Hi,

> 2. what is the best way to have encrypted transport
> and encrypted passwords?
It depends on what you mean by encryption. Of course you can encrypt stuff by some symmetric encryption method and store the key to get the cleartext from the encrypted text somewhere (e.g. radius secrets), but that essentially means the password is protected just by another password, which is somewhat pointless. So, the term "encrypted" password as it's used in normal conversation is just misleading. It normally really means "something which allows you to check correctness of the password, but doesn't allow you to get back to the password, no matter what". Typically, it's a hashed password or a challenge-response protocol or something similar, _not_ an encrypted password.

In that sense, you can have _either_ encrypted transport (i.e. the server sends a challenge and the client encrypts the challenge using the password as encryption key), then the server needs to know the password to verify the correctness ((MS-)CHAP protocols). _Or_ you can transfer the password ("unencrypted" transport) and let the server check that it can be hashed to the correct value (PAP protocol).

However, you cannot avoid the need to _either_ actually transfer the password in every authentication _or_ have the server always know the password. Of course, if you decide to transfer the password, you can add some protection such that not everybody sniffing the conversation can immediately read it (that's what the radius secret is used for in the conversation between AP and radius server; the conversation between client and AP is the more vulnerable part, though). And just the same, if you decide to store it on the server, you can add some protection such that not everybody sniffing on your local network can easily read it (e.g. putting it on a local disk instead of transporting it via NFS/Samba/whatever, or putting it in an encrypted file, or putting it in a file readable by root only, and whatever else you can come up with).

Regards,
Stefan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
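The two alternatives Stefan lays out, worked through as an added example (this is not code from the post or from FreeRADIUS). Option A is CHAP as specified in RFC 1994 (MD5 variant): the server recomputes the response and therefore needs the cleartext password. Option B is PAP against a one-way hash in the store; PBKDF2-HMAC-SHA256 with a random salt is my choice of hash here, not something the post prescribes. The example also goes one step beyond the text and implements the RFC 2865 section 5.2 User-Password hiding that the radius secret provides on the AP-to-server leg, to show that anyone holding that secret unhides the password again. All passwords, secrets and the 16-byte Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import os


# Option A: CHAP (RFC 1994, MD5 variant). The password itself never crosses
# the wire, so the server must hold the cleartext to recompute the response.
def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, stored_cleartext: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Server side. Note the input: the cleartext password, not a hash of it."""
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


# Option B: PAP. The password crosses the wire, so the server only needs a
# one-way hash of it (assumption: PBKDF2-HMAC-SHA256, random 16-byte salt).
PBKDF2_ROUNDS = 200_000


def pap_store(password: bytes) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def pap_verify(stored: tuple[bytes, bytes], presented: bytes) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", presented, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


# The protection on the NAS-to-RADIUS leg: RFC 2865 section 5.2 User-Password
# hiding. Pad to a multiple of 16, then XOR each block with
# MD5(secret || previous ciphertext block); the first "previous block" is the
# Request Authenticator. Anyone who knows the shared secret reverses it.
def radius_hide_password(password: bytes, secret: bytes,
                         request_authenticator: bytes) -> bytes:
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def radius_unhide_password(hidden: bytes, secret: bytes,
                           request_authenticator: bytes) -> bytes:
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    # RFC 2865 pads with NULs and carries no length, so trailing NULs that are
    # really part of the password cannot be told apart from padding.
    return bytes(out).rstrip(b"\x00")


def demo() -> dict:
    """Run both options with constructed sample values and report outcomes."""
    password = b"correct horse battery"      # constructed sample, 21 octets
    challenge, ident = os.urandom(16), 0x2A

    # Option A: verification works only because the server has the cleartext.
    resp = chap_response(ident, password, challenge)
    chap_ok = chap_verify(ident, password, challenge, resp)
    chap_bad = chap_verify(ident, b"wrong", challenge, resp)

    # Option B: server holds a salted hash; the client must send the password.
    stored = pap_store(password)
    pap_ok, pap_bad = pap_verify(stored, password), pap_verify(stored, b"wrong")

    # Radius secret hides the password from a passive sniffer, but not from
    # anyone who also knows that secret ("protected by another password").
    secret, req_auth = b"testing123", os.urandom(16)   # constructed samples
    hidden = radius_hide_password(password, secret, req_auth)
    recovered = radius_unhide_password(hidden, secret, req_auth)
    garbage = radius_unhide_password(hidden, b"othersecret", req_auth)

    return {
        "chap_ok": chap_ok, "chap_bad": chap_bad,
        "pap_ok": pap_ok, "pap_bad": pap_bad,
        "hidden_len": len(hidden),
        "sniffer_with_secret_recovers": recovered == password,
        "wrong_secret_recovers": garbage == password,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it directly to see both verifications succeed and fail as expected, with the 21-octet sample password hidden as 32 octets on the RADIUS leg and recovered intact by anyone holding the shared secret. The `rstrip` caveat in `radius_unhide_password` is the reason real servers cannot reliably accept passwords ending in NUL bytes over PAP.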