Hi, I'm trying to setup a radius server in order to authenticate users from OpenVPN and I am therefore using the libpam-radius-auth plugin (on Ubuntu 9.10). Since the RADIUS requests that this lib sends are using PAP (as far as I can tell from the freeradius debug output), i was wondering whether it would be possible to send EAP message using libpam-radius-auth (or at least [MS]CHAP) ? I don't even know if it makes sense since EAP messages are in theory sent between the radius server and the access client (not the radius client as libpam-radius-auth enables a host to be). The point is that i don't quite like my users' password (connected via OpenVPN) to be weakly encrypted by the shared secret between the radius client and server and even worse, visible as plain-text in FR debug output. I hope someone will be able to shed some light here because i might be confused over this whole EAP over RADIUS thing... I just want the easiest solution to make the radius communications more secure in my scenario. Thanks for you help ;) P.S: using IPSec to secure the channel between the radius client and server is too much pain in the ass to be considered as a viable solution. I'm not *that* paranoid !
Sebastien Chapiron wrote:
I'm trying to setup a radius server in order to authenticate users from OpenVPN and I am therefore using the libpam-radius-auth plugin (on Ubuntu 9.10). Since the RADIUS requests that this lib sends are using PAP (as far as I can tell from the freeradius debug output), i was wondering whether it would be possible to send EAP message using libpam-radius-auth (or at least [MS]CHAP) ?
Not at this time.
I don't even know if it makes sense since EAP messages are in theory sent between the radius server and the access client (not the radius client as libpam-radius-auth enables a host to be). The point is that i don't quite like my users' password (connected via OpenVPN) to be weakly encrypted by the shared secret between the radius client and server
That's how RADIUS works. I would suggest using a secure network to connect the RADIUS client and server.
and even worse, visible as plain-text in FR debug output.
That's how RADIUS works. Anyone having root on that machine can decode the passwords. Anyone running the server in debugging mode can see the passwords. MS-CHAP won't help. Your passwords are either stored in clear-text in the database (which means someone can read them), or they're hashed, which means (pretty much) that only PAP will work.
P.S: using IPSec to secure the channel between the radius client and server is too much pain in the ass to be considered as a viable solution. I'm not *that* paranoid !
<shrug> Using a real cryptographic protocol to secure network communications is the only way to have a secure network. Alan DeKok.
On Thu, Mar 11, 2010 at 5:55 PM, Alan DeKok <aland@deployingradius.com>wrote:
Sebastien Chapiron wrote:
P.S: using IPSec to secure the channel between the radius client and server is too much pain in the ass to be considered as a viable solution. I'm not *that* paranoid !
<shrug> Using a real cryptographic protocol to secure network communications is the only way to have a secure network.
Ok then, I'll stick to PAP. The need of a secure network is not the primary objective, I was just wondering if there was an easy solution to enhance the security ;) Thanks for your answer !
Regards, Seb
participants (2)
-
Alan DeKok -
Sebastien Chapiron