Reply-message and supplicant

Alexander Clouter alex at digriz.org.uk
Sat Jun 6 19:12:59 CEST 2009


A.L.M.Buxey at lboro.ac.uk wrote:
> 
>> No one in London wants to go to Sussex though and from my logs it does 
>> not look like anyone from Sussex wants to go to London either ;)
>> 
>> If someone gives me something better to use in my RADIUS packets then 
>> I'm game.  Meanwhile I keep meaning to glue 'exec' and 'fortune' 
>> together and see if anyone notices.
> 
> I've been having a look at such packets on the national proxy and wonder
> if it's because people are just blamming a reply-message in at a wrong
> stage...eg during Auth? would a default entry in use users file or
> SQL group reply table cause such wrongness? most likely.
> 
I have an entry in my 'users' file for if people insist on sending their 
username without a realm, or mix inner/outer domains, <insert other 
braindead-ness>.  It's more for me whilst looking through my SQL logs, 
however I also slip into my Reply-Message a comment if the 
authentication attempt was against a test (non-production use) account.

> crack-pipe question of the day:
> 
> could reply messages be used with some smart server-end code to provide 
> a data communication channel? ie user A has code that attempts to use EAP
> with special username coding...the remote server is designed
> to throw responses in EAP messages...which the modified supplicant
> on the client can then extract? this could tunnel traffic through
> an 802.1X restricted network? in fact, is the inner EAP traffic limited
> at all?  once the authentication outer layer is started I should be
> able to just keep throwing data back/forward through that tube? 
> 
Alternatively the 'smart server-end' could just send an Access-Accept :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Available while quantities last.



