[EXT] Multiple NAS clients within same network
Alan DeKok
aland at deployingradius.com
Tue Oct 4 18:23:14 UTC 2022
On Oct 4, 2022, at 1:39 PM, Brian Julin <BJulin at clarku.edu> wrote:
>
> Alan DeKok <aland at deployingradius.com> wrote:
>> Use RADIUS over TLS. It solves this problem, and is secure.
>> I have a document which I will be working through the IETF as a new RADIUS standard. It will officially deprecate RADIUS/UDP, and require TLS transport for most situations.
>> The document will also explain just how bad an idea it is to run RADIUS/UDP over the Internet. Do you like people breaking all of your security? No?
>> Then don't run RADIUS/UDP over the Internet.
>
> That surely cannot be emphasized enough. It's surprising people do it.
I just submitted a document to the IETF:
https://datatracker.ietf.org/doc/html/draft-dekok-radext-deprecating-radius-00
And wrote an article on it:
https://networkradius.com/articles/2022/10/04/radius-insecurity.html
From the IETF document:
4. All short Shared Secrets have been compromised
Unless RADIUS packets are sent over a secure network (IPSec, TLS,
etc.), administrators should assume that any shared secret of 8
characters or less has been immediately compromised. Administrators
should assume that any shared secret of 10 characters or less has
been compromised by an attacker with significant resources.
Administrators should also assume that any private information (such
as User-Password) which depends on such shared secrets has also been
compromised.
Further, if a User-Password has been sent over the Internet via
RADIUS/UDP or RADIUS/TCP in the last decade, you should assume that
password has been compromised by an attacker with sufficient
resources.
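The draft's thresholds above translate directly into something an administrator can run against a FreeRADIUS clients.conf. The following is an added example, not code from the message, the draft or the FreeRADIUS project: it parses client blocks, and for every client that is not configured with `proto = tls` it flags (a) shared secrets of 8 characters or less (assume compromised) or 10 or less (assume compromised by a well-resourced attacker), and (b) clients whose address is outside the address space the auditor treats as internal, i.e. RADIUS/UDP or RADIUS/TCP that crosses the Internet. The `INTERNAL_NETS` list, the sample clients.conf and all names, addresses and secrets in it are constructed assumptions for this example.

```python
import ipaddress
import re

# Thresholds taken from section 4 of draft-dekok-radext-deprecating-radius-00
# as quoted in the message above.
SECRET_LEN_IMMEDIATE = 8    # 8 chars or less: assume already compromised
SECRET_LEN_RESOURCED = 10   # 10 chars or less: assume compromised by a resourced attacker

# Address space this auditor treats as "inside the network" (RFC 1918 plus
# loopback). Assumption of the example; adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in FreeRADIUS clients.conf syntax; the names, addresses
# (RFC 5737 documentation ranges) and secrets are made up for this example.
SAMPLE_CLIENTS_CONF = """
client lab-switch {
    ipaddr = 10.0.0.5
    secret = testing123
}
client branch-ap {
    ipaddr = 192.168.7.0/24
    secret = q7Vx-9mLpR2wZ0hTe4Bn
}
client roaming-partner {
    ipaddr = 203.0.113.10
    secret = hunter2
}
client wifi-tls {
    ipaddr = 198.51.100.4
    proto = tls
    secret = radsec
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return a list of dicts (name, ipaddr, secret, proto, ...) from clients.conf text."""
    clients = []
    for m in CLIENT_RE.finditer(text):
        attrs = dict(KV_RE.findall(m.group(2)))
        attrs["name"] = m.group(1)
        clients.append(attrs)
    return clients


def is_internal(ipaddr):
    """True if the client address or prefix lies wholly inside INTERNAL_NETS."""
    net = ipaddress.ip_network(ipaddr, strict=False)
    return any(net.version == n.version and net.subnet_of(n) for n in INTERNAL_NETS)


def audit_client(client):
    """Return a list of (severity, message) findings for one client block."""
    findings = []
    proto = client.get("proto", "udp")
    secret = client.get("secret", "")
    if proto == "tls":
        # RADIUS/TLS is protected by the TLS session and certificates; the fixed
        # secret "radsec" is not what secures the traffic, so no length finding applies.
        return findings
    if not is_internal(client["ipaddr"]):
        findings.append(("critical",
                         "RADIUS/%s to a non-internal address; use RADIUS/TLS" % proto.upper()))
    if len(secret) <= SECRET_LEN_IMMEDIATE:
        findings.append(("critical",
                         "secret of %d chars: assume compromised" % len(secret)))
    elif len(secret) <= SECRET_LEN_RESOURCED:
        findings.append(("high",
                         "secret of %d chars: assume compromised by a resourced attacker" % len(secret)))
    return findings


def audit(text):
    """Audit every client block; returns {client_name: findings} for clients with findings."""
    report = {}
    for client in parse_clients(text):
        findings = audit_client(client)
        if findings:
            report[client["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CLIENTS_CONF).items():
        for severity, message in findings:
            print("%s: [%s] %s" % (name, severity, message))
```

Run against the sample, `lab-switch` is reported for its 10-character secret, `roaming-partner` for both a short secret and a non-internal peer, `branch-ap` passes, and `wifi-tls` is skipped because the transport, not the secret, is what protects it. The parser is deliberately minimal (no nested blocks, no `$INCLUDE`); for a production audit, point it at the files FreeRADIUS actually loads.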