Hi,

> Yes, I am aware privacy is a concern. As I am doing some tests, I
> thought it would be easier to debug if there's a way to relate a request
> to a proxied username. Is this technically not possible, or is it more a
> political matter?

Technically impossible until you break TLS. OR make a deal with the home
server that it reveals the actual user name to you.

> I thought the outer-tunnel is set up to secure the connection between the
> user and the authentication server.

And the *home* authentication server. If you operate a proxy in the middle
between user and home server, you will not see the inner tunnel credentials.

> So the Authentication has access to
> the unencrypted data which it in turn queries proxies to verify the
> received credentials;

Only the *home* authentication server has access to the credentials. These
credentials are typically not proxied anywhere (there are exceptions at the
discretion of that home server).

> this data is encrypted using the home-server shared
> key. Please enlighten me if this is not correct.

The shared secret ensures packet integrity between RADIUS peers, i.e. between
your proxy and the home server. With EAP authentication, it does *not* add
anything to credential encryption - that happens entirely in the EAP tunnel.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
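The point made in the reply above, that the RADIUS shared secret protects packet integrity between peers while the credentials travel inside the EAP/TLS tunnel, can be seen by building a proxied Access-Request by hand. The following is an added example written for this page, not code from the thread or from FreeRADIUS. It constructs a minimal Access-Request (RFC 2865 framing, RFC 3579 Message-Authenticator), shows what a proxy with the shared secret can do with it (verify integrity, re-sign for the next hop) and what it cannot do (look inside the EAP-Message bytes). The secrets, the outer identity `anonymous@example.org`, the fixed Request Authenticator and the EAP payload standing in for TLS records are all constructed sample values; the function names are this example's own.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20

# Constructed sample values: real deployments use long random shared secrets
# and a fresh random Request Authenticator per request.
SECRET_NAS_PROXY = b"constructed-secret-nas-proxy"
SECRET_PROXY_HOME = b"constructed-secret-proxy-home"
REQUEST_AUTH = bytes(range(16))
OUTER_IDENTITY = "anonymous@example.org"
# Stand-in for an EAP-Response carrying TLS records: EAP code 2 (Response),
# id 7, length 15, type 25 (PEAP), flags 0, then opaque bytes. The inner
# username and password would sit inside the TLS tunnel these bytes carry.
EAP_PAYLOAD = struct.pack("!BBHBB", 2, 7, 15, 25, 0) + b"\x17\x03\x03\x00\x04\xde\xad\xbe\xef"


def _attr(atype, value):
    """Encode one RADIUS attribute: Type, Length (including these 2 octets), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """Return a list of (type, value) tuples from the attribute section."""
    attrs, pos = [], HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def _find_mac_offset(packet):
    """Offset of the 16-octet Message-Authenticator value inside the packet."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18:
                raise ValueError("Message-Authenticator must be 16 octets")
            return pos + 2
        pos += alen
    raise ValueError("no Message-Authenticator attribute")


def _sign(packet, secret):
    """HMAC-MD5 over the whole packet with the Message-Authenticator zeroed (RFC 3579 3.2)."""
    off = _find_mac_offset(packet)
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return zeroed[:off] + mac + zeroed[off + 16:]


def verify_message_authenticator(packet, secret):
    """True if the packet's Message-Authenticator was produced under this secret."""
    try:
        off = _find_mac_offset(packet)
    except ValueError:
        return False
    return hmac.compare_digest(packet[off:off + 16], _sign(packet, secret)[off:off + 16])


def build_access_request(identifier, request_auth, outer_identity, eap_payload, secret):
    """Access-Request with User-Name (outer identity), EAP-Message and Message-Authenticator."""
    attrs = (_attr(ATTR_USER_NAME, outer_identity.encode())
             + _attr(ATTR_EAP_MESSAGE, eap_payload)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return _sign(header + request_auth + attrs, secret)


def proxy_view(packet):
    """Everything a proxy can read: the outer identity and opaque EAP bytes."""
    outer, eap = None, b""
    for atype, value in parse_attributes(packet):
        if atype == ATTR_USER_NAME:
            outer = value.decode()
        elif atype == ATTR_EAP_MESSAGE:
            eap += value
    return outer, eap


def proxy_forward(packet, secret_in, secret_out):
    """Check integrity with the inbound secret, re-sign for the next hop, change nothing else."""
    if not verify_message_authenticator(packet, secret_in):
        raise ValueError("rejecting packet: Message-Authenticator check failed")
    return _sign(packet, secret_out)


def demo():
    req = build_access_request(1, REQUEST_AUTH, OUTER_IDENTITY, EAP_PAYLOAD, SECRET_NAS_PROXY)
    outer, eap = proxy_view(req)
    tampered = bytearray(req)
    tampered[req.index(EAP_PAYLOAD) + 6] ^= 0x01   # flip one bit inside the EAP bytes
    forwarded = proxy_forward(req, SECRET_NAS_PROXY, SECRET_PROXY_HOME)
    return {
        "outer_identity": outer,
        "eap_is_opaque": eap == EAP_PAYLOAD,
        "integrity_ok_at_proxy": verify_message_authenticator(req, SECRET_NAS_PROXY),
        "tamper_detected": not verify_message_authenticator(bytes(tampered), SECRET_NAS_PROXY),
        "home_secret_verifies_forwarded": verify_message_authenticator(forwarded, SECRET_PROXY_HOME),
        "nas_secret_rejects_forwarded": not verify_message_authenticator(forwarded, SECRET_NAS_PROXY),
        "eap_unchanged_by_proxy": proxy_view(forwarded)[1] == EAP_PAYLOAD,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The only identity the proxy can log and correlate is the outer `User-Name`; the EAP-Message octets pass through byte-for-byte, re-signed under the next hop's secret, and the proxy never holds a key that decrypts them. A real proxy would also pick a fresh Identifier and Request Authenticator for the outbound request, which this example leaves unchanged to keep the role of the shared secret in view.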

