Thomas Glanzmann wrote:
thanks for the thorough explanation, I'll go with IPSEC or openvpn. I recall reading in Bruce Schneiers book 'Secret and lies' that xor is only secure if you use the key only once, so it is very easy to break it if you see enough traffic, probably also with different usernames.
No. This is why you leave crypto to the experts. The above explanation is based on a superficial understanding "xor is bad", without also knowing how the RADIUS "encryption" method works. The people who designed RADIUS aren't complete idiots, they do NOT use the same key to encrypt passwords for different usernames. I do *not* want misinformation to be spread on this list. For NAS to RADIUS server communication, IPSec is probably overkill. The NAS doesn't do IPSec, so you still have "insecure" traffic between the NAS and the local IPSec gateway. All of this traffic is on a local intranet. So... you might as well just use plain RADIUS. Pick a strong shared secret, and don't worry about it. Over-complicating things means that your network is more fragile, and less likely to work. The main use for IPSec in RADIUS is for long-haul links. e.g. across the Internet, or between multiple campuses of a company. Don't over-think the problem. And as always, be careful before ignoring the advice on this list. Alan DeKok.