communication safe ssh <-> NAS <-> FreeRADIUS ?
Hi, I authenticate on cisco equipments via ssh/telnet. There is no supplicant, so I don't understand in my case and i would like to know if the communication between my cisco equipment and my FreeRadius safe is. I have a secret shared between both. I understand that the communciation between freeradius and the client radius use the protocol Radius. But in my case there is no PEAP, EAP/TLS ... Someone can confirm me please if the communication is safe ? because I afraid to see in the file users my password in clear-text. Is it possible to use md5, ssha ... and how ? Thanks, Regards, François
Am 19.05.2009 um 14:14 schrieb François Mehault:
Hi,
I authenticate on cisco equipments via ssh/telnet. There is no supplicant, so I don’t understand in my case and i would like to know if the communication between my cisco equipment and my FreeRadius safe is. I have a secret shared between both. I understand that the communciation between freeradius and the client radius use the protocol Radius. But in my case there is no PEAP, EAP/TLS …
Someone can confirm me please if the communication is safe ? because I afraid to see in the file users my password in clear- text. Is it possible to use md5, ssha … and how ?
For the compatibility, see http://deployingradius.com/documents/ protocols/compatibility.html
Thanks,
Regards,
François
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Have a nice day! Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Oki, thanks. In fact, I want my radius client crypt my passwd in md5 for example, and freeradius check the MD5 hash. So I understand I have to use PAP ? In my modul ldap I think I have to put « password_attribute = userPassword ». But If I do, I have to put my password in clear in my ldap, otherwise it don't works. Also, I can comment the « password_attribute = userPassword » in my ldap module and put my password in md5/ssha etc... in openldap and it works. But I don't know very well why ?? modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } De : freeradius-users-bounces+francois.mehault=netplus.fr@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus.fr@lists.freeradius.org] De la part de Nicolas Goutte Envoyé : mardi 19 mai 2009 14:45 À : FreeRadius users mailing list Objet : Re: communication safe ssh <-> NAS <-> FreeRADIUS ? Am 19.05.2009 um 14:14 schrieb François Mehault: Hi, I authenticate on cisco equipments via ssh/telnet. There is no supplicant, so I don't understand in my case and i would like to know if the communication between my cisco equipment and my FreeRadius safe is. I have a secret shared between both. I understand that the communciation between freeradius and the client radius use the protocol Radius. But in my case there is no PEAP, EAP/TLS ... Someone can confirm me please if the communication is safe ? because I afraid to see in the file users my password in clear-text. Is it possible to use md5, ssha ... and how ? For the compatibility, see http://deployingradius.com/documents/protocols/compatibility.html Thanks, Regards, François - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Have a nice day! Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Oki, thanks. In fact, I want my radius client crypt my passwd in md5 for example, and freeradius check the MD5 hash. So I understand I have to use PAP ? In my modul ldap I think I have to put « password_attribute = userPassword ». But If I do, I have to put my password in clear in my ldap, otherwise it don't works.
Store password as {md5} and then encrypted value and enable auto header detection in pap module (it's disabled by default):
pap { encryption_scheme = "auto" auto_header = no }
Ivan Kalik Kalik Informatika ISP
I authenticate on cisco equipments via ssh/telnet. There is no supplicant, so I don't understand in my case and i would like to know if the communication between my cisco equipment and my FreeRadius safe is. I have a secret shared between both. I understand that the communciation between freeradius and the client radius use the protocol Radius. But in my case there is no PEAP, EAP/TLS ... Someone can confirm me please if the communication is safe ? because I afraid to see in the file users my password in clear-text. Is it possible to use md5, ssha ... and how ?
Radius protocol *uses* md5 to encrypt password in the request. http://www.ietf.org/rfc/rfc2865.txt Ivan Kalik Kalik Informatika ISP
participants (3)
-
François Mehault -
Ivan Kalik -
Nicolas Goutte