a bit off-topic policy question

Matt Ashfield mda at unb.ca
Mon Jan 8 20:14:45 CET 2007


Hi All

We're in the process of setting up our wireless system to use radius
authentication against our usernames/passwords which are stored in LDAP.

We have come across an issue in testing the radius server. We are using
Freeradius. 

The way we have this setup is quite standard (I hope). The user associates
to the AccessPoint (AP) and is prompted for authentication credentials for
access to the network. The AP sends the client's username/password
credentials to the Radius server. This connection is secured. The Radius
server then attempts to bind to the LDAP server (again, a secured
connection) using the client's credentials.

The issue we have is when running the Radius server in debug mode with full
log-level, we see the client's username and password in clear-text as it
attempts to bind to the LDAP server. Certainly we could change the debug
mode level to not see this, but the fact that the ability to see that is
available is troubling. I'm sure many others on this list use FreeRadius and
I'm wondering what sort of policies you have in place to address this
security risk. Anyone with high-level access to the box could certainly
login, make a change to the debug level and capture sensitive login
information.

Any advice/feedback is appreciated.

Thanks

Matt
mda at unb.ca
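As an added illustration of the risk described in the post (this is not the poster's code or anything from the FreeRADIUS project), the script below scrubs credential values out of `radiusd -X`-style debug output before it is stored or shared. The sample log text is constructed for the example; the exact format of the `rlm_ldap` bind line is an assumption, and the list of attribute names treated as secrets is an assumption beyond the `User-Password` attribute the post is concerned with. The point is that a debug capture can be sanitized by a log pipeline even when the daemon itself prints the password in the clear.

```python
import re

# Attribute names whose values should never be retained from debug output.
# User-Password is the one the post describes; the rest are assumed extras.
SECRET_ATTRS = (
    "User-Password",
    "Cleartext-Password",
    "Password",
    "NT-Password",
    "LM-Password",
)

# Matches attribute lines such as:   User-Password = "hunter2"
# (leading tab as printed by radiusd -X, quoted or unquoted value).
_ATTR_RE = re.compile(
    r'^(?P<prefix>\s*(?:%s)\s*(?::=|=)\s*)(?P<value>"[^"]*"|\S+)'
    % "|".join(re.escape(a) for a in SECRET_ATTRS)
)

# Assumed shape of an LDAP bind trace line: "bind as <dn>/<password> to <host>".
_BIND_RE = re.compile(r"bind as (?P<dn>\S+?)/(?P<pw>\S+)")

REDACTED = "<REDACTED>"


def redact_line(line: str) -> str:
    """Return the line with any credential value replaced by a placeholder."""
    m = _ATTR_RE.match(line)
    if m:
        quoted = m.group("value").startswith('"')
        repl = '"%s"' % REDACTED if quoted else REDACTED
        return line[: m.start("value")] + repl + line[m.end("value"):]
    m = _BIND_RE.search(line)
    if m:
        return line[: m.start("pw")] + REDACTED + line[m.end("pw"):]
    return line


def redact_log(text: str):
    """Redact every line of a debug capture; return (clean_text, lines_changed)."""
    out = []
    changed = 0
    for line in text.splitlines():
        clean = redact_line(line)
        if clean != line:
            changed += 1
        out.append(clean)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changed


# Constructed sample resembling a radiusd -X session; not a real capture.
SAMPLE_DEBUG = (
    "rad_recv: Access-Request packet from host 192.0.2.10 port 1812, id=17, length=61\n"
    '\tUser-Name = "alice"\n'
    '\tUser-Password = "hunter2"\n'
    "\tNAS-IP-Address = 192.0.2.10\n"
    "rlm_ldap: bind as uid=alice,ou=people,dc=example,dc=org/hunter2 to ldap.example.org:389\n"
    "rlm_ldap: bind was successful\n"
)

if __name__ == "__main__":
    clean, n = redact_log(SAMPLE_DEBUG)
    print(clean)
    print("lines redacted:", n)
```

Running it prints the same capture with both occurrences of the password replaced, leaving the username and the rest of the trace intact. Sanitizing after the fact is a mitigation for accidental retention, not for the underlying exposure the post raises: anyone who can restart `radiusd -X` on the box sees the value before any filter runs, so the real control is who holds root on the RADIUS host and whether that access is itself audited.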





