proxy incoming PAP request as outgoing PEAP/TTLS requests

Ian Chang-張志邦 Ian.Chang at zyxel.com.tw
Tue Sep 22 02:57:33 CEST 2015


Hi Alan,

This is exactly what we would like to do.
captive portal ------PAP-----> freeradius server ----PEAP/TTLS------> another radius server

As you said, it is a dangerous thing to accept PAP and it is not enabled on NPS by default.
Hence, we would like to proxy the PAP requests as PEAP/TTLS requests.
It is better that we could authenticate with the upstream server in the tunnel.

Thanks a lot.

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+ian.chang=zyxel.com.tw at lists.freeradius.org] On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: Monday, September 21, 2015 10:48 PM
To: FreeRadius users mailing list
Subject: Re: proxy incoming PAP request as outgoing PEAP/TTLS requests

Hi,

> Another use case I could think of is that the remote RADIUS server
> does

Another use case that *I* could think of is another attempted MITM attack against e.g. 802.1X systems.... one in particular I am closely connected to. Present a captive portal.... get people to log in using user/pass - the upstream servers are configured to reject non-EAP methods so you don't know if such things are true details.... but if you converted that PAP request to an EAP method......


alan