sha128 or sha256 support?
Hello, Does FreeRadius support sha128 or sha256 for the user encrypted password?We are using the internet to communicate between the radius server and network devices.Therefore more strong encrypted password method seems necessary. Thanks a lot,Paul
On May 26, 2021, at 3:03 PM, Honglak Kim via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Does FreeRadius support sha128 or sha256 for the user encrypted password?
Yes. The PAP module supports a wide range of encrypted passwords.
We are using the internet to communicate between the radius server and network devices.Therefore more strong encrypted password method seems necessary.
That is not how RADIUS works. The passwords between the NAS and the RADIUS server are already encrypted with the RADIUS shared secret. The RADIUS server gets a clear-text password in the User-Password attribute. How the passwords are stored in the DB (SHA or whatever) is entirely unrelated. Alan DeKok.
Hi Alan, Now I understand the difference between the RADIUS/NAS encryption and user-password encryption. Per the FreeRADIUS document, "That shared secret followed by the Request Authenticator is put through a one-way MD5 hash to create a 16 octet digest value which is xored with the password entered by the user, and the xored result placed in the User-Password attribute in the Access-Request packet." Now I am just wondering how strong the encryption is on the request packet between RADIUS and NAS.If it is just MD5, then the password could be very quickly cracked. Would it be secure enough to use the communication between RADIUS and NAS over the internet? Thanks a lot,Paul On Wednesday, May 26, 2021, 2:25:28 PM PDT, Alan DeKok <aland@deployingradius.com> wrote: On May 26, 2021, at 3:03 PM, Honglak Kim via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Does FreeRadius support sha128 or sha256 for the user encrypted password?
Yes. The PAP module supports a wide range of encrypted passwords.
We are using the internet to communicate between the radius server and network devices.Therefore more strong encrypted password method seems necessary.
That is not how RADIUS works. The passwords between the NAS and the RADIUS server are already encrypted with the RADIUS shared secret. The RADIUS server gets a clear-text password in the User-Password attribute. How the passwords are stored in the DB (SHA or whatever) is entirely unrelated. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, Are you sending plain text passwords? if worried about the RADIUS datagram being sniffed and attacked then maybe EAP or RADSEC is the way to go... alan
Hello Alan, Probably I am wrong but per my understanding from the "Alan DeKok"'s previous comment, the secret set between the RADIUS and the NAS is always used for the encryption of the user password regardless it is a plain-text or SHA1 encrypted. Basically the encryption of the packets between the RADIUS and the NAS seems nothing to do with the way of the password store either plain-text or SHA1 in the authorize file. My question was how secure the password encryption(based on the secret) in the in-flight packets was if the communication between the RADIUS and the NAS was via the internet. Since it is MD5, it seems not secure enough to send the request datagrams over the internet. Do we have any documents of Radsec or EAP for its actual installation over FreeRadius ? Thanks a lot,Paul On Thursday, May 27, 2021, 1:47:55 AM PDT, Alan Buxey <alan.buxey@gmail.com> wrote: hi, Are you sending plain text passwords? if worried about the RADIUS datagram being sniffed and attacked then maybe EAP or RADSEC is the way to go... alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 27, 2021, at 12:51 AM, Honglak Kim via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Per the FreeRADIUS document, "That shared secret followed by the Request Authenticator is put through a one-way MD5 hash to create a 16 octet digest value which is xored with the password entered by the user, and the xored result placed in the User-Password attribute in the Access-Request packet." Now I am just wondering how strong the encryption is on the request packet between RADIUS and NAS.If it is just MD5, then the password could be very quickly cracked. Would it be secure enough to use the communication between RADIUS and NAS over the internet?
It's strong enough for most purposes. But... it's better to use radsec or IPSec. The server comes with documentation on radsec. See raddb/sites-available/tls Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Honglak Kim