At 11:54 AM 5/15/2002 -0400, Alan DeKok wrote:
>Chris Parker <[EMAIL PROTECTED]> wrote:
> > That could be solved by establishing an IPSec tunnel between our radius
> > and your servers, setting up a direct network connection ( peering point )
> > for exchange of radius/authentication traffic, or installing a server
> > at our colo facility so auth traffic never crosses a third-party network.
> >
> > > Anybody making NAS boxes that support IPSec tunnelling?
> >
> > Yes, but the number that support IPSec tunneling of radius packets is
> > about equal to the number that support EAP authentication. :\
>
> I'm curious if there would be any use/interest in hacking FreeRADIUS
>to "encrypt" packets it's sending to a proxy.
I wouldn't invent a proprietary method.
> Pro: Some minor peace of mind
>
> Con: It's only interoperable with itself.
Maybe. I think support somehow for enabling IPSec to be used between
selected clients would accomplish this. It would also serve to "hide"
the radius attributes that are all sent clear-text (making MitM and
sniffing attacks significantly more difficult).
Would that be done at the freeradius level, or at the kernel/ip stack
level though... Hmmmm.... I'm intrigued now. :)
> Con: There's no guarantee that anything we can come up with will be
>secure or even useful.
If we could incorporate IPSec support somehow, it'd be interoperable
with anything else that speaks IPSec. :)
-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
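The point Chris makes above, that every RADIUS attribute except User-Password crosses the wire in clear text and that only the shared secret stands between a passive observer and the password, can be seen by building an Access-Request and reading it back without the secret. The following is an added illustration written for this archive page, not code from the thread or from FreeRADIUS; the shared secret, the fixed Request Authenticator and the attribute values are constructed sample data, and the layout follows RFC 2865.

```python
"""Constructed RADIUS Access-Request, read back the way an on-path observer sees it.

Assumptions (not from the thread): a made-up shared secret and a fixed Request
Authenticator so the output is reproducible; attribute layout per RFC 2865.
"""
import hashlib
from typing import Dict, List, Tuple

ACCESS_REQUEST = 1
# Attribute types used here (RFC 2865 section 5)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31
ATTR_NAMES = {USER_NAME: "User-Name", USER_PASSWORD: "User-Password",
              NAS_IP_ADDRESS: "NAS-IP-Address", CALLING_STATION_ID: "Calling-Station-Id"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. This is the only hiding RADIUS applies to any attribute."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # chaining uses the hidden block, not the plaintext
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: whoever holds the shared secret (the proxy,
    the home server, or anyone who obtains it) can read every password it hides."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes,
                         attrs: List[Tuple[int, bytes]]) -> bytes:
    """Header (code, id, length, authenticator) followed by type/length/value attributes."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    length = 20 + len(body)
    return bytes([ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big") + authenticator + body


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Decode the header and walk the attribute TLVs; no secret is needed for this."""
    code, identifier = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length field")
    authenticator = pkt[4:20]
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, identifier, authenticator, attrs


def observer_view(pkt: bytes) -> Dict[str, str]:
    """What a passive sniffer between NAS, proxy and home server learns without the secret."""
    _, _, _, attrs = parse_packet(pkt)
    view = {}
    for t, v in attrs:
        name = ATTR_NAMES.get(t, f"Attr-{t}")
        if t == USER_PASSWORD:
            view[name] = f"<hidden, {len(v)} bytes>"
        elif t == NAS_IP_ADDRESS:
            view[name] = ".".join(str(b) for b in v)
        else:
            view[name] = v.decode("ascii", "replace")
    return view


# Constructed sample; a real Request Authenticator is 16 random bytes per request
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))
SAMPLE = build_access_request(7, AUTHENTICATOR, [
    (USER_NAME, b"alice@example.net"),
    (USER_PASSWORD, hide_password(b"correct horse", SECRET, AUTHENTICATOR)),
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
])

if __name__ == "__main__":
    for name, value in observer_view(SAMPLE).items():
        print(f"{name:20s} {value}")
```

Running it prints the user name, NAS address and calling station in the clear and only the password as an opaque blob, which is exactly the exposure an IPsec tunnel between proxy and home server (or any other transport protection, rather than a FreeRADIUS-only scheme) would remove from a third-party network path. The parser also rejects a truncated packet, since the length field no longer matches the datagram.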