Hello Everybody,

We are dealing with security problems of RADIUS in a proxy chaining setup where end-to-end security is missing. According to RFC 2607 (Proxy Chaining and Policy Implementation in Roaming), the following are the security threats:

- Message editing
- Attribute editing
- Theft of passwords
- Theft and modification of accounting data
- Replay attacks
- Connection hijacking
- Fraudulent accounting

We are particularly interested in solving the problem of theft of passwords. Our idea is based on the assumption that each remote or home RADIUS server will have its own key pair (public and private key). Whenever a user is in some other domain, the user will encrypt its password with the public key of its home RADIUS server and send it to the NAS of the visited domain, which will further encrypt it and send it to its RADIUS server, which will forward it to the remote RADIUS server. Upon receiving the Access-Request, the remote RADIUS server as a first step decrypts the password field with the shared secret between itself and the proxy RADIUS server residing one hop before the remote server. Finally the remote server decrypts the password field with its private key. Now the password is in clear text for authentication. The advantage of this scheme is that the proxy RADIUS server cannot see the password in clear text.

We are planning to implement this feature. I would like to hear feedback and comments on this scheme. Is there any other way to overcome the theft of password threat?

Thanks in advance.

Tahseen

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
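The relay described in the post, worked through as an added Python example (this is not code from the poster or from FreeRADIUS). It implements the real RFC 2865 section 5.2 User-Password hiding that every RADIUS hop applies with its shared secret, and walks a password NAS -> proxy -> home server twice: once as RADIUS does it today, once with the password first encrypted to the home server's public key as the post proposes. The shared secrets, Request Authenticators and password are constructed for the example; the public-key layer is a deliberately tiny textbook RSA built from two fixed Mersenne primes, standing in for a real scheme such as RSA-OAEP, and the function names (`hide_user_password`, `encrypt_for_home`, `relay_access_request`, and so on) are mine.

```python
import hashlib
import os

# --- RFC 2865 section 5.2 User-Password hiding (hop-by-hop, shared secret) ---

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obscure a User-Password value for one RADIUS hop.

    The value is null-padded to a multiple of 16 octets (minimum 16), then each
    16-octet block is XORed with MD5(secret + previous ciphertext block); the
    16-octet Request Authenticator serves as the first 'previous block'.
    """
    if len(password) > 128:
        raise ValueError("User-Password value is limited to 128 octets (RFC 2865)")
    padded = password + b"\x00" * max(16 - len(password), (-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_user_password(). Returns the still null-padded value; the
    receiver strips padding according to the format it expects."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out

# --- Toy public-key layer for the home server (assumption: stands in for RSA-OAEP) ---
# Fixed Mersenne primes keep the example self-contained. The modulus is far too
# small for real use and there is no proper padding, only a random nonce prefix
# so that two encryptions of the same password never yield the same ciphertext.
_P, _Q = (1 << 107) - 1, (1 << 127) - 1
HOME_N = _P * _Q                      # public modulus of the home RADIUS server
HOME_E = 65537                        # public exponent
_HOME_D = pow(HOME_E, -1, (_P - 1) * (_Q - 1))   # private exponent (home only)
_NONCE_LEN = 8
_CT_LEN = (HOME_N.bit_length() + 7) // 8         # 30 octets, fits in User-Password

def encrypt_for_home(password: bytes) -> bytes:
    """Client side: 0x01 || random nonce || password, as an integer, to the e-th power."""
    if len(password) > _CT_LEN - 2 - _NONCE_LEN:
        raise ValueError("password too long for the toy modulus")
    m = int.from_bytes(b"\x01" + os.urandom(_NONCE_LEN) + password, "big")
    return pow(m, HOME_E, HOME_N).to_bytes(_CT_LEN, "big")

def decrypt_at_home(ciphertext: bytes) -> bytes:
    """Home server side: undo the exponentiation and drop the 0x01 marker and nonce."""
    raw = pow(int.from_bytes(ciphertext, "big"), _HOME_D, HOME_N).to_bytes(_CT_LEN, "big")
    return raw[raw.index(b"\x01") + 1 + _NONCE_LEN:]

# --- The relay: NAS -> proxy RADIUS -> home (remote) RADIUS ---

def relay_access_request(user_password: bytes, end_to_end: bool):
    """Walk a User-Password through the chain.

    Returns (value the proxy recovers after unhiding hop 1, password the home
    server finally obtains). Secrets and authenticators are constructed here.
    """
    secret_nas_proxy = b"nas-proxy-secret"      # constructed
    secret_proxy_home = b"proxy-home-secret"    # constructed
    # What the NAS places into User-Password: the cleartext as RADIUS does
    # today, or the home-server ciphertext under the proposed scheme.
    value = encrypt_for_home(user_password) if end_to_end else user_password

    # Hop 1: NAS -> proxy, hidden with the NAS/proxy shared secret.
    auth1 = os.urandom(16)
    hop1 = hide_user_password(value, secret_nas_proxy, auth1)

    # Proxy: has to unhide with secret 1 and re-hide with secret 2 to forward,
    # so whatever the NAS put in the attribute is visible to it at this point.
    seen_by_proxy = unhide_user_password(hop1, secret_nas_proxy, auth1)
    auth2 = os.urandom(16)
    hop2 = hide_user_password(seen_by_proxy, secret_proxy_home, auth2)

    # Home server: unhide with secret 2, then (scheme) decrypt with the private key.
    at_home = unhide_user_password(hop2, secret_proxy_home, auth2)
    if end_to_end:
        return seen_by_proxy, decrypt_at_home(at_home[:_CT_LEN])
    return seen_by_proxy, at_home.rstrip(b"\x00")

if __name__ == "__main__":
    for mode in (False, True):
        seen, got = relay_access_request(b"hunter2", end_to_end=mode)
        print("end_to_end=%s proxy sees %r, home gets %r" % (mode, seen, got))
```

Two points the walk-through makes concrete. First, the hop-by-hop hiding gives the proxy no choice but to recover the attribute value, which is exactly why the post's threat exists; the extra layer only helps because the proxy never holds the home server's private key. Second, the nonce in `encrypt_for_home` is not decoration: the home server's public key is public by design, so a deterministic encryption would let anyone on the path confirm guesses of a low-entropy password against the ciphertext, which is why a real deployment would use randomized padding such as OAEP. A practical limit to keep in mind when implementing this is the User-Password attribute itself, whose value RFC 2865 caps at 128 octets, so the public-key ciphertext has to fit in that space (a 1024-bit RSA modulus produces exactly 128 octets).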