sha128 or sha256 support?
honglak_kim at yahoo.com
Thu May 27 06:51:53 CEST 2021
Now I understand the difference between the RADIUS/NAS encryption and user-password encryption.
Per the FreeRADIUS document, "That shared secret followed by the Request Authenticator is put through a one-way MD5 hash to create a 16 octet digest value which is xored with the password entered by the user, and the xored result placed in the User-Password attribute in the Access-Request packet."
Now I am just wondering how strong the encryption is on the request packet between RADIUS and NAS.If it is just MD5, then the password could be very quickly cracked. Would it be secure enough to use the communication between RADIUS and NAS over the internet?
Thanks a lot,Paul
On Wednesday, May 26, 2021, 2:25:28 PM PDT, Alan DeKok <aland at deployingradius.com> wrote:
On May 26, 2021, at 3:03 PM, Honglak Kim via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Does FreeRadius support sha128 or sha256 for the user encrypted password?
Yes. The PAP module supports a wide range of encrypted passwords.
> We are using the internet to communicate between the radius server and network devices.Therefore more strong encrypted password method seems necessary.
That is not how RADIUS works.
The passwords between the NAS and the RADIUS server are already encrypted with the RADIUS shared secret. The RADIUS server gets a clear-text password in the User-Password attribute.
How the passwords are stored in the DB (SHA or whatever) is entirely unrelated.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users