On Feb 18, 2008 12:32 PM, <[EMAIL PROTECTED]> wrote:
> Hi,
>
> cleartext? not really. the proxied traffic will be at least
> encapsulated via a shared secret between each RADIUS end point.

This regards EAP-TLS: I meant that at least the username is shown, and you can get additional information reading the attribute values. Other than that, everything else seems useless, but I just say the conversation is not completely encapsulated, if that's what you mean. Anyways, I'm not worried.

snip

> would give greater security. however, EAP-TLS is the de facto
> top-level way of doing it. platinum service, as it were - but
> you've got to have a full PKI infrastructure for creation,
> deployment and revocation.

We have our PKI, we routinely revoke certificates and distribute the CRL. This happens not without our share of anality, taken care of by scripts (written with my blood, over human skin) that restart radiusd and check that everything is still working fine, including the event of an expired/invalid CRL or an out-of-service PKI.

So, if there is any configuration option to encapsulate the full UDP payload without revealing anything, I'm more than glad to hear something about it, because I must admit ignorance regarding this particular matter. If there isn't one, never mind, it just means I misunderstood.

> looking to the future, RADSEC will be involved in 'beefing up'
> the RADIUS to RADIUS communication channel. as well as the
> automatic assignment/discovery of AAA end point systems.

seems interesting

bye!

Inverse

--
"In a sea of glass shards, I hear you screaming" --icchan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
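The point the two posters are circling, that a RADIUS shared secret does not encrypt the UDP payload but only hides the User-Password attribute (and lets each hop check the packet authenticator), can be made concrete by building an Access-Request the way RFC 2865 describes and then reading the attributes back as any observer of the wire could. The code below is an added illustration and is not part of the thread or of FreeRADIUS; the secret, username, password and fixed Request Authenticator are constructed values, and the password-hiding routine follows RFC 2865 section 5.2 (MD5 of secret plus previous block, XORed into 16-byte chunks).

```python
"""Constructed RADIUS Access-Request (RFC 2865) showing which attributes the
shared secret protects. Example values only; nothing here is a real deployment."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1          # attribute type 1, sent in the clear
USER_PASSWORD = 2      # attribute type 2, hidden with the shared secret


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), where the first 'previous block' is the
    16-byte Request Authenticator."""
    padded_len = ((len(password) + 15) // 16) * 16 or 16
    padded = password.ljust(padded_len, b"\x00")
    out = bytearray()
    prev = authenticator
    for i in range(0, padded_len, 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk  # chaining: next mask depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; a hop that knows the secret recovers the
    password, anyone else gets unrelated bytes."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 0, authenticator: bytes = b"") -> bytes:
    """Assemble header + Request Authenticator + attributes as a NAS or proxy would."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list exactly as a passive observer of the UDP
    payload could; no secret is needed for this step."""
    attrs = {}
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def exposure_report(packet: bytes, secret: bytes) -> dict:
    """Summarise what the wire shows with and without the shared secret."""
    attrs = parse_attributes(packet)
    authenticator = packet[4:20]
    return {
        "username_visible": attrs[USER_NAME].decode(),
        "password_with_secret": reveal_password(attrs[USER_PASSWORD], secret, authenticator),
        "password_without_secret": reveal_password(attrs[USER_PASSWORD], b"guess", authenticator),
    }


if __name__ == "__main__":
    # Constructed inputs; the fixed authenticator just makes the run repeatable.
    pkt = build_access_request(b"alice@example.org", b"s3cret-pw", b"testing123",
                               authenticator=bytes(range(16)))
    print(exposure_report(pkt, b"testing123"))
```

Running it shows the username (and any other attribute values) readable straight out of the datagram, while the password only comes back intact for a holder of the secret. Between proxies the same rule applies hop by hop: each RADIUS hop sees every attribute in the clear and re-hides only User-Password under its own secret, which is the gap RADSEC (RADIUS over TLS) closes by wrapping the whole exchange.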

