Best Practices - maximum NAS entries in clients.conf

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Sep 12 17:01:32 CEST 2011


On 12 Sep 2011, at 16:41, Bruce Nunn wrote:

> If the network your APs are on is physically secure, and you don't need accounting for individual APs, you can use netmasks to define clients in the clients.conf file.
> 

Why would using a shared shared-secret or netmasks mess with accounting? But yes, honestly, MD5 has been broken for some time; the only reason to use individual shared secrets is if you're still running something like PAP for Terminal login to the Access Point itself.

Using a shared, shared secret does reduce the security of the protocol and increase the probability that the secret could be obtained... and of course if you've got one you've got them all.

But if you're just running EAP with a TLS layer, then the only thing it buys you is DDoS protection and request/response integrity, and that's only useful if the attacker is in a position to play MITM, or flood your server with requests...

-Arran

Arran Cudbard-Bell
a.cudbardb at freeradius.org

RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.
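As an added example (not code from this thread or from FreeRADIUS itself), here is the request/response integrity that the shared secret provides, which the reply above refers to: the Response Authenticator of an Access-Accept/Reject is MD5 over the packet header, the Request Authenticator, the attributes and the secret (RFC 2865, section 3), so a NAS can reject a reply that was forged or altered by anyone who does not hold the secret. The secret, packet identifier and Request Authenticator below are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration only; a real NAS would send
# 16 fresh random bytes as the Request Authenticator.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18  # RADIUS attribute type


def build_attrs(*pairs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for attr_type, value in pairs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_response(code, ident, request_auth, attrs, secret):
    """Build a RADIUS response; its Authenticator is
    MD5(Code | Identifier | Length | RequestAuth | Attributes | Secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator as the NAS would.
    True only if the packet is intact and was built with this secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    """Genuine reply verifies; wrong secret or altered attributes do not."""
    pkt = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH,
                         build_attrs((REPLY_MESSAGE, b"ok")), SECRET)
    tampered = pkt[:20] + build_attrs((REPLY_MESSAGE, b"no"))
    return (verify_response(pkt, REQUEST_AUTH, SECRET),
            verify_response(pkt, REQUEST_AUTH, b"wrong-secret"),
            verify_response(tampered, REQUEST_AUTH, SECRET))
```

Note that this check binds the reply only to whoever holds the secret, which is exactly why one secret shared across every AP on a netmask client means a compromise of one AP lets replies be forged for all of them.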
