Secure auth methods pam_radius

Alan DeKok aland at
Tue Dec 3 19:11:17 CET 2013

Bob Probert wrote:
> In my understanding RADIUS provides security in the form of an MD5 hash
> -- not ideal.

  I said RADIUS secures the password.  I meant that.

  It helps to understand the system before trying to fix it.

> Has RADSEC been implemented for this PAM module? If not, how is the
> community sanitizing this traffic? IPSEC? STUNNEL?

  You're asking the wrong questions.  Your questions are based on a
false assumption: that the password is insecure in normal RADIUS.

  There is no evidence to believe that this is true.

  If you want the traffic to be *more* secure, set the RADIUS server to
be, and run a RADIUS proxy on the local machine.  It can then
do RadSec to anywhere you want.

  Or, you can configure IPSec, so that the RADIUS PAM module
communicates with the RADIUS server over a network secured by IPSec.

  Both solutions require *zero* changes to the PAM module.  All they
require is a little knowledge of networking.

  Alan DeKok.

More information about the Freeradius-Users mailing list