use_tunneled_reply has no effect

Xiwen Cheng xcheng at math.leidenuniv.nl
Thu Jun 18 12:27:01 CEST 2009


On Thu, Jun 18, 2009 at 08:30:27AM +0200, Stefan Winter wrote:
> Hi,
> 
> > Yes, I am aware privacy is a concern. As I am doing some tests, I
> > thought it would be easier to debug if there were a way to relate a request
> > to a proxied username. Is this technically not possible, or is it more a
> > political matter?
> >   
> 
> Technically impossible until you break TLS. OR make a deal with the home
> server that it reveals the actual user name to you.
> 
> > I thought the outer-tunnel is set up to secure the connection between the
> > user and the authentication server.
> 
> And the *home* authentication server. If you operate a proxy in the
> middle between user and home server, you will not see the inner tunnel
> credentials.
> 
> >  So the authentication server has access to
> > the unencrypted data, which it in turn passes to proxies to verify the
> > received credentials;
> 
> Only the *home* authentication server has access to the credentials.
> These credentials are typically not proxied anywhere (there are
> exceptions at the discretion of that home server).
> 
> >  this data is encrypted using the home-server shared 
> > key. Please enlighten me if this is not correct.
> >   
> 
> The shared secret ensures packet integrity between RADIUS peers, i.e.
> between your proxy and the home server. With EAP authentication, it does
> *not* add anything to credential encryption - that happens entirely in
> the EAP tunnel.

Thanks for the clarifications.

Cheers,
Xiwen

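An added example, written for this page and not code from the thread or from FreeRADIUS, that makes Stefan's point concrete. It is a toy RADIUS proxy that holds the shared secret with the NAS, verifies the Message-Authenticator of an Access-Request, and reports what it can read. For an EAP request it sees only the outer User-Name (the anonymous identity plus realm used for routing) and an opaque TLS record inside EAP-Message; for a PAP request the very same shared secret lets it recover the User-Password, which is why the secret gives integrity between RADIUS peers but adds nothing to credential confidentiality under EAP. The secret, the identities, the EAP/TLS bytes and the packets are all constructed here; the attribute codes and the Message-Authenticator and User-Password algorithms follow RFC 2865, RFC 2869 and RFC 3579.

```python
"""What a RADIUS proxy can see: EAP Access-Request vs PAP Access-Request (constructed example)."""
import hashlib
import hmac
import struct

# Attribute codes: User-Name, User-Password (RFC 2865); EAP-Message, Message-Authenticator (RFC 2869)
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80
ACCESS_REQUEST = 1
MA_ZERO = b"\x00" * 16

def encode_attrs(attrs):
    """TLV encode: Type(1) Length(1, includes header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(body):
    out, i = [], 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        if l < 2:
            raise ValueError("bad attribute length")
        out.append((t, body[i + 2:i + l]))
        i += l
    return out

def build_access_request(ident, authenticator, attrs, secret):
    """Access-Request whose Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed) (RFC 3579 s3.2)."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, MA_ZERO)])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac  # MA is the last attribute, so replace its trailing 16 bytes

def verify_message_authenticator(packet, secret):
    """Integrity check that any RADIUS peer holding the shared secret can perform."""
    header, body, i = packet[:20], packet[20:], 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        if l < 2:
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            received = body[i + 2:i + 18]
            zeroed = body[:i + 2] + MA_ZERO + body[i + 18:]
            expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        i += l
    return False

def hide_pap_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret || previous block); reversible with the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_pap_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def proxy_view(packet, secret):
    """Everything a proxy (not the home server) learns from one Access-Request."""
    if not verify_message_authenticator(packet, secret):
        raise ValueError("Message-Authenticator check failed: drop packet")
    authenticator = packet[4:20]
    view = {"outer_identity": None, "realm": None, "eap_opaque": None, "pap_password": None}
    for t, v in decode_attrs(packet[20:]):
        if t == USER_NAME:
            name = v.decode()
            view["outer_identity"] = name
            view["realm"] = name.rpartition("@")[2] if "@" in name else None
        elif t == EAP_MESSAGE:
            # EAP header (code, id, length, type, flags); what follows is a TLS record the proxy cannot open
            _code, _eid, _elen, etype, _flags = struct.unpack("!BBHBB", v[:6])
            view["eap_opaque"] = {"eap_type": etype, "tls_content_type": v[6], "tls_bytes": len(v) - 6}
        elif t == USER_PASSWORD:
            view["pap_password"] = reveal_pap_password(v, secret, authenticator)
    return view

# --- constructed sample traffic (not captured from any real network) ---
SECRET = b"proxy-to-nas-secret"          # assumed shared secret between NAS and proxy
AUTHENTICATOR = bytes(range(16))         # a real NAS picks this at random per request
# EAP-Response / PEAP (type 25), flags 0, carrying a TLS handshake record (content type 0x16)
TLS_RECORD = b"\x16\x03\x01\x00\x0a" + b"\x01\x00\x00\x06\x03\x01\xde\xad\xbe\xef"
EAP_PAYLOAD = struct.pack("!BBHBB", 2, 1, 6 + len(TLS_RECORD), 25, 0) + TLS_RECORD
EAP_REQUEST = build_access_request(7, AUTHENTICATOR,
    [(USER_NAME, b"anonymous@example.org"), (EAP_MESSAGE, EAP_PAYLOAD)], SECRET)
PAP_REQUEST = build_access_request(8, AUTHENTICATOR,
    [(USER_NAME, b"alice@example.org"),
     (USER_PASSWORD, hide_pap_password(b"hunter2", SECRET, AUTHENTICATOR))], SECRET)

if __name__ == "__main__":
    print("EAP request, proxy view:", proxy_view(EAP_REQUEST, SECRET))
    print("PAP request, proxy view:", proxy_view(PAP_REQUEST, SECRET))
```

Run it and compare the two dictionaries: the EAP view carries only the anonymous outer identity, the realm and a TLS record length, while the PAP view carries the cleartext password. The inner identity of the EAP user never appears in anything the proxy can decode, which is exactly the situation described above: to get it you would have to break the TLS tunnel or have the home server hand it to you.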