On Tue, May 4, 2010 at 12:57 AM, Sharad Birmiwal <[email protected]> wrote:
>>> Radius is generally used for 802.1x authentications, which does not
>>> seem to be relevant in any way to authentication for a web service.
>>
>> You see chance, I see cause ....
>> a Lightweight Kerberos... a small tilt in the tale .. will bring the light.
>> Jan 1, 2011 lets hope the day will bring your mail in your 'box' only.
>
> http://en.wikipedia.org/wiki/RADIUS#Security_2
>
> The way I understand things is that RADIUS does not offer encryption
> (for payload or bulk of data). That's where this conversation started
> from (http/https). It is used for authorization (in our context). That
> means validating whether the given username/password are correct or
> not.
>
> RADIUS can be (is?) used for authenticating and accounting say for
> users who connect to a wireless service. Again, it does not manage
> encryption of the traffic afterwards.
>
> As Nitesh suggested earlier, TLS might be better supported for what
> you want -- I don't know anything about TLS but I am guessing what
> Nitesh meant was that in TLS, both server and client negotiate which
> encryption standard they want to use (much like ssh).

Exactly. During the negotiation phase, the client sends a list of cipher
specs that are supported by the client, with the client's first preference
first. For the list of cipher suites that are defined by the standard, visit
http://tools.ietf.org/html/rfc2246#appendix-A.5

The server replies with an acceptable cipher suite, from the ones that the
client has sent, otherwise sends a failure message.

For details: http://tools.ietf.org/html/rfc2246

And BTW, the MAC address (which is used by radius for authentication, the so
called hardware), is a link layer thingie, which has no significance beyond
your router.

Cheers
Nitesh Mor

>
> SB
>
--
l...@iitd - http://tinyurl.com/ycueutm
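
The negotiation described in the reply above, as an added example that is not part of the original thread: it parses the cipher_suites vector out of a constructed TLS 1.0 ClientHello body (RFC 2246 section 7.4.1.2) and makes the server's choice. The function names, the sample hello and the policy of honouring the client's preference order are assumptions of this sketch.

```python
import struct

# A few suite codes from RFC 2246 appendix A.5
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
}
HANDSHAKE_FAILURE = 40  # alert description sent when nothing is acceptable

def build_client_hello(suites, session_id=b""):
    """Build a ClientHello body for the demo (constructed sample data)."""
    body = b"\x03\x01"                          # client_version: TLS 1.0
    body += bytes(32)                           # random, zeroed for the demo
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites))  # vector length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    return body + b"\x01\x00"                   # one compression method: null

def parse_cipher_suites(hello):
    """Return the offered suite codes, in the client's preference order."""
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    pos = 35 + hello[34]                        # skip version, random, session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    if n == 0 or n % 2 or pos + n > len(hello):
        raise ValueError("bad cipher_suites vector")
    return list(struct.unpack_from("!%dH" % (n // 2), hello, pos))

def server_select(hello, server_supported):
    """Pick the first client-preferred suite the server accepts, else alert."""
    for code in parse_cipher_suites(hello):
        if code in server_supported:
            return ("server_hello", code)
    return ("alert", HANDSHAKE_FAILURE)

if __name__ == "__main__":
    hello = build_client_hello([0x0016, 0x000A, 0x0004])
    kind, code = server_select(hello, {0x000A, 0x0004})
    print(kind, SUITES.get(code, code))
    print(server_select(hello, {0x0005}))
```
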
