PAM_Radius EAP-TTLS

Qrious Qrious at semtexgaming.com
Fri Aug 21 11:29:17 CEST 2015


Hi,

I'm setting up a RADIUS server which among others has to be linked to
PAM. One of my primary requirements is that it uses secure
cryptography.  The main question is:

1. Does the PAM Radius module support EAP-TTLS with an inner tunnel of PAP?

I did some research and came across
http://lists.freeradius.org/pipermail/freeradius-users/2013-December/069408.html,
which unfortunately doesn't answer my question.
I scanned through the source code of the PAM_radius module, which does
not have any indication of TLS support.

Background:

Most supported protocols are based on MD5, which has been severely
compromised [1], or a single DES key (MSCHAP V2) [2], which is also
compromised. So that only leaves the TLS-based protocols.

Based on [3] I assume I should use PAP for the inner tunnel, because
this enables me to store hashed passwords (will use SSHA512).

If you know a more secure setup, don't hesitate to advise me :). Also,
if I made a mistake somewhere, don't hesitate to correct me :)

As a final remark, I think it would be beneficial for the security of
many account details, both transferred and stored for (FREE)RADIUS, to
include clear warnings on the pages about insecure
protocols/authentication standards.


[1] https://en.wikipedia.org/wiki/MD5
[2] https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
[3] http://deployingradius.com/documents/protocols/compatibility.html
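The reasoning above (PAP inside the TLS tunnel so that the server only needs a salted hash, not the cleartext or NT hash that CHAP/MS-CHAPv2 require) can be made concrete with the password-store side. The following is an added example, not code from the original post or from the FreeRADIUS or pam_radius projects. It assumes the common "salted SHA" storage convention used by OpenLDAP-style stores and by FreeRADIUS rlm_pap for SSHA2-512: a `{ssha512}` prefix followed by base64(sha512(password || salt) || salt). The salt length and the function names are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed format (not from the original post): {ssha512} + base64(digest || salt),
# where digest = sha512(password_bytes || salt). The salt is stored after the
# 64-byte digest so the verifier can recover it from the stored value alone.
PREFIX = "{ssha512}"
SALT_LEN = 16                                  # example choice; any length works
DIGEST_LEN = hashlib.sha512().digest_size      # 64 bytes


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a salted SHA-512 string suitable for a hashed-password store.

    A fresh random salt is drawn unless one is supplied (supplying one is only
    useful for tests and for reproducing a stored value).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password: str, stored: str) -> bool:
    """Check a cleartext password (as delivered by PAP inside the TTLS tunnel)
    against a stored {ssha512} value. Returns False for any malformed input
    rather than raising, so a bad database entry cannot crash the auth path.
    """
    prefix, sep, b64 = stored.partition("}")
    if not sep or (prefix + sep).lower() != PREFIX:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                          # binascii.Error is a ValueError
        return False
    if len(raw) <= DIGEST_LEN:                  # must contain at least one salt byte
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so a wrong guess leaks nothing through timing.
    return hmac.compare_digest(candidate, digest)


def salts_differ(password: str) -> bool:
    """Two hashes of the same password should not be equal: the random salt
    defeats precomputed tables, which is the point of storing SSHA512 rather
    than a bare MD5/SHA digest or an NT hash.
    """
    return make_ssha512(password) != make_ssha512(password)


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    stored = make_ssha512("correct horse battery staple")
    print(stored)
    print("good password accepted:", verify_ssha512("correct horse battery staple", stored))
    print("bad password rejected:", not verify_ssha512("Tr0ub4dor&3", stored))
    print("salts differ between hashes:", salts_differ("correct horse battery staple"))
```

The store only ever holds the salted digest; the server can verify a PAP inner-tunnel password with it, but it could not answer a CHAP or MS-CHAPv2 challenge because those need the cleartext or the unsalted NT hash at verification time.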

