On Thu, Jun 18, 2009 at 08:30:27AM +0200, Stefan Winter wrote:
> Hi,
>
> > Yes, I am aware privacy is a concern. As I am doing some tests, I
> > thought it would be easier to debug if there's a way to relate a request
> > to a proxied username. Is this technically not possible, or is it more a
> > political matter?
> >
>
> Technically impossible until you break TLS. OR make a deal with the home
> server that it reveals the actual user name to you.
>
> > I thought the outer-tunnel is set up to secure the connection between the
> > user and the authentication server.
>
> And the *home* authentication server. If you operate a proxy in the
> middle between user and home server, you will not see the inner tunnel
> credentials.
>
> > So the authentication server has access to
> > the unencrypted data which it in turn queries proxies to verify the
> > received credentials;
>
> Only the *home* authentication server has access to the credentials.
> These credentials are typically not proxied anywhere (there are
> exceptions at the discretion of that home server).
>
> > this data is encrypted using the home-server shared
> > key. Please enlighten me if this is not correct.
> >
>
> The shared secret ensures packet integrity between RADIUS peers, i.e.
> between your proxy and the home server. With EAP authentication, it does
> *not* add anything to credential encryption - that happens entirely in
> the EAP tunnel.
Thanks for the clarifications.

Cheers,
Xiwen

-- 
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
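The point Stefan makes above (the RADIUS shared secret gives per-hop packet integrity, not credential confidentiality, and the inner identity is only ever inside the EAP/TLS tunnel) can be shown concretely on the wire. The following is an added example written for this page, not code from the thread or from FreeRADIUS. It builds an Access-Request the way a NAS would for tunnelled EAP (RFC 2865 packet layout, RFC 2869 Message-Authenticator = HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed), then shows what a proxy in the middle sees and can check. All names, secrets and payloads are constructed: the outer identity "anonymous@example.org", the inner identity "alice@example.org", the two hop secrets, and the EAP-Message body, which is a placeholder byte string standing in for TLS record ciphertext (it is not a real TLS record and no real TLS handshake is performed).

```python
"""Added example: RADIUS proxy visibility with tunnelled EAP.

Constructed for illustration; nothing here comes from the FreeRADIUS code
base or from the mailing-list thread. The EAP payload is a placeholder for
TLS ciphertext, not a real TLS record.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value (max 253 bytes)."""
    assert len(value) <= 253
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(data):
    """Decode a run of attributes into (type, value) pairs."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def build_access_request(ident, request_auth, attrs, secret):
    """Assemble Code|Identifier|Length|Request Authenticator|Attributes and
    fill in Message-Authenticator: HMAC-MD5(secret, packet with the
    Message-Authenticator value set to 16 zero bytes)."""
    body = b"".join(attr(t, v) for t, v in attrs)
    body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute here


def verify_message_authenticator(pkt, secret):
    """True iff the Message-Authenticator validates under `secret`.
    Only a peer holding this hop's secret can verify (or forge) it."""
    i = 20
    while i < len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + alen:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + alen])
        i += alen
    return False


def proxy_view(pkt):
    """What anyone on the path sees without any secret: every attribute is
    cleartext. The EAP payload is opaque only because TLS between the
    supplicant and the *home* server encrypted it, not because of RADIUS."""
    attrs = parse_attrs(pkt[20:])
    outer = b"".join(v for t, v in attrs if t == ATTR_USER_NAME).decode()
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    return {"outer_identity": outer, "realm": outer.rsplit("@", 1)[-1], "eap_len": len(eap)}


def rehop(pkt, new_ident, next_hop_secret):
    """Proxy forwarding: drop the verified Message-Authenticator, pick a fresh
    Identifier and Request Authenticator, and re-sign with the secret shared
    with the *next* hop. Integrity is strictly per hop."""
    attrs = [(t, v) for t, v in parse_attrs(pkt[20:]) if t != ATTR_MESSAGE_AUTHENTICATOR]
    return build_access_request(new_ident, os.urandom(16), attrs, next_hop_secret)


def demo():
    inner_identity = b"alice@example.org"     # constructed: lives only inside TLS
    secret_nas_proxy = b"constructed-nas-secret"
    secret_proxy_home = b"constructed-home-secret"
    # Constructed stand-in for the TLS record that would carry the inner
    # identity in EAP-TTLS (EAP type 21); real traffic has ciphertext here.
    tls_placeholder = bytes(range(0x20, 0x50))
    eap_response = struct.pack("!BBHBB", 2, 1, 6 + len(tls_placeholder), 21, 0) + tls_placeholder
    attrs = [(ATTR_USER_NAME, b"anonymous@example.org"), (ATTR_EAP_MESSAGE, eap_response)]
    pkt = build_access_request(7, bytes(range(16)), attrs, secret_nas_proxy)

    tampered = bytearray(pkt)
    tampered[22] ^= 0x01                      # flip one bit in the User-Name value
    forwarded = rehop(pkt, 42, secret_proxy_home)
    view = proxy_view(pkt)
    return {
        "outer_identity": view["outer_identity"],
        "realm": view["realm"],
        "inner_identity_visible_to_proxy": inner_identity in pkt,
        "proxy_verifies_with_nas_secret": verify_message_authenticator(pkt, secret_nas_proxy),
        "proxy_verifies_with_home_secret": verify_message_authenticator(pkt, secret_proxy_home),
        "tampered_verifies": verify_message_authenticator(bytes(tampered), secret_nas_proxy),
        "forwarded_verifies_at_home": verify_message_authenticator(forwarded, secret_proxy_home),
        "forwarded_verifies_with_nas_secret": verify_message_authenticator(forwarded, secret_nas_proxy),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the run makes visible: the proxy routes on the cleartext outer User-Name and can verify integrity only with the secret for its own hop (the home server's secret does nothing for it, and the re-signed packet no longer verifies under the NAS secret), and the inner identity never appears anywhere in the RADIUS packet, so correlating a proxied request to a real user is only possible if the home server chooses to reveal it.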

