Hi Everybody, Is it possilbe to avoid attribute editing and message editing by using EAP-TTLS or EAP-PEAP in a proxy environment? As far as I understton, In EAP-TTLS a tunnel is formed between a user and the TTLS server, now this TTLS server will forward the request to the proxy and proxy to the home radius server. So the threat here is from proxy, which can falsely edit attribute and messages. For example if home radius sever sends Accept-accept packet , it is possible that a proxy can change the same packet to Access-Reject (wantedly), so that the user will not be able to access visited network. Thanks in advance, Tahseen
"Tahseen Hussain" <stud3080@itu.dk> wrote:
Is it possilbe to avoid attribute editing and message editing by using EAP-TTLS or EAP-PEAP in a proxy environment?
Yes.
As far as I understton, In EAP-TTLS a tunnel is formed between a user and the TTLS server, now this TTLS server will forward the request to the proxy and proxy to the home radius server. So the threat here is from proxy, which can falsely edit attribute and messages.
If the proxy terminates the TLS session.
For example if home radius sever sends Accept-accept packet , it is possible that a proxy can change the same packet to Access-Reject (wantedly), so that the user will not be able to access visited network.
Yes. Any proxy can do this, and there's nothing you can do to solve that problem. Alan DeKok.
participants (2)
-
Alan DeKok -
Tahseen Hussain