20 Dec
2019
20 Dec
'19
8:41 a.m.
On Dec 20, 2019, at 8:39 AM, Sven Hartge <sven@svenhartge.de> wrote:
On 20.12.19 13:53, Alan DeKok wrote:
Using multiple passwords doesn't really help. If the DB is compromised, then *all* passwords are compromised.
Unless you store the password for freeradius in a different database/LDAP server/$whatever from the main password.
This is what I do. The LDAP servers for the network password are separate from the main authentication servers and the RADIUS servers can only interact with their special LDAP servers.
Should the RADIUS servers somehow get compromised, the attacked can only read the lower-value network password from there and not everything else.
That works. I'm just too lazy to do that. :) Alan DeKok.