Proxy-tester nagios check for Freeradius


Fekete Tamás
Hello!

I would like to make a proxy-tester Nagios check for Freeradius and would
like to ask for some help with debugging, as I am experiencing some problems
using eapol_test.

The design is that a user wants to authenticate at realm "A" with
credentials stored at realm "B".
The infrastructure is already set up for proxying based on the realm names, and
the Access-Requests are forwarded.

I tried this proxy scenario with radtest. And with radtest it works.

However, I have some questions regarding this developer work.
Maybe you can help me.

The first is: is it true that radtest doesn't encrypt its messages, so
proxy requests will contain the password in a recoverable manner?

-  Tamas Fekete
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Proxy-tester nagios check for Freeradius

Alan DeKok-2
On Feb 5, 2019, at 5:58 AM, Fekete Tamás <[hidden email]> wrote:
>
> I would like to make a proxy-tester Nagios check for Freeradius and would
> like to ask for some help with debugging, as I am experiencing some problems
> using eapol_test.
>
> The design is that a user wants to authenticate at realm "A" with
> credentials stored at realm "B".
> The infrastructure is already set up for proxying based on the realm names, and
> the Access-Requests are forwarded.

  OK...

> I tried this proxy scenario with radtest. And with radtest it works.
>
> However, I have some questions regarding this developer work.
> Maybe you can help me.
>
> The first is: is it true that radtest doesn't encrypt its messages, so
> proxy requests will contain the password in a recoverable manner?

  The User-Password attribute is protected "on the wire".  The passwords are recoverable, because the home server has to check them.

  See RFC 2865 Section 5.2 for more information.

  Alan DeKok.



Re: Proxy-tester nagios check for Freeradius

Fekete Tamás
Thank you!
It solved all my further questions.

Alan DeKok <[hidden email]> wrote (on Tue, Feb 5, 2019, 14:01):

> On Feb 5, 2019, at 5:58 AM, Fekete Tamás <[hidden email]> wrote:
> >
> > I would like to make a proxy-tester Nagios check for Freeradius and would
> > like to ask for some help with debugging, as I am experiencing some problems
> > using eapol_test.
> >
> > The design is that a user wants to authenticate at realm "A" with
> > credentials stored at realm "B".
> > The infrastructure is already set up for proxying based on the realm names, and
> > the Access-Requests are forwarded.
>
>   OK...
>
> > I tried this proxy scenario with radtest. And with radtest it works.
> >
> > However, I have some questions regarding this developer work.
> > Maybe you can help me.
> >
> > The first is: is it true that radtest doesn't encrypt its messages, so
> > proxy requests will contain the password in a recoverable manner?
>
>   The User-Password attribute is protected "on the wire".  The passwords
> are recoverable, because the home server has to check them.
>
>   See RFC 2865 Section 5.2 for more information.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html