use_tunneled_reply has no effect

A.L.M.Buxey
Wed Jun 17 14:04:06 CEST 2009


> I thought the outer-tunnel is set up to secure the connection between the
> user and the authentication server. So the authentication server has access to
> the unencrypted data, which it in turn proxies to verify the
> received credentials; this data is encrypted using the home-server shared
> key. Please enlighten me if this is not correct.

the outer identity is used to identify (and can be anonymous - the RFC states
it should be blank, i.e. rather than anonymous at)
the user that is requesting the service - so that the packets can
be sent to the correct end server via proxy methods before the inner
tunnel can be created (which uses the RADIUS certificate etc. to create
a secure tunnel through the proxied path).

authentication can never occur on outer id/outer tunnel. well, it could
if you just didn't care about security, didn't use passwords and
didn't have any kind of EAP ;-)

don't forget, the user never does anything. the packets get sent
via 802.1X to the NAS (RADIUS client) which in turn passes the
RADIUS packets to the RADIUS server (which then proxies etc. if
needed). the NAS will never talk directly to the final AAA RADIUS -
the communication is always passed through the proxy chain.