Is tunnel right? (EAP-TTLS)
Sergio Belkin
sebelk at gmail.com
Thu Feb 14 14:17:06 CET 2008
2008/2/14, A.L.M.Buxey at lboro.ac.uk <A.L.M.Buxey at lboro.ac.uk>:
> Hi,
>
>
> > But I don't understand: how can it be shown if the password is encrypted
> > in LDAP and I am using EAP-TTLS? Isn't the password inside the tunnel?
> > I am using securew2 with PAP from Windows clients. Does it mean that the
> > password could be sniffed when radius is not running in debug mode??
>
>
> the server KNOWS the password. therefore it is showing it. that's how
> it can do the LDAP stuff...it HAS to know the password to make
> the LDAP attempt successful. the password will always be available in
> a raw format in the server engine. if you don't like passwords,
> move to a challenge/response system - e.g. MSCHAPv2
>
> i wouldn't lose sleep over it. when the server is not running in debug
> mode, the only way of sniffing the password is via a few changes to
> the FreeRADIUS source code. in general practice that password is
> buried in a TTLS tunnel. it's not readable by anything other than the
> RADIUS server. think of the information flow and process.
>
>
> alan
Thanks, Alan, for your explanation; now I've got it.
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
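To make Alan's "information flow" concrete, here is an added example (not code from this thread or from FreeRADIUS) that builds the inner PAP payload a supplicant sends inside the EAP-TTLS tunnel and decodes it the way the server's TTLS endpoint does. It assumes the AVP layout of RFC 5281: RADIUS attribute numbers reused as AVP codes, a 4-byte code, a flags byte (V = vendor, M = mandatory), a 3-byte length, optional Vendor-ID, data padded to 4 bytes, and a PAP User-Password sent in the clear (only nul-padded to a multiple of 16 bytes, not RADIUS-obfuscated). The TLS layer that wraps this on the wire is omitted: what follows is exactly what exists after the server decrypts the tunnel, which is why `radiusd -X` can print it and why a supplicant-side sniffer cannot. The user name and password are constructed sample values.

```python
import struct

# RADIUS attribute numbers carried as EAP-TTLS AVP codes (RFC 5281 section 11.2.2)
AVP_USER_NAME = 1
AVP_USER_PASSWORD = 2

FLAG_VENDOR = 0x80      # V bit: a 4-byte Vendor-ID follows the length
FLAG_MANDATORY = 0x40   # M bit: receiver must understand this AVP or abort


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """Serialize one EAP-TTLS AVP; padding to a 4-byte boundary is not counted in length."""
    flags = FLAG_MANDATORY if mandatory else 0
    header_len = 8
    if vendor_id is not None:
        flags |= FLAG_VENDOR
        header_len += 4
    length = header_len + len(data)
    hdr = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        hdr += struct.pack("!I", vendor_id)
    return hdr + data + b"\x00" * ((-len(data)) % 4)


def pap_inner_payload(username, password):
    """What a supplicant doing PAP inside TTLS hands to the TLS layer:
    User-Name plus a nul-padded, otherwise cleartext User-Password."""
    pw = password.encode()
    pw += b"\x00" * ((-len(pw)) % 16)
    return encode_avp(AVP_USER_NAME, username.encode()) + encode_avp(AVP_USER_PASSWORD, pw)


def decode_avps(buf):
    """Parse a sequence of AVPs -> list of (code, vendor_id, mandatory, data).
    Raises ValueError on truncated or inconsistent input."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len, vendor_id = 8, None
        if flags & FLAG_VENDOR:
            hdr_len = 12
            vendor_id = struct.unpack_from("!I", buf, off + 8)[0]
        if length < hdr_len or off + length > len(buf):
            raise ValueError("bad AVP length")
        avps.append((code, vendor_id, bool(flags & FLAG_MANDATORY), buf[off + hdr_len:off + length]))
        off += length + ((-length) % 4)   # skip padding
    return avps


def server_view(buf):
    """The authenticating server's view: it necessarily holds the raw password,
    since it must bind or compare against LDAP with it."""
    view = {}
    for code, vendor_id, mandatory, data in decode_avps(buf):
        if vendor_id is None and code == AVP_USER_NAME:
            view["User-Name"] = data.decode()
        elif vendor_id is None and code == AVP_USER_PASSWORD:
            view["User-Password"] = data.rstrip(b"\x00").decode()  # strip the 16-byte nul padding
        elif mandatory:
            # RFC 5281: an unrecognized AVP with the M bit set must abort the negotiation
            raise ValueError(f"unsupported mandatory AVP {code}")
    return view


def log_safe_view(buf):
    """Same attributes, but shaped for a log line: the secret never reaches the log."""
    view = server_view(buf)
    if "User-Password" in view:
        view["User-Password"] = "<redacted>"
    return view


if __name__ == "__main__":
    inner = pap_inner_payload("sergio", "s3cret")       # constructed sample credentials
    print("inside the tunnel, the server sees:", server_view(inner))
    print("what should reach a log file:      ", log_safe_view(inner))
```

The contrast with Alan's suggestion is visible in `server_view`: with PAP the decrypted tunnel contents contain the password itself, so any debug output that dumps attributes dumps the secret; with a challenge/response method such as MSCHAPv2 the inner AVPs carry only a challenge and a response, so the same dump would not reveal a reusable password. Operationally, the mitigation is on the logging side: keep debug output off in production and redact User-Password wherever attributes are logged, as `log_safe_view` does.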