Is there a best practice around credential storage?
Alan DeKok
aland at deployingradius.com
Fri Dec 20 14:41:43 CET 2019
On Dec 20, 2019, at 8:39 AM, Sven Hartge <sven at svenhartge.de> wrote:
>
> On 20.12.19 13:53, Alan DeKok wrote:
>
>> Using multiple passwords doesn't really help. If the DB is compromised, then *all* passwords are compromised.
>
> Unless you store the password for freeradius in a different
> database/LDAP server/$whatever from the main password.
>
> This is what I do. The LDAP servers for the network password are
> separate from the main authentication servers and the RADIUS servers can
> only interact with their special LDAP servers.
>
> Should the RADIUS servers somehow get compromised, the attacker can only
> read the lower-value network password from there and not everything else.
That works.
I'm just too lazy to do that. :)
Alan DeKok.
More information about the Freeradius-Users mailing list