use_tunneled_reply has no effect

Stefan Winter stefan.winter at
Thu Jun 18 08:30:27 CEST 2009


> Yes, I am aware privacy is a concern. As I am doing some tests, I
> thought it would be easier to debug if there's a way to relate a request
> to a proxied username. This is technically not possible or it's more a 
> political matter?

Technically impossible until you break TLS. OR make a deal with the home
server that it reveals the actual user name to you.

> I thought the outer-tunnel is set up to secure the connection between the
> user and the authentication server.

And the *home* authentication server. If you operate a proxy in the
middle between user and home server, you will not see the inner tunnel

>  So the Authentication has access to
> the unencrypted data which it in turn queries proxies to verify the
> received credentials;

Only the *home* authentication server has access to the credentials.
These credentials are typically not proxied anywhere (there are
exceptions at the discretion of that home server).

>  this data is encrypted using the home-server shared 
> key. Please enlighten me if this is not correct.

The shared secret ensures packet integrity between RADIUS peers, i.e.
between your proxy and the home server. With EAP authentication, it does
*not* add anything to credential encryption - that happens entirely in
the EAP tunnel.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

More information about the Freeradius-Users mailing list