Of accounting data and security

Natr Brazell natrbrazell at gmail.com
Mon Aug 9 14:39:41 CEST 2010


Curious why we're fortunate?  Could you elaborate some?

On Sun, Aug 8, 2010 at 10:01 PM, Michael Lecuyer <mjl at iterpacis.org> wrote:

> TACACS+ uses an MD5 pad based on the session ID, shared secret, TACACS+
> version, and packet sequence number. This is XOR'd over the packet.  The pad
> is in multiples of the MD5 hash length.
>
> The header is sent plain text and includes the sequence number, the session
> ID and version number.
>
> Encoding and decoding are symmetrical. It is not considered strong
> encoding.
>
> We're all fortunate RADIUS doesn't use this to encode packets.
>
> Natr Brazell wrote:
>
>> Thanks,
>>  I'm looking into IPSEC at the moment.  I'm curious how TACACS+ does their
>> encryption?
>>  N
>>
>> On Fri, Aug 6, 2010 at 4:09 PM, Alan DeKok <aland at deployingradius.com> wrote:
>>
>>    Natr Brazell wrote:
>>     > Is there a way to secure the communication between the radius server and
>>     > the NAS especially wrt accounting data?
>>
>>     IPSec.
>>
>>     Most NASes implement IPv4, and not much else.  "Security" means "don't
>>    run RADIUS over a network where users have access".
>>
>>     Alan DeKok.
>>    -
>>    List info/subscribe/unsubscribe? See
>>    http://www.freeradius.org/list/users.html
>>
>>
>
>
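
Added example (not part of the original thread and not FreeRADIUS code): a Python rendering of the TACACS+ body obfuscation described in Michael Lecuyer's quoted message, following the public TACACS+ specification (RFC 8907). The shared secret, session ID and packet body are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import struct

HEADER_LEN = 12  # version, type, seq_no, flags, session_id(4), length(4)

def pseudo_pad(session_id, secret, version, seq_no, length):
    """Chained MD5 pad: built 16 bytes at a time, then cut to `length`."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        # MD5_1 = MD5(seed); MD5_n = MD5(seed + MD5_{n-1})
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def build_packet(version, ptype, seq_no, session_id, body):
    """Clear-text packet: 12-byte header followed by the body."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0,
                         session_id, len(body))
    return header + body

def xor_body(packet, secret):
    """Obfuscate or de-obfuscate a packet; the operation is its own inverse."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("body length does not match header length field")
    pad = pseudo_pad(session_id, secret, version, seq_no, length)
    # The header is copied through untouched; only the body is XOR'd.
    return packet[:HEADER_LEN] + bytes(b ^ p for b, p in zip(body, pad))

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
CLEAR = build_packet(0xC0, 0x03, 1, 0x1A2B3C4D,
                     b"constructed accounting body: user=alice task_id=42")
WIRE = xor_body(CLEAR, SECRET)

if __name__ == "__main__":
    print("header (clear):   ", WIRE[:HEADER_LEN].hex())
    print("body (obfuscated):", WIRE[HEADER_LEN:].hex())
    print("round trip ok:    ", xor_body(WIRE, SECRET) == CLEAR)
```

Every input to the pad except the shared secret is read straight from the clear-text header, so the secret is the only thing protecting the body.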

