TCPDump, able to see tunneled credentials?
Matthew Newton
mcn at freeradius.org
Fri Sep 13 11:22:03 UTC 2024

On 13/09/2024 12:10, Connor Herring wrote:
> Thanks for this, it does put my mind at ease. Is there any way other
> than various PCAPs that you would be able to tell if something sensitive
> like the password was being seen outside the tunnel?

tcpdump, radsniff, FreeRADIUS debug output. But ultimately they'll all
tell you the same thing.

> I think I've proved
> that you can't, pretty conclusively but just want to be sure.

Literally all the RADIUS stuff is outside the tunnel. Which is why it's
recommended to keep RADIUS on a private network and to use RadSec if
possible. e.g. device MAC addresses etc are all in the clear. People run
RADIUS over the Internet and I have no idea why you would even consider
doing that.

But in terms of authentication, disable all the auth stuff in the outer
tunnel (sites-enabled/default) except eap, then nothing else can work.
At that point you've pretty much done everything you can.

--
Matthew