Reply-message and supplicant

Alexander Clouter alex at digriz.org.uk
Sun Jun 7 13:15:06 CEST 2009


Arran Cudbard-Bell <a.cudbard-bell at sussex.ac.uk> wrote:
> 
> Alexander Clouter wrote:
>> A.L.M.Buxey at lboro.ac.uk wrote:
>>>> No one in London wants to go to Sussex though and from my logs it does
>>>> not look like anyone from Sussex wants to go to London either ;)
>>>>
>>>> If someone gives me something better to use in my RADIUS packets then
>>>> I'm game.  Meanwhile I keep meaning to glue 'exec' and 'fortune'
>>>> together and see if anyone notices.
>>> I've been having a look at such packets on the national proxy and wonder
>>> if it's because people are just blamming a reply-message in at the wrong
>>> stage...eg during Auth? would a default entry in the users file or
>>> SQL group reply table cause such wrongness? most likely.
>>>
>> I have an entry in my 'users' file for if people insist on sending their
>> username without a realm
>
> ... hmm that's pretty standard behaviour. We don't require FQUNs
> either.  Though I have no idea why you still insist on using user files
> for policies. There's this new fangled policy language you know :P
>
We *demand* it as otherwise the helpdesk get lazy and users start 
complaining that 'eduroam' does not work.

As for using the user file for policies, why would I care?  It works, 
does what I need.  For me, I don't particularly find the unlang stuff 
particularly compact/natural and it's a bit verbose for my liking; I 
have not lost anything not using it.

For some things I do use it, things that cannot be expressed in the 
users file.  Whatever looks the cleanest and more natural way, is what 
I use.

Much like why I use LaTeX for presentations rather than some new 
'fangled' tool for giving presentations :P

>>  or mix inner/outer domains, <insert other
>> braindead-ness>.  It's more for me whilst looking through my SQL logs,
>> however I also slip into my Reply-Message a comment if the
>> authentication attempt was against a test (non-production use) account.
>
> Yeah that's fine... Just strip out the Reply-Message before you send the
> packet.
>
Do you know of an *alternative* way to send human readable messages to 
sysadmins at other sites?

Scenario:

The users we block for AUP violations or whatever might be roaming.  
Users *lie*, always, and cannot be trusted.  If I just straightly block 
the user and the user grumbles to the remote sysadmin they are going to 
pester me.  If they look in their logs there is a possibility that they 
are logging Reply-Message and can see "this user is actually blocked and 
nothing on a technical level is wrong".

It might be upsetting the RFCs, but I challenge you (for example) to 
pick a selection of IPv6 related RFCs that do not clash with one 
another.  I'm guessing Alan could probably point out where the RFCs 
conflict against one another in the RADIUS world too.

If my Reply-Messages break something, I'll stop sending them.  I think 
you need to stop worrying about the Reply-Messages and maybe look out 
for those broken folk who keep insisting on telling me to put their users 
in a particular VLAN, maybe we could just get JANET to refuse those IAS 
users. :)

>>> crack-pipe question of the day:
>>>
>>> could reply messages be used with some smart server-end code to provide
>>> a data communication channel? ie user A has code that attempts to use EAP
>>> with special username coding...the remote server is designed
>>> to throw responses in EAP messages...which the modified supplicant
>>> on the client can then extract? this could tunnel traffic through
>>> an 802.1X restricted network? in fact, is the inner EAP traffic limited
>>> at all?  once the authentication outer layer is started i should be
>>> able to just keep throwing data back/forward through that tube?
>>>
>
> Wait are you talking about something really quite evil here? Like using
> EAP as a VPN tunnel ?!?!
>
Again, why *bother*.  If someone is sending a malicious RADIUS server an 
Access-Request message, all it has to do is send back an Access-Accept.  
Hell you can then tunnel over something that probably has less latency 
and is just as stealthy like DNS.  Hell or just use a real VPN, or 
forget the lot and just use a 3G modem.

Cheers

-- 
Alexander Clouter
.sigmonster says: Try `stty 0' -- it works much better.
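For readers following the thread, here is what the kind of 'users' file entries Alexander describes look like (a realm-less username entry, a blocked user carrying an explanatory Reply-Message, and a test account tagged in the reply). This is a constructed example added to this archive page, not Alexander's own configuration; the usernames, realm and password are placeholders, and the check/reply syntax follows the standard FreeRADIUS 'users' file format (the "Auth-Type := Reject" plus "Reply-Message" pattern is the one the stock users file itself documents for disabled accounts).

```text
# Constructed example entries for a FreeRADIUS 'users' file (not from the thread).
# First line of each entry: username (or DEFAULT) followed by check items.
# Following indented lines: reply items, which end up in the Access-Accept
# or, for a rejected entry, in the Access-Reject.

# Someone sent a bare username with no realm: reject and say why, so the
# helpdesk can read the reason straight out of the RADIUS log.
DEFAULT	User-Name !~ "@", Auth-Type := Reject
	Reply-Message = "Username must include a realm, e.g. user@example.ac.uk"

# A user suspended for an AUP violation. The reply item sits on the final
# Access-Reject, not in a mid-EAP Access-Challenge, so a remote site that
# logs Reply-Message sees that the block is deliberate and not a fault.
suspended-user@example.ac.uk	Auth-Type := Reject
	Reply-Message = "Account suspended by home site for AUP violation; nothing is technically wrong"

# A test (non-production) account: tag the reply so the log line is
# recognisable. Fall-Through lets later DEFAULT entries still apply.
# Placeholder password for illustration only.
test-account@example.ac.uk	Cleartext-Password := "PLACEHOLDER-CHANGE-ME"
	Reply-Message = "test account, non-production use",
	Fall-Through = Yes
```

Note the distinction the thread turns on: a Reply-Message attached to a final Access-Accept or Access-Reject is what a remote sysadmin might find in their logs, whereas one injected at an earlier stage of the exchange is the "wrong stage" case Alan raises; if a proxy or roaming federation objects to the attribute, it can be removed from the outgoing reply before the packet is sent, as Arran suggests.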