TCPDump, able to see tunneled credentials?

Connor Herring connorrjherring at gmail.com
Fri Sep 13 11:27:41 UTC 2024


Hi Matthew and Alan,

Many thanks for the information, you've been really helpful. I've already
got everything apart from EAP disabled in sites-enabled/default >
authentication so should be good!

Kind regards,

Connor

On Fri, Sep 13, 2024 at 12:23 PM Matthew Newton via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> On 13/09/2024 12:10, Connor Herring wrote:
> > Thanks for this, it does put my mind at ease. Is there any way other
> > than various PCAPs that you would be able to tell if something sensitive
> > like the password was being seen outside the tunnel?
>
> tcpdump, radsniff, FreeRADIUS debug output. But ultimately they'll all
> tell you the same thing.
>
> > I think I've proved
> > that you can't, pretty conclusively but just want to be sure.
>
> Literally all the RADIUS stuff is outside the tunnel. Which is why it's
> recommended to keep RADIUS on a private network and to use RadSec if
> possible. e.g. device MAC addresses etc are all in the clear. People run
> RADIUS over the Internet and I have no idea why you would even consider
> doing that.
>
> But in terms of authentication, disable all the auth stuff in the outer
> tunnel (sites-enabled/default) except eap, then nothing else can work.
> At that point you've pretty much done everything you can.
>
> --
> Matthew
>
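An added example, not part of the thread or of FreeRADIUS: a small Python check of the point made above that all RADIUS attributes travel outside the EAP tunnel. It parses an Access-Request UDP payload and reports any non-EAP credential attributes and the identity fields an on-path observer can read. The sample packets are constructed, and `audit` and `build` are hypothetical names.

```python
import struct

# Attribute numbers from RFC 2865 and RFC 3579.
NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
         31: "Calling-Station-Id", 79: "EAP-Message",
         80: "Message-Authenticator"}
# Password material carried outside EAP. User-Password is only hidden by
# the shared-secret MD5 scheme of RFC 2865, not by any tunnel.
NON_EAP_CREDENTIALS = {2, 3}


def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) for one RADIUS UDP payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def audit(packet: bytes):
    """Summarise what is visible outside the tunnel in an Access-Request."""
    code, attrs = parse_attributes(packet)
    types = [t for t, _ in attrs]
    return {
        "access_request": code == 1,
        "eap": 79 in types,
        "credential_attrs": [NAMES[t] for t in types if t in NON_EAP_CREDENTIALS],
        "cleartext": {NAMES[t]: v.decode("ascii", "replace")
                      for t, v in attrs if t in (1, 31)},
    }


def build(attrs):
    """Build a constructed Access-Request (zeroed authenticator) for testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body


# Constructed samples: an EAP request with an anonymous outer identity, and a PAP request.
EAP_REQ = build([(1, b"anonymous"), (31, b"00-11-22-33-44-55"),
                 (79, b"\x02\x01\x00\x0e\x01anonymous"), (80, bytes(16))])
PAP_REQ = build([(1, b"alice"), (2, bytes(16))])
```

Feeding it the UDP payloads extracted from a capture gives the same answer tcpdump or radsniff would show: with only EAP enabled in the outer server, `credential_attrs` stays empty while the outer User-Name and Calling-Station-Id remain readable.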

