TCPDump, able to see tunneled credentials?

Alan DeKok aland at deployingradius.com
Fri Sep 13 11:21:16 UTC 2024


On Sep 13, 2024, at 7:10 AM, Connor Herring <connorrjherring at gmail.com> wrote:
> Thanks for this, it does put my mind at ease. Is there any way other than
> various PCAPs that you would be able to tell if something sensitive like
> the password was being seen outside the tunnel? I think I've proved that
> you can't, pretty conclusively but just want to be sure.

  Look at the debug output, or pcap files.

  But the protocol designers aren't dumb.  Anything *truly* sensitive (like Tunnel-Password) is protected by design.

  The contents of the Access-Accept *must* be in the clear (mostly), because otherwise the NAS can't see them.  There's no point in sending reply attributes inside of the TLS tunnel for TTLS, because the TLS tunnel goes to the supplicant, and not to the NAS.

  If you truly want privacy in RADIUS, use RADIUS/TLS (RadSec).  Nothing else will protect all of the traffic.

  Alan DeKok.
