use_tunneled_reply has no effect
Stefan Winter
stefan.winter at restena.lu
Thu Jun 18 08:30:27 CEST 2009
Hi,
> Yes, I am aware privacy is a concern. As I am doing some tests, I
> thought it would be easier to debug if there were a way to relate a request
> to a proxied username. Is this technically not possible, or is it more a
> political matter?
>
Technically impossible unless you break TLS, OR make a deal with the home
server so that it reveals the actual user name to you.
> I thought the outer-tunnel is set up to secure the connection between the
> user and the authentication server.
And the *home* authentication server. If you operate a proxy in the
middle between user and home server, you will not see the inner tunnel
credentials.
> So the authentication server has access to
> the unencrypted data, and it in turn queries proxies to verify the
> received credentials;
Only the *home* authentication server has access to the credentials.
These credentials are typically not proxied anywhere (there are
exceptions at the discretion of that home server).
> this data is encrypted using the home-server shared
> key. Please enlighten me if this is not correct.
>
The shared secret ensures packet integrity between RADIUS peers, i.e.
between your proxy and the home server. With EAP authentication, it does
*not* add anything to credential encryption - that happens entirely in
the EAP tunnel.
Greetings,
Stefan Winter
--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
More information about the Freeradius-Users mailing list
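The point made in the reply above, shown concretely as an added example that is not code from this thread or from the FreeRADIUS project: a proxy sitting between the NAS and the home server can read the outer User-Name and the EAP framing of an EAP-TTLS Access-Request, can verify (and re-sign) the packet with the shared secret it holds, but gets nothing more than opaque TLS bytes where the inner identity and password travel. Attribute and EAP layouts follow RFC 2865, RFC 3579 and RFC 5281; the shared secret, Request Authenticator, outer identity and the stand-in TLS record are all constructed values for illustration, not captured traffic.

```python
"""Added example, not from the original thread or the FreeRADIUS project:
what a RADIUS proxy between the user's NAS and the home server can read
from an EAP-TTLS Access-Request, and what the shared secret actually covers.
Packet layouts follow RFC 2865 (RADIUS), RFC 3579 (Message-Authenticator)
and RFC 5281 (EAP-TTLS); every value below is constructed for illustration."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_TTLS = 21

SECRET = b"testing123"            # constructed proxy <-> home server secret
AUTHENTICATOR = bytes(range(16))  # constructed Request Authenticator
# Stand-in for a TLS record carrying the inner identity and password.  In a
# real exchange this is ciphertext under keys only the supplicant and the
# home server hold; the proxy sees the same opaque bytes either way.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + hashlib.sha256(b"constructed ciphertext").digest()


def encode_attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Yield (type, value) for every attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        yield attr_type, packet[pos + 2:pos + length]
        pos += length


def build_access_request(identifier, authenticator, secret, attrs):
    """Serialise an Access-Request; Message-Authenticator is HMAC-MD5 keyed
    with the shared secret over the whole packet with its value zeroed."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac   # Message-Authenticator is the last attribute


def verify_message_authenticator(packet, secret):
    """The integrity check a RADIUS peer performs with the shared secret."""
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False


def proxy_view(packet):
    """Everything a proxy in the middle can read: the outer identity and the
    EAP framing.  The TLS payload is returned as the opaque bytes it is."""
    view = {"outer_identity": None, "eap_type": None, "tls_payload": b""}
    eap = b""
    for attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_USER_NAME:
            view["outer_identity"] = value.decode()
        elif attr_type == ATTR_EAP_MESSAGE:
            eap += value            # EAP-Message may span several attributes
    if eap:
        _code, _id, _length, eap_type, _flags = struct.unpack("!BBHBB", eap[:6])
        view["eap_type"] = eap_type
        view["tls_payload"] = eap[6:]   # EAP-TTLS, no L flag: TLS data follows the flags byte
    return view


def build_sample_request():
    eap = struct.pack("!BBHBB", EAP_RESPONSE, 7, 6 + len(TLS_RECORD), EAP_TYPE_TTLS, 0)
    return build_access_request(42, AUTHENTICATOR, SECRET, [
        (ATTR_USER_NAME, b"anonymous@example.edu"),   # outer identity: only the realm is real
        (ATTR_EAP_MESSAGE, eap + TLS_RECORD),
    ])


def tampered(packet):
    """Flip the case of one byte in the outer identity en route."""
    idx = packet.index(b"anonymous@")
    return packet[:idx] + b"Anonymous@" + packet[idx + 10:]


if __name__ == "__main__":
    pkt = build_sample_request()
    print("proxy sees:", proxy_view(pkt))
    print("integrity OK:", verify_message_authenticator(pkt, SECRET))
    print("integrity after tampering:", verify_message_authenticator(tampered(pkt), SECRET))
```

Two things worth noticing when running it. First, `verify_message_authenticator` succeeds for anyone holding the secret, the proxy included, and fails on a single flipped byte or a wrong secret: that is hop-by-hop integrity between RADIUS peers, nothing more. Second, no step anywhere applies the secret to the EAP payload; `proxy_view` hands back exactly the bytes that went in, because with EAP there is nothing in the packet for the secret to decrypt. The inner identity only becomes visible where the TLS tunnel terminates, at the home server.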