How secure is the radius encryption

Alan DeKok aland at
Wed Apr 4 09:57:30 CEST 2012

Thomas Glanzmann wrote:
> thanks for the thorough explanation, I'll go with IPSEC or openvpn. I
> recall reading in Bruce Schneiers book 'Secret and lies' that xor is
> only secure if you use the key only once, so it is very easy to break it
> if you see enough traffic, probably also with different usernames.


  This is why you leave crypto to the experts.

  The above explanation is based on a superficial understanding "xor is
bad", without also knowing how the RADIUS "encryption" method works.

  The people who designed RADIUS aren't complete idiots, they do NOT use
the same key to encrypt passwords for different usernames.

  I do *not* want misinformation to be spread on this list.

  For NAS to RADIUS server communication, IPSec is probably overkill.
The NAS doesn't do IPSec, so you still have "insecure" traffic between
the NAS and the local IPSec gateway.  All of this traffic is on a local
intranet.  So... you might as well just use plain RADIUS.

  Pick a strong shared secret, and don't worry about it.
Over-complicating things means that your network is more fragile, and
less likely to work.

  The main use for IPSec in RADIUS is for long-haul links.  e.g. across
the Internet, or between multiple campuses of a company.

  Don't over-think the problem.

  And as always, be careful before ignoring the advice on this list.

  Alan DeKok.

More information about the Freeradius-Users mailing list