use_tunneled_reply has no effect
Xiwen Cheng
xcheng at math.leidenuniv.nl
Thu Jun 18 12:27:01 CEST 2009
On Thu, Jun 18, 2009 at 08:30:27AM +0200, Stefan Winter wrote:
> Hi,
>
> > Yes, I am aware privacy is a concern. As I am doing some tests, I
> > thought it would be easier to debug if there's a way to relate a request
> > to a proxied username. Is this technically not possible, or is it more a
> > political matter?
> >
>
> Technically impossible until you break TLS. OR make a deal with the home
> server that it reveals the actual user name to you.
>
> > I thought the outer-tunnel is set up to secure the connection between the
> > user and the authentication server.
>
> And the *home* authentication server. If you operate a proxy in the
> middle between user and home server, you will not see the inner tunnel
> credentials.
>
> > So the authentication server has access to
> > the unencrypted data, which it in turn queries proxies to verify the
> > received credentials;
>
> Only the *home* authentication server has access to the credentials.
> These credentials are typically not proxied anywhere (there are
> exceptions at the discretion of that home server).
>
> > this data is encrypted using the home-server shared
> > key. Please enlighten me if this is not correct.
> >
>
> The shared secret ensures packet integrity between RADIUS peers, i.e.
> between your proxy and the home server. With EAP authentication, it does
> *not* add anything to credential encryption - that happens entirely in
> the EAP tunnel.
Thanks for the clarifications.
Cheers,
Xiwen
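The hop-by-hop integrity that Stefan describes (the shared secret protects the packet between two RADIUS peers, while the credentials stay inside the EAP tunnel) can be made concrete with the Message-Authenticator attribute that RFC 2869 requires on any Access-Request carrying EAP-Message. The following Python is an added illustration written for this archive page, not code from the thread or from FreeRADIUS: it builds a minimal Access-Request with an outer identity and an EAP-Message, signs it with the NAS-to-proxy secret, and then shows what a proxy in the middle can do with it: verify the HMAC, read the outer User-Name, forward the EAP bytes unchanged, and re-sign toward the home server with a different secret. The realm `example.org`, the secrets and the EAP bytes are constructed sample values; the EAP payload is a single short fragment, so the code assumes one EAP-Message attribute per packet.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20

# Constructed sample values (not taken from the thread): an anonymous outer identity and
# ten bytes shaped like an EAP-Response/EAP-TTLS fragment wrapping the start of a TLS record.
OUTER_ID = "anonymous@example.org"
EAP_SAMPLE = bytes.fromhex("0201000a150016030100")


def _attr(attr_type, value):
    """Encode one attribute as Type, Length, Value; Length counts the 2-byte TLV header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single TLV")
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attributes(packet):
    """Return (type, value, offset_of_value) for every attribute after the 20-byte header."""
    out, pos = [], HEADER_LEN
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((t, packet[pos + 2:pos + length], pos + 2))
        pos += length
    return out


def _message_authenticator_offset(packet):
    for t, _value, off in parse_attributes(packet):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            return off
    raise ValueError("no Message-Authenticator attribute")


def build_access_request(ident, request_auth, outer_identity, eap_payload, secret):
    """Build an Access-Request carrying EAP-Message and sign it with this hop's shared secret."""
    attrs = (_attr(ATTR_USER_NAME, outer_identity.encode())
             + _attr(ATTR_EAP_MESSAGE, eap_payload)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder, filled below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + request_auth + attrs
    # RFC 2869 section 5.14: HMAC-MD5 keyed with the shared secret over the whole packet,
    # computed while the Message-Authenticator value is all zeros.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    off = _message_authenticator_offset(packet)
    return packet[:off] + mac + packet[off + 16:]


def verify_message_authenticator(packet, secret):
    """Hop-by-hop integrity check: was this packet signed with the secret we share with the sender?"""
    off = _message_authenticator_offset(packet)
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])


def proxy_view(packet):
    """Everything a proxy can read: the outer identity and the raw EAP bytes (still TLS-wrapped)."""
    attrs = {t: v for t, v, _ in parse_attributes(packet)}
    return attrs[ATTR_USER_NAME].decode(), attrs[ATTR_EAP_MESSAGE]


def proxy_forward(packet, secret_in, secret_out, new_ident):
    """Verify on the inbound hop, then re-sign for the outbound hop; the EAP payload is untouched."""
    if not verify_message_authenticator(packet, secret_in):
        raise ValueError("bad Message-Authenticator on inbound hop")
    outer, eap = proxy_view(packet)
    return build_access_request(new_ident, os.urandom(16), outer, eap, secret_out)


if __name__ == "__main__":
    nas_secret, home_secret = b"nas-to-proxy-secret", b"proxy-to-home-secret"
    from_nas = build_access_request(7, os.urandom(16), OUTER_ID, EAP_SAMPLE, nas_secret)
    to_home = proxy_forward(from_nas, nas_secret, home_secret, 8)
    print("outer identity seen by proxy:", proxy_view(to_home)[0])
    print("EAP bytes forwarded verbatim:", proxy_view(to_home)[1] == EAP_SAMPLE)
    print("home server can verify:", verify_message_authenticator(to_home, home_secret))
```

The secret never touches the EAP-Message value: the proxy re-keys the HMAC for the next hop, but the TLS record inside the EAP fragment is exactly the bytes the supplicant produced, which is why the inner (real) user name is invisible to anyone except the home server that terminates the TLS tunnel.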
--
More information about the Freeradius-Users mailing list