I asked a similar question a while back. There is some basic encryption on the password (using the shared secret as a key). However, the rest of the details (username, phone number) are all transmitted in plaintext.
And the encryption on the password is very weak. Search for a program called radsniff if you want to see exactly how weak.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St
Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing."
Agent Smith - The Matrix

----- Original Message -----
From: "Ilguiz Latypov" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 16, 2002 10:34 AM
Subject: Re: promiscuous authentication

>
> I agree that promiscuous authentication is not how FreeRadius was supposed
> to work. Sorry for not reading the documentation first. I thought that
> communication between Radius clients and servers is secure by design. Is
> this not always true?
>
> Ilguiz
>
> On Mon, 15 Jul 2002, Alan DeKok wrote:
>
> > > Is this a good idea to allow testing of a given user name/password pair
> > > from anywhere in internet?
> >
> > I would say no. I'm not sure why it would be necessary, and it's a
> > bad idea to expose a RADIUS server to anyone's traffic.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
