Of accounting data and security
Michael Lecuyer
mjl at iterpacis.org
Mon Aug 9 18:52:33 CEST 2010
We would be stuck with static weak security built in to RADIUS just like
TACACS uses.
There are options for securely tunneling RADIUS packets that weren't
available in the early years. Secure tunneling doesn't require changes
to the RADIUS protocol. The EAP-TLS extension alone has made most of
RADIUS secure.
For TACACS changing the encoding means re-writing every client and
server. Tunneling TCP through SSL takes way too many packets to
efficiently perform a large number of each separate authentication,
authorization and accounting transaction.
Built in transport security is a bad idea. For TACACS it is the only way
since PAP/ASCII authentication and password changes really are sent in
plain text.
Please, no more talk of TACACS. Its not a good example of anything.
Natr Brazell wrote:
> Curious why we're fortunate? Could you elaborate some?
>
> On Sun, Aug 8, 2010 at 10:01 PM, Michael Lecuyer <mjl at iterpacis.org
> <mailto:mjl at iterpacis.org>> wrote:
>
> TACACS+ uses an MD5 pad based on the session ID, shared secret,
> TACACS+ version, and packet sequence number. This is XOR'd over the
> packet. The pad is in multiples of the MD5 hash length.
>
> The header is sent plain text and includes the sequence number, the
> session ID and version number.
>
> Encoding and decoding are symmetrical. It is not considered strong
> encoding.
>
> We're all fortunate RADIUS doesn't use this to encode packets.
>
> Natr Brazell wrote:
More information about the Freeradius-Users
mailing list