password encrypt

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Nov 22 17:47:43 CET 2011


On 22 Nov 2011, at 17:32, Dale Grice wrote:

> Hi all,
> 
> 
> I am hoping that someone can verify my understanding of one part of the Xauth process. I am using a Juniper SSG as a firewall and need to allow access from a vendor on the untrust zone to a server on a demil zone for admin purposes.
> 
> My understanding is that freeradius uses the secret password in the clients.conf file to encrypt the user password sent to the Juniper in this case, which then sends it to the untrust user for verification. Is this correct? I am trying to determine if the password is in the clear on the Internet or if I have to go through the trouble of setting up a VPN between the vendor and the server.

It's as good as in the clear. Don't send RADIUS packets with User-Password attributes over the public net with the standard RADIUS reversible encryption defined in RFC 2865. It's based on MD5, and MD5 has been horribly broken for years.

If you want to do this you should download version 3 head, and use the RADSEC functionality, with two RADIUS servers, one acting as a translator for the Juniper between RADSEC and UDP based RADIUS. Or like you say, use a VPN.

Arran Cudbard-Bell
a.cudbardb at freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
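To make the "reversible encryption" point concrete, here is an added illustration of the RFC 2865 User-Password hiding scheme (my own example code, not from this thread or from FreeRADIUS): each 16-octet block of the password is XORed with MD5(secret || previous block), where the first "previous block" is the Request Authenticator that travels in the clear in the same packet, so anyone holding the shared secret and the packet can reverse it. The secret, authenticator and password below are constructed sample values.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, then c(i) = p(i) XOR MD5(secret + c(i-1)),
    with c(0) being the 16-octet Request Authenticator sent unprotected in the same packet."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block  # the ciphertext block keys the next block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: the key stream is recomputable from the secret plus
    bytes already visible on the wire, so confidentiality rests entirely on the shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    password, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        password += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    # trailing NULs are padding per RFC 2865; a password that itself ends in NUL is ambiguous
    return password.rstrip(b"\x00")


def demo():
    # Constructed sample values. The Request Authenticator is fixed here for reproducibility;
    # a real NAS picks a fresh random one per Access-Request.
    secret = b"testing123"
    request_authenticator = bytes(range(16))
    password = b"correct horse battery staple"
    hidden = hide_user_password(password, secret, request_authenticator)
    with_secret = reveal_user_password(hidden, secret, request_authenticator)
    without_secret = reveal_user_password(hidden, b"wrong-secret", request_authenticator)
    return hidden, with_secret, without_secret


if __name__ == "__main__":
    h, ok, bad = demo()
    print(h.hex(), ok, bad)
```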
