#24: Backend password attacks

> Section 4.5
>
> "These typically require the password in its original text form in order to
> authenticate the peer, hence they require the peer to send the clear
> text user name and password to the EAP server."
>
> One of the issues with support for cleartext passwords is the potential
> attacks against the AAA backend (e.g. User-Password attribute) in split
> authentication scenarios. Is it worth calling this out?
How about adding the following to the security considerations section:

"If the inner method is terminated at a different location than the outer tunnel, then the inner method data may be vulnerable to modification and eavesdropping between the server that terminates the tunnel and the server that terminates the inner method. For example, if a clear text password is used then it may be sent to the inner method server in a RADIUS password attribute, which uses weak encryption that may not be suitable protection for many environments."

--
Ticket URL: <http://wiki.tools.ietf.org/wg/emu/trac/ticket/24>
emu <http://tools.ietf.org/wg/emu/>

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
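The "weak encryption" the proposed text refers to is the User-Password hiding scheme of RFC 2865 section 5.2: the password is padded to 16-octet blocks and XORed with an MD5-derived keystream keyed by the shared secret and the Request Authenticator. The following Python is an added illustration written for this page, not code from the ticket, the draft or any RADIUS implementation. It implements the hiding and its inverse, and includes a check showing why the scheme counts as weak: under one shared secret and one Request Authenticator the first block's keystream is the same for every password, so the protection between the tunnel server and the inner-method server rests entirely on the shared secret and on the transport (which is the split-authentication concern raised above). The secret and Request Authenticator below are constructed sample values.

```python
import hashlib

BLOCK = 16  # RFC 2865 hides User-Password in 16-octet blocks keyed by MD5


def _pad_password(password: bytes) -> bytes:
    """Pad with NUL octets to a multiple of 16 (at least one block), per RFC 2865 5.2."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    return padded or b"\x00" * BLOCK


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Build the User-Password attribute value.

    Each 16-octet block is XORed with MD5(secret + previous block); for the
    first block the 'previous block' is the 16-octet Request Authenticator.
    """
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad_password(password)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += cipher_block
        prev = cipher_block  # chaining: next keystream depends on this ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as done by every RADIUS hop holding the shared secret."""
    if len(hidden) == 0 or len(hidden) % BLOCK != 0:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        cipher_block = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher_block, keystream))
        prev = cipher_block
    # NUL padding is stripped; a password that itself ends in NUL octets is ambiguous
    return bytes(out).rstrip(b"\x00")


def first_block_keystream_reused(pw_a: bytes, pw_b: bytes, secret: bytes,
                                 request_authenticator: bytes) -> bool:
    """Check the stream-cipher property that makes the scheme weak.

    With the same secret and Request Authenticator the first block's keystream
    does not depend on the password, so
        hidden_a[:16] XOR hidden_b[:16] == padded_a[:16] XOR padded_b[:16].
    Returns True when that relation holds.
    """
    hidden_a = hide_user_password(pw_a, secret, request_authenticator)
    hidden_b = hide_user_password(pw_b, secret, request_authenticator)
    padded_a, padded_b = _pad_password(pw_a), _pad_password(pw_b)
    xor_hidden = bytes(x ^ y for x, y in zip(hidden_a[:BLOCK], hidden_b[:BLOCK]))
    xor_plain = bytes(x ^ y for x, y in zip(padded_a[:BLOCK], padded_b[:BLOCK]))
    return xor_hidden == xor_plain


if __name__ == "__main__":
    # Constructed sample values; not taken from any real deployment
    SECRET = b"constructed-shared-secret"
    REQ_AUTH = bytes(range(16))
    hidden = hide_user_password(b"correct horse battery staple", SECRET, REQ_AUTH)
    print("User-Password value:", hidden.hex())
    print("recovered by any hop with the secret:", reveal_user_password(hidden, SECRET, REQ_AUTH))
    print("first-block keystream reused:",
          first_block_keystream_reused(b"alpha", b"bravo", SECRET, REQ_AUTH))
```

Every RADIUS proxy between the tunnel server and the inner-method server holds the shared secret for its hop and can run reveal_user_password; nothing in the attribute itself limits who reads it, which is why the proposed security-considerations text recommends treating the hiding as insufficient on its own and protecting the hop by other means.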
