Remote MySQL backend encryption
I see thats what I thought, I also confirmed its all clear text with tcpdump. If I were to switch my backend to an ldap system would I have encrypted traffic for user authentication with freeradius remote ldap/backend setup? Also is there a nas/radacct table equivalent in the ldap solution or is it strictly for user authentication? Message: 9 Date: Mon, 26 Apr 2010 15:04:17 -0400 From: John Dennis <jdennis@redhat.com> Subject: Re: Remote MySQL backend encryption To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4BD5E3B1.8060706@redhat.com> Content-Type: text/plain; charset=UTF-8; format=flowed On 04/26/2010 01:57 PM, Eric.Hernandez@allegiantair.com wrote:
Hi,
I am trying to figure out if need to encrypt my traffic from a FreeRadius server to a remote MySQL backend.
I have the following setup.
FreeRadius/MySQL (Server1)
FreeRadius/MySQL (Server2) Both Server1 and Server2 are doing MySQL Master to Master (ssl) Replication
Now I want to add a third FreeRadius server without a local MySQL Backend.
So this third server will point to either Server1 or Server2 which runs MySQL but will these request be sent to the remote MySQL Servers in clear text?
This has nothing to do with how many MySQL servers you've got or how you're doing replication, encryption occurs on a per connection basis (e.g. connections established via rlm_sql_mysql). rlm_sql_mysql never opens an encrypted session with it's server because rlm_sql_mysql does not have an option to set SSL/TLS transport (e.g. does not call mysql_ssl_set()). That probably would be a good feature to add. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 04/26/2010 05:33 PM, Eric.Hernandez@allegiantair.com wrote:
I see thats what I thought, I also confirmed its all clear text with tcpdump.
If I were to switch my backend to an ldap system would I have encrypted traffic for user authentication with freeradius remote ldap/backend setup?
Not currently, but I've got a patch for the 1.1.7 version of rlm_ldap, so it might need some tweaking for 2.x
Also is there a nas/radacct table equivalent in the ldap solution or is it strictly for user authentication?
Not currently, but I've got a patch for the 1.1.7 version of rlm_ldap, so it might need some tweaking for 2.x FWIW, I don't have extra cycles at the moment. BTW, patching rlm_sql_mysql to use SSL wouldn't be hard. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On Tue, Apr 27, 2010 at 1:17 AM, John Dennis <jdennis@redhat.com> wrote:
On 04/26/2010 05:33 PM, Eric.Hernandez@allegiantair.com wrote:
I see thats what I thought, I also confirmed its all clear text with tcpdump.
If I were to switch my backend to an ldap system would I have encrypted traffic for user authentication with freeradius remote ldap/backend setup?
Or you could probably tunnel the traffic via SSH or some other encrypted medium. Given this will add overhead though I don't know to say how much in compared to other solutions, depending on your deployment I guess. Regards, Liran Tal.
Not currently, but I've got a patch for the 1.1.7 version of rlm_ldap, so it might need some tweaking for 2.x
Also is there a nas/radacct table equivalent in the ldap solution or is it strictly for user authentication?
Not currently, but I've got a patch for the 1.1.7 version of rlm_ldap, so it might need some tweaking for 2.x
FWIW, I don't have extra cycles at the moment.
BTW, patching rlm_sql_mysql to use SSL wouldn't be hard.
-- John Dennis <jdennis@redhat.com>
Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Eric.Hernandez@allegiantair.com -
John Dennis -
liran tal