Attribute and Message Editing


Attribute and Message Editing

Tahseen Hussain
Hi Everybody,

Is it possible to avoid attribute editing and message editing by using
EAP-TTLS or EAP-PEAP in a proxy environment?

As far as I understood, in EAP-TTLS a tunnel is formed between a user and
the TTLS server; now this TTLS server will forward the request to the
proxy and the proxy to the home RADIUS server. So the threat here is from the
proxy, which can falsely edit attributes and messages.

For example, if the home RADIUS server sends an Access-Accept packet, it is
possible that a proxy can change the same packet to Access-Reject
(wantedly), so that the user will not be able to access the visited network.


Thanks in advance,

Tahseen




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Attribute and Message Editing

Alan DeKok
"Tahseen Hussain" <[hidden email]> wrote:
> Is it possible to avoid attribute editing and message editing by using
> EAP-TTLS or EAP-PEAP in a proxy environment?

  Yes.

> As far as I understood, in EAP-TTLS a tunnel is formed between a user and
> the TTLS server; now this TTLS server will forward the request to the
> proxy and the proxy to the home RADIUS server. So the threat here is from the
> proxy, which can falsely edit attributes and messages.

  If the proxy terminates the TLS session.

> For example, if the home RADIUS server sends an Access-Accept packet, it is
> possible that a proxy can change the same packet to Access-Reject
> (wantedly), so that the user will not be able to access the visited network.

  Yes.

  Any proxy can do this, and there's nothing you can do to solve that
problem.

  Alan DeKok.
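Why the NAS cannot tell, as an added illustration that is not part of the thread or of FreeRADIUS: the RADIUS Response Authenticator (RFC 2865) is a hop-by-hop MD5 keyed with the shared secret of each link, so a proxy holding the NAS-facing secret can change the Code and produce a packet that verifies correctly at the NAS. The secrets, identifier and attribute bytes below are constructed sample values, and the model assumes the proxy forwards the original Request Authenticator unchanged.

```python
import hashlib
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

def build_packet(code, ident, authenticator, attributes):
    """Assemble a RADIUS packet: 20-byte header (RFC 2865 section 3) plus attributes."""
    length = 20 + len(attributes)
    return struct.pack("!BBH", code, ident, length) + authenticator + attributes

def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def sign_response(code, ident, request_auth, attributes, secret):
    """Build a response whose authenticator is keyed with this hop's secret."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    return build_packet(code, ident, auth, attributes)

def verify_response(packet, request_auth, secret):
    """What a NAS does on receipt: recompute the authenticator with its own hop secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attributes = packet[20:length]
    expected = response_authenticator(code, ident, request_auth, attributes, secret)
    return packet[4:20] == expected

def proxy_rewrite(packet, request_auth, new_code, nas_secret):
    """Model of the threat discussed above: the proxy changes the Code and re-signs
    with the secret it shares with the NAS; the hop-by-hop check is keyed for it."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    return sign_response(new_code, ident, request_auth, packet[20:length], nas_secret)

# Constructed sample values (hypothetical, not from any real deployment).
REQUEST_AUTH = bytes(range(16))
HOME_SECRET = b"home-proxy-secret"
NAS_SECRET = b"nas-proxy-secret"
ATTRS = bytes([1, 7]) + b"alice"   # User-Name (type 1, length 7) = "alice"

def demo():
    """Returns (verdict at the proxy on the home server's Access-Accept,
    verdict at the NAS on the rewritten packet, Code the NAS actually sees)."""
    accept = sign_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, ATTRS, HOME_SECRET)
    rewritten = proxy_rewrite(accept, REQUEST_AUTH, ACCESS_REJECT, NAS_SECRET)
    return (verify_response(accept, REQUEST_AUTH, HOME_SECRET),
            verify_response(rewritten, REQUEST_AUTH, NAS_SECRET),
            rewritten[0])

if __name__ == "__main__":
    print(demo())   # (True, True, 3): both hops verify, yet the NAS sees Access-Reject
```

The EAP-TTLS/PEAP tunnel protects only the inner EAP exchange; the outer RADIUS Code and attributes are exactly what each proxy is trusted to handle, which is the point of the reply above.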
