Is tunnel right? (EAP-TTLS)

Sergio Belkin sebelk at
Thu Feb 14 14:17:06 CET 2008

2008/2/14, A.L.M.Buxey at <A.L.M.Buxey at>:
> Hi,
>  > But I don't understand: how can it be shown if the password is encrypted
>  > in LDAP and I am using EAP-TTLS? Is the password not in the tunnel?
>  > I am using SecureW2 with PAP from Windows clients. Does it mean that the
>  > password could be sniffed when RADIUS is not running in debug mode?
> the server KNOWS the password. therefore it is showing it. that's how
>  it can do the LDAP HAS to know the password to make
>  the LDAP attempt successful. the password will always be available in
>  a raw format in the server engine.  if you don't like passwords,
>  move to a challenge/response system - e.g. MSCHAPv2
>  i wouldn't lose sleep over it. when the server is not running in debug
>  mode, the only way of sniffing the password is via a few changes to
>  the FreeRADIUS source code.  in general practice that password is
>  buried in a TTLS tunnel. it's not readable by anything other than the
>  RADIUS server. think of the information flow and process.
>  alan

Thanks Alan for your explanation, now I've got it.
Open Kairos
Watch More TV
Sergio Belkin -

More information about the Freeradius-Users mailing list