On 2010/08/09 11:14 PM, Alan DeKok wrote:
The accounting data is sent in the clear on a LAN. This shouldn't be
a problem.
If you're sending accounting data across the Internet, use IPSec.
Don't even pretend to use anything else. RADIUS (and TACACS+) security
is simply not as good as
Hi,
My thinking was to use radsecproxy-freeradius (my nas, coova, supports
radsec).
Any comments on ipsec vs radsec?
RADIUS with TLS over TCP (what some define as 'RADSec') is good. cant wait
until
all mainstream RADIUS servers support it natively. until then, RADSecproxy
will do
what
Thanks Alan,
At the moment we have restricted the accounting data to a layer 2 VPLS
segment however I'll investigate the use of IPSEC as well to let those that
worry about these things sleep better at night.
n
On Tue, Aug 10, 2010 at 3:53 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Hi,
TACACS+ uses an MD5 pad based on the session ID, shared secret, TACACS+
version, and packet sequence number. This is XOR'd over the packet. The
pad is in multiples of the MD5 hash length.
The header is sent plain text and includes the sequence number, the
session ID and version number.
Curious why we're fortunate? Could you elaborate some?
On Sun, Aug 8, 2010 at 10:01 PM, Michael Lecuyer m...@iterpacis.org wrote:
TACACS+ uses an MD5 pad based on the session ID, shared secret, TACACS+
version, and packet sequence number. This is XOR'd over the packet. The pad
is in
We would be stuck with static weak security built in to RADIUS just like
TACACS uses.
There are options for securely tunneling RADIUS packets that weren't
available in the early years. Secure tunneling doesn't require changes
to the RADIUS protocol. The EAP-TLS extension alone has made most
:)
Wasn't suggesting I'd use TACACS+. I am in the process of replacing my
customers existing TACACS+ architecture however they keep coming back to the
ability of TACACS+ over Radius to secure, or rather, not send accounting
data across the network in the clear. (I assume this is the case) I
Natr Brazell wrote:
Wasn't suggesting I'd use TACACS+. I am in the process of replacing my
customers existing TACACS+ architecture however they keep coming back to
the ability of TACACS+ over Radius to secure, or rather, not send
accounting data across the network in the clear. (I assume
Thanks,
I'm looking into IPSEC at the moment. I'm curious how TACACS+ does their
encryption?
N
On Fri, Aug 6, 2010 at 4:09 PM, Alan DeKok al...@deployingradius.comwrote:
Natr Brazell wrote:
Is there a way to secure the communication between the radius server and
the NAS especially wrt
Is there a way to secure the communication between the radius server and the
NAS especially wrt accounting data?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 6, 2010, at 12:32 PM, Natr Brazell wrote:
Is there a way to secure the communication between the radius server and the
NAS especially wrt accounting data?
I assume RADSEC will handle Accounting data too, but it's only a draft
currently. IPSec? Create tunnels between the NAS and the
Natr Brazell wrote:
Is there a way to secure the communication between the radius server and
the NAS especially wrt accounting data?
IPSec.
Most NASes implement IPv4, and not much else. Security means don't
run RADIUS over a network where users have access.
Alan DeKok.
-
List
12 matches
Mail list logo