If you've got sufficient control over CPE and CPE is all sufficiently
capable, you should be doing EAP-TLS authentication anyway. If CPE is
compromised, you can simply reflash, replace the credentials, and revoke
the old ones.
On 9/20/2011 04:18, Raz Muhammad wrote:
Hi,
We are successfully running the following version on our network for
our DSL users.
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
FreeRADIUS was compiled with MySQL and radcheck is used for
authentication along with other relevant tables.
We recently had a scenario where security of a CPE is a concern, and
using PPP authentication is not enough. Someone suggested using
router's MAC address along with PPP username/password authentication.
But this method would rely on getting the router MAC address during
the PPP negotiation, and it might be coming via the calling-station-id
attribute. Some suggestions are about using EAP and certificates on the
router.
I would like to find out what would be the best way to go for extra
layer of authentication-based security while using FreeRADIUS, and how
can that be done with MySQL?
Regards
Raz
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html