John Dennis wrote:
> On 08/26/2009 04:16 AM, Rachid Zarouali wrote:
>> Hello Dimitri,
>> I'll try to answer your questions the best i can :-)
>>
>> Basically we plain to use the ldap ipa password.
>> at first we want to use radius for authentication only.
>>
>> i'm not sure about what you call outer/inner methods :(
>> the base of the authentication is the project is the ipa ldap
>> on which we try to connect a freeradius server which is used to
>> authenticate admin's on router/firewall .....
>>
>> am i clear ?
>
> If it's just admin access on a router/firewall I don't see a problem
> at the moment. You should be able to use PAP on the router/firewall,
> it encrypts the plaintext password and sends it to the freeradius
> server which decrypts resulting in the plaintext password. The
> freeradius server would then be configured to use Kerberos, it uses
> the plaintext password and obtains a TGT (i.e. it does a kinit on
> behalf of the user) if this is successful the radius authentication is
> successful. All this should work "out of the box" for both IPA and
> FreeRADIUS (although you'll have to edit the FreeRADIUS config to
> enable krb5).
>
> We're not thrilled with this solution because the radius server sees a
> plaintext password (although it's encrypted during transport). The
> security is adequate but not ideal. Safer authentication methods
> require us to do more integration work between IPA and FreeRADIUS,
> which at the moment is a deferred work item.
I agree with John, PAP would most likely work in this case but as John
mentioned would not be ideal from security point of view.
Before we lock on lowest common denominator which is PAP let us see if
there is anything we can do to make it a bit more secure.
Your routers and firewalls have a set of the authentication methods they
support.
PAP is the basic method. There are also more advanced so called EAP
methods (Extensible Authentication Protocol) .
Those EAP methods  usually establish a tunnel and then pass the
authentication inside this tunnel.

In the pure RADIUS case without EAP PAP will use a shared secret known
by your end point and RADIUS server to hash the password using
reversible hashing algorithm.
Shared secrets should be pretty long to avoid dictionary attacks. I
would not be comfortable with them being less then 128 bit of entropy
(random alphanumeric with punctuation 20 character shared secrets would do).
But this is still not as comfortable as SSL for example. So there is an
EAP method that allows passing your password inside the SSL encrypted
blob (PEAP). The SSL can be just a tunnel or an authenticated tunnel
(the client and server can mutually authenticate each other during the
handshake). So this would be an outer method. Inside SSL tunnel you can
pass clear text password,  PAP, CHAP etc. In this case PAP will be an
inner method.

So the first step is to determine what auth methods your routes and
firewalls support. The RADIUS servers support  a lot of different inner
and outer methods.
So may be PAP can be tunneled using PEAP or some other method supported
both by your routers and RADIUS server. This needs to be investigated.
When we know what the routers are capable of we would be able to advice
if there any more secure configuration than just PAP.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to