https Radius authentication problem
Dear All Radius Developers, I am doing a web Radius authentication. I am also reading Mr. Alan DeKok's article about its security issue. https://github.com/FreeRADIUS/mod_auth_radius For http connection to the website, we know that the password is not encrypted. Now I set up a SSL certificate for the website in question. How do you rate the security of this https Radius authentication? Is the password, being sent over the internet, also encrypted by the usual SSL layer? Hope to receive your helpful response. Yours Faithfully, Timmy
On 13 Sep 2015, at 09:33, Timmy <moonyhk@netscape.net> wrote:
Dear All Radius Developers, I am doing a web Radius authentication. I am also reading Mr. Alan DeKok's article about its security issue. https://github.com/FreeRADIUS/mod_auth_radius For http connection to the website, we know that the password is not encrypted.
Now I set up a SSL certificate for the website in question. How do you rate the security of this https Radius authentication? Is the password, being sent over the internet, also encrypted by the usual SSL layer?
Yes. It's going over HTTP wrapped in SSL... -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 13 Sep 2015, at 11:56, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 13 Sep 2015, at 09:33, Timmy <moonyhk@netscape.net> wrote:
Dear All Radius Developers, I am doing a web Radius authentication. I am also reading Mr. Alan DeKok's article about its security issue. https://github.com/FreeRADIUS/mod_auth_radius For http connection to the website, we know that the password is not encrypted.
Now I set up a SSL certificate for the website in question. How do you rate the security of this https Radius authentication? Is the password, being sent over the internet, also encrypted by the usual SSL layer?
Yes. It's going over HTTP wrapped in SSL...
Weirdly you're not the first person to ask this question... http://serverfault.com/questions/686962/mod-auth-radius-secure-over-https/68... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Dear All Radius Developers, I am doing a web Radius authentication. I am also reading Mr. Alan DeKok's article about its security issue. https://github.com/FreeRADIUS/mod_auth_radius For http connection to the website, we know that the password is not encrypted.
Now I set up a SSL certificate for the website in question. How do you rate the security of this https Radius authentication? Is the password, being sent over the internet, also encrypted by the usual SSL layer?
Yes. It's going over HTTP wrapped in SSL... Weirdly you're not the first person to ask this question...
http://serverfault.com/questions/686962/mod-auth-radius-secure-over-https/68...
I suggest the freeradius team append it on the freeradius wiki. Mr. Alan DeKok only mentions the problem of http, but never mentions the secure side of https with Radius Authentication :)
Why? Its not a RADIUS thing. It's an HTTPS thing - which is documented in FAQs elsewhere in their world. You can assume that when using HTTPS all client communication with the web server over that channel is secured by that SSL mechanism. (Let's ignore insecure certificates, MITM attacks, weak ciphers, various SSL attacks etc) alan
participants (3)
-
Alan Buxey -
Arran Cudbard-Bell -
Timmy