TCPDump, able to see tunneled credentials?
Matthew Newton
mcn at freeradius.org
Fri Sep 13 10:40:45 UTC 2024
On 13/09/2024 11:34, Connor Herring wrote:
> I think I have found why it is sending the username in the Access Accept
> (update outer.session-state is uncommented) so that's ok but is there a way
> for me to be sure it's being tunneled? The debug logs state "eap_ttls: Got
> tunneled Access-Accept" and the logs state the final auth accept came "Via
> TLS Tunnel" so this would lead me to believe it's fine but is that enough
> to go on? Just trying to cover everything.
The TLS tunnel protects the authentication, not the full RADIUS
exchange. VLAN attributes are always outside the tunnel; they are
standard RADIUS attributes. If you want the whole lot hidden you'll need
to configure RadSec, but most RADIUS clients won't support that.
The reply User-Name is set to whatever the FreeRADIUS policy sets it to,
so if you are copying the inner tunnel User-Name back to the outer reply
(e.g. via session-state) then that is what will get sent. The debug
output will show what is happening.
Note that a lot of devices will send the reply User-Name back as the
User-Name in accounting messages, so if you want accounting to make
sense you may need to send something clear back in the reply.
But (without seeing any debug logs) it sounds like it's all working as
expected.
--
Matthew
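To make the point above concrete, here is an added example (not from this thread or from the FreeRADIUS project): it builds a constructed outer Access-Accept as it would appear on the wire to tcpdump and decodes the attributes a passive observer can read. The values (user "alice", VLAN 42, EAP identifier 9) are constructed; what the output shows is that the reply User-Name and the Tunnel-* VLAN attributes sit outside the TLS tunnel, while the inner credentials only ever travel inside it.

```python
import struct
# RADIUS attribute type codes (RFC 2865, RFC 2868, RFC 3579)
ACCESS_ACCEPT = 2
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, EAP_MESSAGE, TUNNEL_PRIVATE_GROUP_ID = 1, 64, 65, 79, 81
NAMES = {1: "User-Name", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 79: "EAP-Message", 81: "Tunnel-Private-Group-ID"}

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value  # Type, Length (header included), Value

def build_access_accept(identifier: int, attrs: list) -> bytes:
    body = b"".join(attrs)  # 20-byte header; Response Authenticator is a constructed zero placeholder
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + b"\x00" * 16 + body

def parse_attributes(packet: bytes) -> list:
    # Walk the attribute TLVs after the header, checking lengths as any real parser must
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    out, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def visible_outer_attributes(packet: bytes) -> dict:
    # Decode what a passive observer of the outer RADIUS reply can read in the clear
    seen = {}
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value and value[0] <= 0x1F:
            value = value[1:]  # strip the RFC 2868 tag byte
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            text = str(int.from_bytes(value, "big"))
        elif atype in (USER_NAME, TUNNEL_PRIVATE_GROUP_ID):
            text = value.decode("utf-8", "replace")
        else:
            text = value.hex()
        seen[NAMES.get(atype, f"Attr-{atype}")] = text
    return seen

# Constructed sample: the outer Access-Accept after a successful EAP-TTLS authentication
SAMPLE_ACCEPT = build_access_accept(7, [
    attr(USER_NAME, b"alice"),  # reply User-Name copied back from the inner tunnel
    attr(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big")),        # tag 1, VLAN
    attr(TUNNEL_MEDIUM_TYPE, b"\x01" + (6).to_bytes(3, "big")),  # tag 1, IEEE-802
    attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"42"),              # tag 1, VLAN 42
    attr(EAP_MESSAGE, bytes([3, 9, 0, 4])),  # EAP-Success; the inner password never appears here
])
```

Running `visible_outer_attributes(SAMPLE_ACCEPT)` lists User-Name "alice" and VLAN 42 in the clear, which is exactly what a capture of the outer exchange exposes even though the inner EAP-TTLS credentials do not.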