Tomasz Wolniewicz <[EMAIL PROTECTED]> wrote:
> Suppose we want to use PAP-TTLS.
> It would seem natural that the proxying is done on the basis of the outer
> identity and the tunneled data is never revealed to the proxy server
> at org-2. Unfortunately our tests seem to show that the server at org-2 needs
> to get the user data, including the password.

  I wouldn't say "needs", but "has access to".

> Is it possible to configure things in a secure way? Of course, the
> servers need to trust each other, but some trust is one thing and seeing
> passwords in plain text is another. I realise that other forms of
> authentication, which do not transmit passwords, will not have that problem.

  If you're using normal PAP without TTLS, the proxy server has access to
the clear-text password for the user, as it's in the packet.

  TTLS + PAP is no different.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
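As an added illustration of the point in Alan's reply (example code written for this page, not from the thread or from FreeRADIUS): the RADIUS User-Password attribute is not encrypted but obfuscated (RFC 2865 section 5.2) with an MD5-keyed XOR over the shared secret and the Request Authenticator, so every RADIUS hop that knows the secret on its inbound link recovers the plaintext and re-encodes it for the next link. With TTLS + PAP the TLS tunnel only shields the inner PAP exchange up to the server that terminates TTLS (org-2 in the question); once that server has decrypted the inner PAP it forwards an ordinary RADIUS request, and the password travels in this reversible form. The function names, the hop secrets and the sample passwords below are mine, chosen for illustration.

```python
"""RFC 2865 User-Password obfuscation, and what each RADIUS proxy hop can see.

Added example; not code from the mailing-list thread or from FreeRADIUS.
"""
import hashlib
import os
from typing import List


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 specifies.

    p1..pn are 16-byte chunks of the NUL-padded password.
    b1 = MD5(S + RA), b(i) = MD5(S + c(i-1)), c(i) = p(i) XOR b(i).
    This is obfuscation, not encryption: anyone holding S inverts it.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + 16], b)
        out += c
        prev = c  # chaining: the next key block depends on this ciphertext block
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the plaintext. This is exactly what every proxy hop does."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(encoded), 16):
        c = encoded[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += _xor(c, b)
        prev = c
    # The padding is NUL bytes and is stripped, so the scheme cannot carry a
    # password that itself ends in NUL bytes.
    return bytes(out).rstrip(b"\x00")


def simulate_proxy_chain(password: bytes, hop_secrets: List[bytes]) -> List[bytes]:
    """Walk one Access-Request through a chain of RADIUS servers.

    hop_secrets[i] is the shared secret on the link into server i
    (e.g. [org1->org2, org2->home]). Each server decodes the attribute
    with its inbound secret, and therefore holds the plaintext, then picks
    a fresh Request Authenticator and re-encodes for the next link.
    Returns the plaintext as seen at every hop.
    """
    seen: List[bytes] = []
    authenticator = os.urandom(16)
    encoded = encode_user_password(password, hop_secrets[0], authenticator)
    for i, secret in enumerate(hop_secrets):
        plaintext = decode_user_password(encoded, secret, authenticator)
        seen.append(plaintext)
        if i + 1 < len(hop_secrets):
            authenticator = os.urandom(16)
            encoded = encode_user_password(plaintext, hop_secrets[i + 1], authenticator)
    return seen


if __name__ == "__main__":
    # Constructed sample: a user at org-1 authenticates via org-2 to their home server.
    hops = [b"org1-to-org2-secret", b"org2-to-home-secret"]
    for hop, pw in enumerate(simulate_proxy_chain(b"pa55w0rd", hops)):
        print(f"hop {hop} recovers plaintext: {pw!r}")
```

The chain above models only the RADIUS leg after TTLS has been terminated; the TLS tunnel protects the password on the wire from the supplicant to the TTLS server, but whichever server holds the TTLS private key (and every RADIUS proxy behind it) sees the plaintext. The only configurations that keep org-2 from reading the password are ones in which org-2 never terminates the tunnel (it forwards the outer EAP to the home server) or the inner method does not carry a reusable password at all, which is the case Tomasz alludes to at the end of his message.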