21 Oct
2010
21 Oct
'10
11:16 a.m.
On 21/10/10 15:50, Rowley, Mathew wrote:
Ah, that is true. I never though that deeply into it, and only did a POC. Is the downfall of doing things this way that passwords must be sent in the clear?
Not really. The User-Password radius field is "encrypted" with the shared secret, which is reasonable (though not excellent) security. For wireless/wired 802.1x users, the issue is that the windows supplicant does not *support* EAP-TTLS/PAP. It only supports EAP-PEAP/MS-CHAP, so rlm_krb5 is no use in this (common) case. As I say, if you're just checking PAP it may meet your needs.