Secure auth methods pam_radius

Bob Probert bruisebrotherprobert at
Tue Dec 3 20:57:46 CET 2013

Alan and Arran,

Thanks for your response.

The security of Radius has been questioned on a number of occasions, it not
out of line to question it on the Radius Users mailing list.

On Tue, Dec 3, 2013 at 10:11 AM, Alan DeKok <aland at>wrote:

> Bob Probert wrote:
> > In my understanding RADIUS provides security in the form of an MD5 hash
> > -- not ideal.
>   I said RADIUS secures the password.  I meant that.
>   It helps to understand the system before trying to fix it.
> > Has RADSEC been implemented for this PAM module? If not, how is the
> > community sanitizing this traffic? IPSEC? STUNNEL?
>   You're asking the wrong questions.  Your questions are based on a
> false assumption: that the password is insecure in normal RADIUS.
>   There is no evidence to believe that this is true.
>   If you want the traffic to be *more* secure, set the RADIUS server to
> be, and run a RADIUS proxy on the local machine.  It can then
> do RadSec to anywhere you want.
>   Or, you can configure IPSec, so that the RADIUS PAM module
> communicates with the RADIUS server over a network secured by IPSec.
>   Both solutions require *zero* changes to the PAM module.  All they
> require is a little knowledge of networking.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list