Of accounting data and security
Michael Lecuyer
mjl at iterpacis.org
Mon Aug 9 04:01:24 CEST 2010
TACACS+ uses an MD5 pad based on the session ID, shared secret, TACACS+
version, and packet sequence number. This is XOR'd over the packet. The
pad is in multiples of the MD5 hash length.
The header is sent plain text and includes the sequence number, the
session ID and version number.
Encoding and decoding are symmetrical. It is not considered strong encoding.
We're all fortunate RADIUS doesn't use this to encode packets.
Natr Brazell wrote:
> Thanks,
>
> I'm looking into IPSEC at the moment. I'm curious how TACACS+ does
> their encryption?
>
> N
>
> On Fri, Aug 6, 2010 at 4:09 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
> Natr Brazell wrote:
> > Is there a way to secure the communication between the radius server and
> > the NAS especially wrt accounting data?
>
> IPSec.
>
> Most NASes implement IPv4, and not much else. "Security" means "don't
> run RADIUS over a network where users have access".
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
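
The pad construction described in the message above, written out as an added example that is not part of the original post or of any project's code. It follows the TACACS+ specification (RFC 8907), in which each MD5 block after the first also hashes the previous block; the key, session ID and body are constructed sample values.

```python
import hashlib
import struct

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chain MD5 blocks until the pad covers `length` bytes, then truncate."""
    # Hash input order per RFC 8907: session_id, key, version, seq_no.
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()  # block n also hashes block n-1
        pad += block
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call encodes and decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

# Constructed sample values, not taken from any capture or deployment.
KEY = b"example-shared-secret"
SESSION_ID, VERSION, SEQ_NO = 0x1A2B3C4D, 0xC0, 1
BODY = b"constructed accounting body, longer than one MD5 block"

def demo():
    args = (SESSION_ID, KEY, VERSION, SEQ_NO)
    wire = obfuscate(BODY, *args)
    # No integrity check: a byte altered in transit decodes without error,
    # and the change lands at the same offset in the decoded body.
    altered = bytes([wire[0] ^ 0x01]) + wire[1:]
    decoded_altered = obfuscate(altered, *args)
    return {
        "round_trip": obfuscate(wire, *args) == BODY,
        "altered_decodes_silently": decoded_altered[0] == BODY[0] ^ 0x01
        and decoded_altered[1:] == BODY[1:],
        # The sequence number is part of the hash input, so each packet
        # in a session is covered by a different pad.
        "pad_changes_with_seq_no": pseudo_pad(*args, len(BODY))
        != pseudo_pad(SESSION_ID, KEY, VERSION, SEQ_NO + 1, len(BODY)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every hash input except the shared secret travels in the plain-text header, so the secret is the only thing protecting the body.
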
More information about the Freeradius-Users mailing list