Josh,

Thanks for the reply.

From Josh Howlett <[EMAIL PROTECTED]>
>
> The User-Password attribute is protected to a reasonable degree of
> security if you make the effort to generate (and protect) a "good"
> secret for your RADIUS peers. This generally satisfies the cryptowonks
> in the places I've seen RADIUS deployed.

The problem is that for a large deployment (say, hundreds of client hosts), managing those secrets becomes an issue. If you share secrets, then the compromise of 1 system reveals the secret for all systems sharing it; if you keep individual secrets, you need to track them and make sure the configurations on the machines are right. Administratively, it becomes easier if you could just depend on a negotiated TLS connection.

> Failing that, IPSec with PSK is the next easiest solution.

I wanted to see where the client library rabbit hole would lead me before going to IPSEC or other external tunnelling tools.

Thanks,
Steve
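For readers following the exchange above, here is the User-Password hiding scheme that Josh's point rests on, written out as an added example (it is not code from either poster or from the mailing list). It implements the RFC 2865 section 5.2 construction: the password is padded to a multiple of 16 bytes and each block is XORed with MD5(shared secret + previous ciphertext block), seeded by the 16-byte Request Authenticator. The secret, authenticator and password values are constructed for the demo; `generate_shared_secret` is a helper assumed here for producing a high-entropy per-client secret, not a RADIUS library function.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2).

Added illustration for the mailing-list discussion; not code from the
thread. Shows why the protection of the attribute is exactly as good as
the shared secret (and the randomness of the Request Authenticator).
"""
import hashlib
import secrets

BLOCK = 16  # MD5 digest length; User-Password is processed in 16-byte blocks


def hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Return the obfuscated User-Password value sent on the wire."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes (RFC 2865 limit)")
    # Pad with NULs to a multiple of 16 bytes.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = request_authenticator  # b1 = MD5(S + RA), b_n = MD5(S + c_{n-1})
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(shared_secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password length must be a positive multiple of 16")
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        keystream = hashlib.md5(shared_secret + prev).digest()
        out += bytes(x ^ k for x, k in zip(c, keystream))
        prev = c
    # Strip the NUL padding added by the client.
    return bytes(out).rstrip(b"\x00")


def generate_shared_secret(nbytes: int = 32) -> str:
    """Hypothetical helper: a per-client secret with nbytes of CSPRNG entropy.

    This is the "good" secret the thread refers to; each RADIUS client
    should get its own so one compromise does not expose the others.
    """
    return secrets.token_urlsafe(nbytes)


def demo() -> dict:
    """Round-trip a constructed password and show a wrong secret does not recover it."""
    shared_secret = b"constructed-demo-secret"          # constructed value
    request_authenticator = secrets.token_bytes(BLOCK)  # fresh random RA per request
    password = b"correct horse battery"                 # constructed value
    hidden = hide_password(password, shared_secret, request_authenticator)
    return {
        "wire_length": len(hidden),  # padded: 32 bytes for a 21-byte password
        "round_trip_ok": reveal_password(hidden, shared_secret, request_authenticator) == password,
        "wrong_secret_fails": reveal_password(hidden, b"other-secret", request_authenticator) != password,
    }


if __name__ == "__main__":
    print(demo())
    print("example per-client secret:", generate_shared_secret())
```

Two properties follow directly from the code and are what a defender should take from it: the scheme is a keystream derived only from the shared secret and the Request Authenticator, so a low-entropy secret is the whole weakness, and a client that fails to randomize the Request Authenticator per request reuses the first keystream block. Both are why the thread reaches for TLS or IPsec rather than relying on the attribute hiding alone.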