ac1f5b7b263394c03a69bac09a7d9ff319cda4b098caccb8c52f2723d431cd3fab7df9a9cc948471efb4484490cc9517f909fd44853fbcc6f1aab84fab88b41fa2f43b6c1a9da8537cfaac1bbaa7f925f49603a680be366b93a4fc9127466288a4f45d3bdcf51f5c8d377578937cb84f9b0 EAP-Message = 0xa015c6c1d804e8fbf7af34c30fb1114b1c9d1d5381fd3b081403010001011603010028c0d2110365e90a2b921236c86847184288136a19041416b2b7b27765456cb0dd42e26ad3a991ad89 Message-Authenticator = 0xa7b63743d8ba7fafd65c9af5df3fc6a9 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepino", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS TLS Length 318 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.30.1.83 port 2053 EAP-Message = 0x0105003d158000000033140301000101160301002801b5893a2a514bd5a7e83dcd7c207736af5ba74733ef9b675ff5aa78442868f19c7057fe8510222a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x09eceb5c0de9fe065d8607a9b4fe1db7 Finished request 4. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.30.1.83 port 2053, id=0, length=203 Cleaning up request 4 ID 0 with timestamp +76 User-Name = "pepino" NAS-IP-Address = 10.30.1.83 Called-Station-Id = "000625f17036" Calling-Station-Id = "000e35bf5118" NAS-Identifier = "000625f17036" NAS-Port = 54 Framed-MTU = 1400 State = 0x09eceb5c0de9fe065d8607a9b4fe1db7 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205004715800000003d1703010038daf944025ba681f947e49c544656b692e93bdb977511588bcf8b45029ff27dc9610159e2e7294f5114b6fc9e6ddc73073562f590c450ede8 Message-Authenticator = 0xbc8970dfe215c0fbedd755aec5243d21 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepino", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 71 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS TLS Length 61 rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepino", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for pepino WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=pepino) expand: ou=people,dc=saltamontes,dc=edu -> ou=people,dc=saltamontes,dc=edu rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=saltamontes,dc=edu, with filter (uid=pepino) rlm_ldap: checking if remote access for pepino is allowed by radiusAllowed rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user pepino authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type ldap auth: type "LDAP" +- entering group LDAP rlm_ldap: - authenticate rlm_ldap: login attempt by "pepino" with password "testdude" rlm_ldap: user DN: uid=pepino,ou=people,dc=saltamontes,dc=edu rlm_ldap: (re)connect to ldap.saltamontes.edu:636, authentication 1 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb2/cacert.pem rlm_ldap: setting TLS Key File to /dev/urandom rlm_ldap: bind as uid=pepino,ou=people,dc=saltamontes,dc=edu/testdude to ldap.saltamontes.edu:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user pepino authenticated succesfully ++[ldap] returns ok Login OK: [pepino/testdude] (from client labs port 0) TTLS: Got tunneled Access-Accept rlm_eap: Freeing handler ++[eap] returns ok Login OK: [pepino/<via Auth-Type = EAP>] (from client labs port 54 cli 000e35bf5118) Sending Access-Accept of id 0 to 10.30.1.83 port 2053 MS-MPPE-Recv-Key = 0x4ba8aa29481d8800776182d3da34903cd3d08639b8b98ecbd69cb5a6f09b73f3 MS-MPPE-Send-Key = 0xe661d6eb161f489b2148adbec2815116d80cf06b209e41c9b570104856729c14 EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "pepino" Finished request 5. Going to the next request Waking up in 0.9 seconds. Waking up in 4.0 seconds. Cleaning up request 5 ID 0 with timestamp +76 Ready to process requests. -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
Sorry for insist on, but is right that in debug mode show the user password, even using tunnel? -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
2008/2/14, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk>:
Hi,
Sorry for insist on, but is right that in debug mode show the user password, even using tunnel?
yes - if the password is available is a clear format - eg not a challenge/response method. ALL passwords get printed in clear text.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
But, I don't understand, how can be shown it if password is encrypted in LDAP and I am using EAP-TTLS, is not the password into the tunnel?. I am using securew2 with PAP from windows clients. Does it mean that password could be sniffed when radius is not running in debug mode?? Thanks in advance... -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
Hi,
But, I don't understand, how can be shown it if password is encrypted in LDAP and I am using EAP-TTLS, is not the password into the tunnel?. I am using securew2 with PAP from windows clients. Does it mean that password could be sniffed when radius is not running in debug mode??
the server KNOWS the password. therefore it is showing it. thats how it can do the LDAP stuff...it HAS to know the password to make the LDAP attempt successful. the password will always be available in a raw format in the server engine. if you dont like passwords, move to a challenge/response system - eg MSCHAPv2 i wouldnt lose sleep over it. when the server is not running in debug mode, the only way of sniffing the password is via a few changes to the FreeRADIUS source code. in general practice that password is buried in a TTLS tunnel. its not readable by anything other than the RADIUS server. think of the information flow and process. alan
2008/2/14, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk>:
Hi,
But, I don't understand, how can be shown it if password is encrypted in LDAP and I am using EAP-TTLS, is not the password into the tunnel?. I am using securew2 with PAP from windows clients. Does it mean that password could be sniffed when radius is not running in debug mode??
the server KNOWS the password. therefore it is showing it. thats how it can do the LDAP stuff...it HAS to know the password to make the LDAP attempt successful. the password will always be available in a raw format in the server engine. if you dont like passwords, move to a challenge/response system - eg MSCHAPv2
i wouldnt lose sleep over it. when the server is not running in debug mode, the only way of sniffing the password is via a few changes to the FreeRADIUS source code. in general practice that password is buried in a TTLS tunnel. its not readable by anything other than the RADIUS server. think of the information flow and process.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Alan for your explanation, now I've got it. -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Sergio Belkin