use_tunneled_reply has no effect

Xiwen Cheng xcheng at math.leidenuniv.nl
Wed Jun 17 13:47:31 CEST 2009


On Wed, Jun 17, 2009 at 01:23:57PM +0200, Stefan Winter wrote:
> The whole concept of inner tunneling and protecting it via TLS is
> *because* you are *not* supposed to see the actual authentication
> credentials. For your local users, you terminate the tunnel yourself and
> can decide to expose the information by uncommenting the above, but for
> non-local users it is supposed to not work.
> 
> Outer anonymous identities preserve privacy of the (remote) user
> authenticating. If you want to change that, you need a business
> agreement with the remote party to disclose their user information to you.
> 
> Taking a peek at your mail domain name: if you are about to set up
> eduroam - there is no automated disclosure of the inner identity in
> eduroam. There is a process to ask the identity provider (IdP)
> retroactively *if and when* the user has done something wrong and needs
> to be traced. But there is no proactive information disclosure - or
> better put, it's in the discretion of the IdP to tell the rest of the
> world who his user is; unsurprisingly most IdPs opt not to do so, if for
> no other reason than to evade privacy and data protection laws.

Yes, I am aware privacy is a concern. As I am doing some tests, I
thought it would be easier to debug if there were a way to relate a request
to a proxied username. Is this technically not possible, or is it more a
political matter?

I thought the outer tunnel is set up to secure the connection between the
user and the authentication server. So the authentication server has access to
the unencrypted data, which it in turn queries proxies with to verify the
received credentials; this data is encrypted using the home-server shared
key. Please enlighten me if this is not correct.

Best regards,
Xiwen
