Hi,
insecure hashing/encryption method does not compromise the entire security of RADIUS.
incorrectly/poorly configured CLIENTS can comprise the entire security of RADIUS. if you are tunneling the credentials through a link using eg TLS 1.2, using a private CA and the client is configured to ONLY trust that CA (and not soem public one) and trust the CN (and not just any server cert from that CA) then you have a solid target to attack. MSCHAPv2 etc have their issues - but when you have no alternatives presented then having them wrapped up in the correct TLS tunnel is the answer.
- https://www.ietf.org/rfc/rfc6614.txt and (related) https://en.wikipedia.org/wiki/Diameter_(protocol) (why would someone make this if RADIUS itself is secure?)
actually its because they (Diameter folk) are crazy ;-)
- It should be noted that back in 2002 Microsoft already called the usage of EAP-(T)TLS or IPSEC for RADIUS traffic 'best practice' (see previously mentioned MSDN page).
ah, Microsoft who have ensured their RADIUS platform supports RADSEC...oh..no..wait a minute :/ alan