Is tunnel right? (EAP-TTLS)

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Thu Feb 14 14:01:22 CET 2008


Hi,

> But, I don't understand, how can it be shown if the password is encrypted
> in LDAP and I am using EAP-TTLS; isn't the password inside the tunnel?
> I am using securew2 with PAP from Windows clients. Does it mean that the
> password could be sniffed when radius is not running in debug mode??

The server KNOWS the password. Therefore it is showing it. That's how
it can do the LDAP stuff... it HAS to know the password to make
the LDAP attempt successful. The password will always be available in
a raw format in the server engine. If you don't like passwords,
move to a challenge/response system, e.g. MSCHAPv2.

I wouldn't lose sleep over it. When the server is not running in debug
mode, the only way of sniffing the password is via a few changes to
the FreeRADIUS source code. In general practice that password is
buried in a TTLS tunnel. It's not readable by anything other than the
RADIUS server. Think of the information flow and process.

alan
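The information flow Alan describes, as an added simulation (not FreeRADIUS code and not part of the original thread): the TTLS tunnel is modelled as a toy envelope that only the RADIUS server's session key opens, the LDAP bind is a local OpenLDAP-style {SSHA} check, and the challenge/response path uses a simplified HMAC construction rather than MSCHAPv2's exact algorithm. The user name, password and key material are constructed values. It shows that with PAP the plaintext is unreadable on the wire but present in the server (and therefore in debug output), while with challenge/response the server needs only a stored password-derived verifier.

```python
"""Where a password is readable on its way through EAP-TTLS/PAP, as a
constructed simulation (not FreeRADIUS code).  The TTLS tunnel is a toy
envelope that only the RADIUS server's key opens; the LDAP bind is a local
{SSHA} check standing in for the directory."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field


# --- toy stand-in for the TLS tunnel (NOT a real cipher; illustration only) ---
def tunnel_seal(key: bytes, inner: bytes) -> bytes:
    """Wrap 'inner' so only a holder of 'key' can read it: nonce || body."""
    nonce = os.urandom(16)
    keystream = hmac.new(key, nonce, "sha256").digest()
    assert len(inner) <= len(keystream), "toy tunnel: one 32-byte record only"
    return nonce + bytes(a ^ b for a, b in zip(inner, keystream))


def tunnel_open(key: bytes, sealed: bytes) -> bytes:
    """Inverse of tunnel_seal; this is what the RADIUS server does at TLS termination."""
    nonce, body = sealed[:16], sealed[16:]
    keystream = hmac.new(key, nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(body, keystream))


# --- directory side: OpenLDAP-style {SSHA} userPassword value ---
def ssha(password: str, salt=None) -> str:
    """{SSHA} = base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ldap_simple_bind(stored: str, password: str) -> bool:
    """The directory recomputes the salted hash, so the caller must hold the
    plaintext: this is why the RADIUS server has to know the password."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def password_verifier(password: str) -> bytes:
    """Password-derived verifier the directory must store for a C/R method
    (analogue of an NT hash: password-equivalent, so it needs protecting)."""
    return hashlib.sha256(b"verifier:" + password.encode()).digest()


@dataclass
class RadiusServer:
    tunnel_key: bytes
    directory: dict = field(default_factory=dict)   # user -> {SSHA} (PAP/LDAP path)
    verifiers: dict = field(default_factory=dict)   # user -> verifier (C/R path)
    debug: bool = False                             # models running radiusd in debug mode
    log: list = field(default_factory=list)

    def handle_ttls_pap(self, sealed: bytes) -> bool:
        """Terminate the tunnel, recover user/password, bind to the directory."""
        user, password = tunnel_open(self.tunnel_key, sealed).decode().split("\0")
        if self.debug:   # the raw password is in memory here, and debug prints it
            self.log.append(f'User-Password = "{password}"')
        return ldap_simple_bind(self.directory[user], password)

    def handle_challenge_response(self, user: str, challenge: bytes, response: bytes) -> bool:
        """Simplified HMAC challenge/response (not MSCHAPv2's construction):
        the server checks against a stored verifier and never sees the plaintext."""
        expected = hmac.new(self.verifiers[user], challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)


def run_demo(password: str = "hunter2-constructed") -> dict:
    key = os.urandom(32)                      # TTLS session key, held by the server only
    srv = RadiusServer(tunnel_key=key, debug=True)
    srv.directory["alice"] = ssha(password)
    srv.verifiers["alice"] = password_verifier(password)

    # 1. EAP-TTLS/PAP: plaintext inside the tunnel, readable once the tunnel ends.
    sealed = tunnel_seal(key, f"alice\0{password}".encode())
    on_the_wire = sealed                      # what a sniffer between client and server sees
    pap_ok = srv.handle_ttls_pap(sealed)

    # 2. Challenge/response: only a response derived from the verifier crosses the wire.
    challenge = os.urandom(16)
    response = hmac.new(password_verifier(password), challenge, "sha256").digest()
    cr_ok = srv.handle_challenge_response("alice", challenge, response)

    return {
        "pap_ok": pap_ok,
        "wire_has_plaintext": password.encode() in on_the_wire,
        "debug_log_has_plaintext": any(password in line for line in srv.log),
        "cr_ok": cr_ok,
        "cr_message_has_plaintext": password.encode() in challenge + response,
    }


if __name__ == "__main__":
    print(run_demo())
```

The trade-off the simulation makes visible: PAP inside TTLS works against a directory that stores only salted hashes, because the server forwards the plaintext to the bind, whereas a challenge/response method requires the directory to hold a password-equivalent verifier the server can compute against (for real MSCHAPv2, an NT hash or cleartext password), which is a different thing to protect.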


