TCPDump, able to see tunneled credentials?

Connor Herring connorrjherring at gmail.com
Fri Sep 13 11:10:57 UTC 2024


Hi Matthew,

Thanks for this; it does put my mind at ease. Is there any way other than
various PCAPs that you would be able to tell if something sensitive like
the password was being seen outside the tunnel? I think I've proved that
you can't, pretty conclusively, but just want to be sure.

Kind regards,

Connor

On Fri, Sep 13, 2024 at 11:41 AM Matthew Newton via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

>
>
> On 13/09/2024 11:34, Connor Herring wrote:
> > I think I have found why it is sending the username in the Access Accept
> > (update outer.session-state is uncommented) so that's ok but is there a
> > way for me to be sure it's being tunneled? The debug logs state "eap_ttls:
> > Got tunneled Access-Accept" and the logs state the final auth accept came
> > "Via TLS Tunnel" so this would lead me to believe it's fine but is that
> > enough to go on? Just trying to cover everything.
>
> The TLS tunnel protects the authentication, not the full RADIUS
> exchange. VLAN attributes are always outside the tunnel, they are
> standard RADIUS attributes. If you want the whole lot hidden you'll need
> to configure RadSec, but most RADIUS clients won't support that.
>
> The reply User-Name is set to whatever the FreeRADIUS policy sets it to,
> so if you are copying the inner tunnel User-Name back to the outer reply
> (e.g. via session-state) then that is what will get sent. The debug
> output will show what is happening.
>
> Note that a lot of devices will send the reply User-Name back as the
> User-Name in accounting messages, so if you want accounting to make
> sense you may need to send something clear back in the reply.
>
> But (without seeing any debug logs), sounds like it's all working as
> expected.
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
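The question above (can you tell, other than by reading PCAPs, whether the password is visible outside the tunnel) and Matthew's answer (only the EAP payload is inside TLS; User-Name, VLAN attributes and any other RADIUS attribute are cleartext unless the link is RadSec) can be checked at the attribute level rather than by eyeballing hex. The following is an added example, not code from this thread or from FreeRADIUS: it parses the RADIUS packets a tcpdump capture would contain, separates EAP-Message (the only attribute that carries the TLS-tunneled exchange) from every other attribute, undoes the RFC 2865 User-Password hiding with the shared secret (so a PAP password that merely looks scrambled is still counted as exposed), and reports which outer attributes contain a known test credential. The packets, shared secret, credential and the stand-in TLS bytes are all constructed here; the function names (`audit_packet`, `parse_radius`, etc.) are the example's own.

```python
"""Audit RADIUS packets for a credential that should only travel inside the TLS tunnel."""
import hashlib
import struct

# Attribute type numbers from RFC 2865 / RFC 2868 / RFC 3579.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 64: "Tunnel-Type",
              65: "Tunnel-Medium-Type", 79: "EAP-Message",
              80: "Message-Authenticator", 81: "Tunnel-Private-Group-Id"}
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              11: "Access-Challenge"}


def parse_radius(packet):
    """Split one RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def build_radius(code, ident, authenticator, attrs):
    """Assemble a RADIUS packet; used here only to construct sample traffic."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def _password_xor(data, secret, authenticator, encoding):
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if encoding else block   # the chain always runs over ciphertext
    return out


def hide_user_password(password, secret, authenticator):
    """NAS side: pad to a multiple of 16 and apply the MD5/XOR chain."""
    return _password_xor(password + b"\0" * (-len(password) % 16), secret, authenticator, True)


def reveal_user_password(hidden, secret, authenticator):
    """Anyone holding the shared secret can reverse the hiding; so can our audit."""
    return _password_xor(hidden, secret, authenticator, False).rstrip(b"\0")


def audit_packet(packet, shared_secret, credential):
    """Report outer cleartext attributes and every attribute in which `credential` is visible.

    EAP-Message (79) is the only attribute that carries the TLS-tunneled inner exchange;
    every other attribute is cleartext RADIUS unless the NAS-to-server link is RadSec.
    """
    code, _, authenticator, attrs = parse_radius(packet)
    report = {"code": CODE_NAMES.get(code, str(code)), "outer_cleartext": [],
              "eap_bytes": 0, "credential_seen_in": []}
    for atype, value in attrs:
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype == 2:                      # User-Password is hidden, not encrypted
            value = reveal_user_password(value, shared_secret, authenticator)
        if atype == 79:
            report["eap_bytes"] += len(value)
        else:
            report["outer_cleartext"].append((name, value))
        if credential in value:             # also catches a non-TLS EAP method leaking it
            report["credential_seen_in"].append(name)
    return report


# --- constructed sample traffic (not from any real capture) ---
SECRET = b"constructed-shared-secret"
PASSWORD = b"hunter2-constructed"
RA = bytes(range(16))                       # constructed Request Authenticator
_fake_tls = hashlib.sha256(b"stand-in for TLS ciphertext").digest()
# EAP header (code 2 = Response, id 7, length) + type 21 (EAP-TTLS) + flags 0 + TLS bytes.
_eap = b"\x02\x07" + struct.pack("!H", 6 + len(_fake_tls)) + b"\x15\x00" + _fake_tls
TTLS_REQUEST = build_radius(1, 7, RA, [(1, b"anonymous@example.org"), (79, _eap), (80, b"\0" * 16)])
PAP_REQUEST = build_radius(1, 8, RA, [(1, b"alice"), (2, hide_user_password(PASSWORD, SECRET, RA))])
# Reply User-Name plus VLAN assignment (Tunnel-Type 13 = VLAN, Medium 6 = 802): all outer.
ACCEPT = build_radius(2, 7, RA, [(1, b"alice"), (64, b"\0\0\0\x0d"), (65, b"\0\0\0\x06"), (81, b"100")])

if __name__ == "__main__":
    for pkt in (TTLS_REQUEST, PAP_REQUEST, ACCEPT):
        print(audit_packet(pkt, SECRET, PASSWORD))
```

Run against the constructed packets, the EAP-TTLS request reports the outer identity as cleartext but the credential in no attribute, the PAP request reports it in User-Password once the shared secret is applied, and the Access-Accept shows User-Name and the three VLAN attributes in the clear, which is exactly the split Matthew describes. To use it on a capture, feed each UDP payload from port 1812/1813 into `audit_packet` with the real shared secret and the test account's password.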

