Actually - not really a silly question!

Since you reported what actually happened and why, I suspect the information
will be useful to others who attempt to do the same thing (two servers
running on the same box) and run into the same scenario...

Of course it DOES require someone to look at the archives! [grin]

gm...

----- Original Message ----- 
From: "Tomasz Wolniewicz" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 16, 2004 7:55 AM
Subject: Re: EAP-TTLS proxying


> I hoped no one would bring that up, since this was my silly mistake.
> Of course everything is just as it should be and the reason for this odd
> behaviour was that out of laziness we have set up two servers on one
> machine (on different ports). Obviously radius realises that keys and
> everything are the same so it does not bother doing a TTLS proxy.
>
> So unfortunately this was a silly question, and no problem on the side of
> freeradius.
> Tomasz
>
> On Fri, Jul 16, 2004 at 12:24:31PM +0100, Luis Guido wrote:
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On
> > > Behalf Of Tomasz Wolniewicz
> > > Sent: Tuesday, July 13, 2004 21:30
> > > To: [EMAIL PROTECTED]
> > > Subject: EAP-TTLS proxying
> > >
> > >
> > > I hope this is not a totally stupid question.
> > > Suppose a user [EMAIL PROTECTED] wants to access the network at org-2 by
> > > authenticating at org-1 via the proxy mechanism.
> > > Suppose we want to use PAP-TTLS.
> > > It would seem natural that the proxying is done on the basis of the outer
> > > identity and the tunneled data is never revealed to the proxy server at org-2.
> >
> > Yes, that's exactly how it should be.
> >
> > > Unfortunately our tests seem to show that the server at org-2 needs
> > > to get the user data, including the password.
> >
> > Very weird.... I have that same scenario and the password AND inner username
> > are never revealed, because that information is tunneled in a secure TLS
> > tunnel and encapsulated in an EAP packet. The 1st server (that acts as a
> > proxy) just sees some anonymous username, an EAP-Message, and some more
> > stuff (Message-Authenticator, etc...) but never the real username and
> > password. The org-2 server CAN'T open the TLS connection to get access to
> > the "critical information": user+pass!!! If that happens that's no longer a
> > "secure connection" :)
> >
> > > Is it possible to configure things in the secure way? Of course, the
> > > servers need to trust each other, but some trust is one thing and seeing
> > > passwords in plain text is another. I realise that other forms of
> > > authentication, which do not transmit passwords, will not have that problem.
> >
> > That's the way things are supposed to be.... Only the authentication
> > server has access to user+pass....
> > Can you send the config? We have a cookbook for freeradius (it's all in
> > Portuguese but the configuration part is in "native English") at:
> > http://www.fccn.pt/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=199&MMN_position=140:4:90
> >
> > You are welcome to download, try and comment on it, of course.
> > Contributions are most welcome!
> >
> > Luis Guido
> >
> > > Yours
> > > Tomasz
> > >
> > > -- 
> > > Tomasz M. Wolniewicz
> > >        [EMAIL PROTECTED]
> > > http://www.uni.torun.pl/~twoln
> > >
> > > Uczelniane Centrum
> > > Informatyczne   Information&Communication Technology Centre
> > > Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
> > > pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
> > > tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >
> >
> >
>
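Luis's point in the quoted exchange, that the org-2 proxy can act only on the outer packet (an anonymous outer identity, the EAP-Message and the Message-Authenticator) and never gets the tunnelled username and password, can be made concrete. The following is an added example, not code from the thread or from FreeRADIUS: it builds a constructed Access-Request as the proxy would receive it during the first EAP round, verifies the Message-Authenticator (RFC 3579) with the shared secret, and chooses a home server purely from the realm in the outer User-Name. The shared secret, the realm table and the host names are made-up values for the example.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579).
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80

# Constructed values for this example only; not taken from the thread.
SHARED_SECRET = b"example-proxy-secret"          # NAS/proxy shared secret
OUTER_IDENTITY = b"anonymous@org-1"               # what the org-2 proxy sees
REALM_TABLE = {                                   # hypothetical realm routing
    "org-1": "radius.org-1.example",
    "org-2": "LOCAL",
}
REQUEST_AUTHENTICATOR = bytes(range(16))          # fixed for reproducibility


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity (RFC 3748): Code=2, Identifier, Length, Type=1, data."""
    body = bytes([1]) + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def encode_attrs(attrs):
    """Type(1) Length(1) Value, with Length covering the two header bytes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_access_request(identifier, attrs):
    """Serialise an Access-Request whose last attribute is a valid Message-Authenticator."""
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    pkt += REQUEST_AUTHENTICATOR + body
    mac = hmac.new(SHARED_SECRET, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac        # overwrite the 16 zero bytes with the HMAC


def parse_attrs(pkt):
    """Walk the attribute list after the 20-byte header; reject malformed lengths."""
    attrs, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[i + 2:i + length]))
        i += length
    return attrs


def verify_message_authenticator(pkt):
    """Recompute HMAC-MD5 over the packet with the MA value zeroed (RFC 3579 3.2)."""
    i = 20
    while i + 2 <= len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            expected = hmac.new(SHARED_SECRET, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += max(length, 2)
    return False   # a request carrying EAP-Message without MA must be discarded


def proxy_decision(pkt):
    """Everything the proxy can decide from the outer packet alone."""
    if not verify_message_authenticator(pkt):
        return {"action": "drop", "reason": "bad or missing Message-Authenticator"}
    attrs = parse_attrs(pkt)
    types = {t for t, _ in attrs}
    if EAP_MESSAGE not in types:
        return {"action": "drop", "reason": "no EAP-Message"}
    outer = next(v for t, v in attrs if t == USER_NAME).decode()
    realm = outer.rpartition("@")[2] if "@" in outer else None
    home = REALM_TABLE.get(realm)
    return {
        "action": "local" if home == "LOCAL" else ("proxy" if home else "reject"),
        "home_server": home,
        "outer_identity": outer,
        "sees_password": USER_PASSWORD in types,   # never True for EAP-TTLS
    }


def demo():
    pkt = build_access_request(7, [
        (USER_NAME, OUTER_IDENTITY),
        (EAP_MESSAGE, eap_response_identity(1, OUTER_IDENTITY)),
    ])
    # Flip one bit of the outer User-Name (offset 22 = first value byte).
    tampered = pkt[:22] + bytes([pkt[22] ^ 0x20]) + pkt[23:]
    return {"good": proxy_decision(pkt), "tampered": proxy_decision(tampered)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The routing decision uses only the realm of the outer identity, exactly as the thread describes; the inner identity and password are inside the TLS record that the later EAP-Message fragments carry and never appear as RADIUS attributes. The integrity check is the one practical thing the proxy must do with the outer packet: a request whose outer User-Name has been altered in transit fails Message-Authenticator verification and is dropped before any realm lookup.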