PAM_Radius EAP-TTLS

A.L.M.Buxey at lboro.ac.uk
Fri Aug 21 15:39:38 CEST 2015


Hi,

> insecure hashing/encryption method does not compromise the entire
> security of RADIUS.

incorrectly/poorly configured CLIENTS can compromise the entire security of RADIUS.
if you are tunneling the credentials through a link using eg TLS 1.2, using a private
CA and the client is configured to ONLY trust that CA (and not some public one) and
trust the CN (and not just any server cert from that CA) then you have a solid
target to attack. MSCHAPv2 etc have their issues - but when you have no alternatives presented
then having them wrapped up in the correct TLS tunnel is the answer.

> - https://www.ietf.org/rfc/rfc6614.txt and (related)
> https://en.wikipedia.org/wiki/Diameter_(protocol)  (why would someone
> make this if RADIUS itself is secure?)

actually it's because they (Diameter folk) are crazy  ;-)

> - It should be noted that back in 2002 Microsoft already called the
> usage of EAP-(T)TLS or IPSEC for RADIUS traffic 'best practice' (see
> previously mentioned MSDN page).

ah, Microsoft who have ensured their RADIUS platform supports RADSEC...oh..no..wait a minute :/


alan
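The client-side setup the post describes (trust only the private CA, verify the server name, keep MSCHAPv2 inside a modern TLS tunnel), as an added example in wpa_supplicant.conf syntax: this is not configuration from the post or from the FreeRADIUS project, and every SSID, path, realm, hostname and credential in it is a constructed placeholder.

```conf
# Added example, not from the mailing list post. Two EAP-TTLS client profiles:
# the weak form first, then the form the post argues for. All names are placeholders.

# --- WEAK: any server certificate is accepted, nothing checks who the server is ---
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    # No ca_cert and no domain_match: the supplicant builds a tunnel to whatever
    # answers, so the MSCHAPv2 exchange inside it is only as safe as the tunnel.
}

# --- HARDENED: private CA only, exact server name, legacy TLS versions refused ---
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    # Outer identity carries no real username; the real one only travels inside TLS
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    # Trust ONLY the organisation's own CA file, not the system/public CA bundle
    ca_cert="/etc/ssl/private-ca/example-org-radius-ca.pem"
    # Require the exact server name (SAN dNSName or CN), so another certificate
    # issued by the same private CA is still not accepted as the RADIUS server
    domain_match="radius.example.org"
    # Only allow TLS 1.2 or newer for the outer tunnel
    phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
}
```

The first profile is the "poorly configured client" from the post; the second is what "ONLY trust that CA" and "trust the CN" look like in practice.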


More information about the Freeradius-Users mailing list