Reply-message and supplicant

Arran Cudbard-Bell a.cudbard-bell at sussex.ac.uk
Sun Jun 7 02:57:03 CEST 2009


Alexander Clouter wrote:
> A.L.M.Buxey at lboro.ac.uk wrote:
>>> No one in London wants to go to Sussex though and from my logs it does
>>> not look like anyone from Sussex wants to go to London either ;)
>>>
>>> If someone gives me something better to use in my RADIUS packets then
>>> I'm game.  Meanwhile I keep meaning to glue 'exec' and 'fortune'
>>> together and see if anyone notices.
>> I've been having a look at such packets on the national proxy and wonder
>> if it's because people are just blamming a reply-message in at a wrong
>> stage...e.g. during Auth? would a default entry in use users file or
>> SQL group reply table cause such wrongness? most likely.
>>
> I have an entry in my 'users' file for if people insist on sending their
> username without a realm
... hmm that's pretty standard behaviour. We don't require FQUNs
either.  Though I have no idea why you still insist on using user files
for policies. There's this newfangled policy language you know :P
>  or mix inner/outer domains, <insert other
> braindead-ness>.  It's more for me whilst looking through my SQL logs,
> however I also slip into my Reply-Message a comment if the
> authentication attempt was against a test (non-production use) account.
>
Yeah that's fine... Just strip out the Reply-Message before you send the
packet.
>> crack-pipe question of the day:
>>
>> could reply messages be used with some smart server-end code to provide
>> a data communication channel? i.e. user A has code that attempts to use EAP
>> with special username coding...the remote server is designed
>> to throw responses in EAP messages...which the modified supplicant
>> on the client can then extract? this could tunnel traffic through
>> an 802.1X restricted network? in fact, is the inner EAP traffic limited
>> at all?  once the authentication outer layer is started I should be
>> able to just keep throwing data back/forward through that tube?
>>
Wait are you talking about something really quite evil here? Like using
EAP as a VPN tunnel ?!?!

Arran
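
An added example, not part of the original thread: a Python check that a proxy operator could run over captured RADIUS responses to spot a Reply-Message sent together with an EAP-Message, the "wrong stage" case discussed above. The function names and sample packets are constructed for illustration; authenticators are zeroed and not verified.

```python
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
REPLY_MESSAGE, EAP_MESSAGE = 18, 79
RESPONSES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_radius(packet: bytes):
    """Return (code, identifier, [(attr_type, value), ...]); ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs

def audit_reply_message(packet: bytes):
    """Flag a response that carries Reply-Message together with EAP-Message."""
    code, ident, attrs = parse_radius(packet)
    texts = [v for t, v in attrs if t == REPLY_MESSAGE]
    if code not in RESPONSES or not texts or EAP_MESSAGE not in {t for t, _ in attrs}:
        return None
    return {"code": RESPONSES[code], "id": ident,
            "reply_message_bytes": sum(len(v) for v in texts),
            "texts": [v.decode("utf-8", "replace") for v in texts]}

def build(code, ident, attrs):
    """Constructed sample packet; the 16-byte authenticator is zeroed, not computed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: an EAP challenge with a stray Reply-Message, and a plain accept.
SAMPLE_CHALLENGE = build(ACCESS_CHALLENGE, 7, [(EAP_MESSAGE, b"\x01\x02\x00\x06\x19\x20"),
                                               (REPLY_MESSAGE, b"test account")])
SAMPLE_ACCEPT = build(ACCESS_ACCEPT, 8, [(REPLY_MESSAGE, b"welcome")])

if __name__ == "__main__":
    for pkt in (SAMPLE_CHALLENGE, SAMPLE_ACCEPT):
        print(audit_reply_message(pkt))
```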