[EXT] TCPDump, able to see tunneled credentials?

Brian Julin BJulin at clarku.edu
Fri Sep 13 14:31:26 UTC 2024



Connor Herring <connorrjherring at gmail.com> wrote:
> I'm a bit confused here. I've got EAP-TTLS/PAP set up. To ensure that
> everything was set up correctly, I have run a PCAP from the supplicant to
> see if I could see any auth details being sent (I couldn't), I have also
> run a PCAP from an AP in sniffer mode (also couldn't see anything, only
> probes and broadcasts), however, I ran a TCPDump on the RADIUS server
> itself and while I couldn't see the password that was being sent, I could
> see the tunnelled username and VLAN attributes in the Access-Accept.

> My question is, is this expected? Want to ensure this isn't just a
> misconfiguration.

Normal.  The NAS does not get to see the password -- the encrypted tunnel
is built between the client and the RADIUS Server (except when the NAS is
performing as a surrogate as in mac-auth-bypass setups.)

But the NAS needs to know the VLAN attributes and there has to be a
UserName in the packets as well, IIRC due to EAP standards.

If the UserName in those packets is the one used on the inside tunnel
and not the outer wrapper (they can be different), then your RADIUS
server is intentionally configured to leak that username.
This is fairly common when you want real usernames in your NAS
administrative interfaces for visibility, or when making policy decisions
based on usernames with local rules programmed into the NAS.

Under typical models prevalent when RADIUS was designed, NAS and RADIUS
server were connected on an isolated internal VLAN so this was not a privacy
concern.  As things became more cloud-based, this was no longer the case.

RADIUS does protect against alteration of these attributes on the wire
using a Message-Authenticator (caveat: proper countermeasures for
BlastRADIUS needed.)

If you do not have a protected communication channel between the NAS
and RADIUS server, and you need privacy protection of the attributes, then
check if the NAS supports RadSec (RADIUS/TLS).  If it does not, pursue building
an IPSec tunnel to protect it.

In general, the recommendation these days is to move to RadSec whenever
you can.
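
Added example, not part of the original message: a Python sketch of what a capture on the RADIUS server side exposes in an Access-Accept and what Message-Authenticator (HMAC-MD5, RFC 3579) does and does not protect. The shared secret, Request Authenticator, username and VLAN value are constructed for illustration, and the function names are hypothetical.

```python
import hashlib, hmac, struct

# All values below are constructed for illustration.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # authenticator of the matching Access-Request
NAMES = {1: "User-Name", 80: "Message-Authenticator", 81: "Tunnel-Private-Group-ID"}

def attr(t, value):
    return bytes([t, len(value) + 2]) + value

def build_accept(ident, username, vlan):
    """Build an Access-Accept (code 2) the way a RADIUS server would send it."""
    attrs = attr(1, username) + attr(81, vlan) + attr(80, bytes(16))
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    mac = hmac.new(SECRET, header + REQUEST_AUTH + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(header + REQUEST_AUTH + attrs + SECRET).digest()
    return header + resp_auth + attrs

def parse_attrs(packet):
    """Return [(type, value_offset, value)]; no secret is needed to read these."""
    out, i = [], 20
    length = struct.unpack("!H", packet[2:4])[0]
    while i + 2 <= length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute")
        out.append((t, i + 2, packet[i + 2:i + l]))
        i += l
    return out

def verify_message_authenticator(packet):
    """Recompute HMAC-MD5 over the reply with the attribute value zeroed."""
    for t, off, value in parse_attrs(packet):
        if t == 80 and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            data = zeroed[:4] + REQUEST_AUTH + zeroed[20:]
            expected = hmac.new(SECRET, data, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False  # a reply without the attribute is treated as a failure

if __name__ == "__main__":
    pkt = build_accept(7, b"alice@example.org", b"120")
    for t, _, v in parse_attrs(pkt):
        print(NAMES.get(t, t), v.hex() if t == 80 else v)  # readable on the wire
    tampered = pkt.replace(b"120", b"999")  # on-path change of the VLAN
    print(verify_message_authenticator(pkt), verify_message_authenticator(tampered))
```

The attributes print in cleartext without the shared secret, which is the privacy gap that RadSec or IPsec closes; the HMAC only detects modification.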




More information about the Freeradius-Users mailing list