> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Wolniewicz
> Sent: Tuesday, July 13, 2004 21:30
> To: [EMAIL PROTECTED]
> Subject: EAP-TTLS proxying
>
> I hope this is not a totally stupid question.
> Suppose a user [EMAIL PROTECTED] wants to access the network at org-2 by
> authenticating at org-1 via the proxy mechanism.
> Suppose we want to use PAP-TTLS.
> It would seem natural that the proxying is done on the basis of the outer
> identity and the tunneled data is never revealed to the proxy server
> at org-2.
Yes, that's exactly how it should be.

> Unfortunately our tests seem to show that the server at org-2 needs
> to get the user data, including the password.

Very weird.... I have that same scenario and the password AND inner username are never revealed, because that information is tunneled in a secure TLS tunnel and encapsulated in an EAP packet. The 1st server (that acts as a proxy) just sees some anonymous username, an EAP-Message, and some more stuff (Message-Authenticator, etc...) but never the real username and password. The org-2 server CAN'T open a TLS connection to get access to the "critical information": user+pass!!! If that happens, that's no longer a "secure connection" :)

> Is it possible to configure things in the secure way? Of course, the
> servers need to trust each other, but some trust is one thing and seeing
> passwords in plain text is another. I realise that other forms of
> authentication, which do not transmit passwords will not have that problem.

That's the way things are supposed to be.... Only the authentication server has access to user+pass....

Can you send the config?

We have a cookbook for freeradius (it is all in Portuguese but the configuration part is in "native English") at:

http://www.fccn.pt/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=199&MMN_position=140:4:90

You are welcome to download, try and comment on it, of course. Contributions are most welcome!

Luis Guido

> Yours
> Tomasz
>
> --
> Tomasz M. Wolniewicz
> [EMAIL PROTECTED]
> http://www.uni.torun.pl/~twoln
>
> Uczelniane Centrum Informatyczne      Information&Communication Technology Centre
> Uniwersytet Mikolaja Kopernika        Nicolaus Copernicus University,
> pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
> tel: +48-56-611-2750  fax: +48-56-622-1850  tel kom.: +48-693-032-576
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
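As an added example, not from either message in the thread: a small Python script that models what the proxy at org-2 actually has to work with. It parses a constructed RADIUS Access-Request, picks the home server from the realm of the outer User-Name only, and checks whether any password attribute is visible at all; the realm table, server names and the EAP-Message bytes are made up for the example.

```python
import struct

# RADIUS attribute type codes (RFC 2865 / RFC 2869)
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80

# Hypothetical realm table of the org-2 proxy: realm -> home server (constructed names)
REALMS = {"org-1": "radius.org-1.example", "org-2": "radius.org-2.example"}


def attr(code, value):
    """Encode one RADIUS attribute as type/length/value (length includes the 2-byte header)."""
    return struct.pack("!BB", code, len(value) + 2) + value


def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        code, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((code, data[i + 2:i + length]))
        i += length
    return attrs


def route_by_outer_identity(attrs):
    """Choose the home server from the realm of the OUTER User-Name; None if the realm is unknown.
    Nothing inside the EAP-Message is consulted, because the proxy cannot read the TLS tunnel."""
    for code, value in attrs:
        if code == USER_NAME and b"@" in value:
            return REALMS.get(value.split(b"@", 1)[1].decode())
    return None


def credentials_visible(attrs):
    """True if the proxy can see a User-Password attribute; with EAP-TTLS it only sees EAP-Message."""
    return any(code == USER_PASSWORD for code, _ in attrs)


# Constructed sample of what the org-2 proxy receives during EAP-TTLS: an anonymous outer
# identity, an EAP-Message carrying an EAP-Response of type 21 (TTLS) whose TLS payload is
# opaque (bytes made up), and the Message-Authenticator that integrity-protects the request.
PROXIED_REQUEST = (attr(USER_NAME, b"anonymous@org-1")
                   + attr(EAP_MESSAGE, bytes.fromhex("020a000a150016030100"))
                   + attr(MESSAGE_AUTHENTICATOR, bytes(16)))

# Constructed sample of plain PAP over RADIUS (no tunnel): here the proxy would see a password.
PAP_REQUEST = attr(USER_NAME, b"user@org-1") + attr(USER_PASSWORD, bytes(16))
```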