PAM_Radius EAP-TTLS

Alan DeKok aland at deployingradius.com
Fri Aug 21 12:21:07 CEST 2015


On Aug 21, 2015, at 5:29 AM, Qrious <Qrious at semtexgaming.com> wrote:
> I'm setting up a RADIUS server which among others has to be linked to
> PAM. One of my primary requirements is that it uses secure
> cryptography.  The main question is:
> 
> 1. Does the PAM Radius module support EAP-TTLS with an inner tunnel of PAP?

  No.

> Most supported protocols are based on MD5, which has been severely
> compromised[1], or a single DES key (MSCHAP V2) [2], which is also
> compromised. So that only leaves the TLS based protocols,

  That's a simplistic approach.  Relying on buzzwords is no substitute for understanding.

  The truth is that the use of MD5 in RADIUS has no known security problems.  So your worries are unfounded.

> If you know a more secure setup, don't hesitate to advise me :). Also
> if I made a mistake somewhere, don't hesitate to correct me :)

  Use RADIUS the way it was designed.  The people who've spent 20 years working with it are competent.

> As a final remark, I think it would be beneficial for the security of
> many account details, both transferred and stored for (FREE)RADIUS, to
> include clear warnings on the pages about insecure
> protocols/authentication standards.

  No.  Because there are no security problems.

  Honestly, do you think in 2015 that we'd be recommending the use of protocols which were broken and insecure?  Even Microsoft doesn't do that any more.

  Alan DeKok.



