Is vulnerabe the process of sending credentials to a NAS ?

Alan DeKok aland at
Fri Jan 22 17:31:20 CET 2016

On Jan 22, 2016, at 11:22 AM, Daniel Lopez <danilogo1991 at> wrote:
> Hello. I've got a doubt about the security in authentication process.
> Suppose we have our Freeradius server configured to authenticate a certain
> user via password (Cleartext-Password) and MAC address
> (Calling-Station-Id). When this user tries to authenticate via a NAS
> (wireless router), and sends it its credentials, is it possible that an
> attacker could obtain those credentials by sniffing the comunication? And
> then gain access by mac address spoofing?

  If they can see the RADIUS traffic, yes.

  But someone on the LAN can see the MAC address anyways.

> And if so, How could this be avoided? How to protect this first step?

  RADIUS over TLS, or IPSec to protect the RADIUS traffic.

  Nothing can be done to hide the MAC on the local network.  Your only choice there is to move to something like EAP, where you're authenticating via TLS, and not via an easily spoofed MAC address.

  Alan DeKok.

More information about the Freeradius-Users mailing list