> From the security point of view it would be easier to launch some type of
> non-repudiation attack without the need of spoofing, I think. The shared
> secret can easily be recovered by sniffing some RADIUS traffic and decrypting
> it. I think this is even mentioned in the RFC.
So removing one lock and only leaving an insecure lock isn't a good idea I
think...

Rgds Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcin Jessa
Sent: Friday, 15 July 2005 13:10
To: FreeRadius users mailing list
Cc: [EMAIL PROTECTED]
Subject: Re: Allowing any NAS to connect to my radiusd.

On Fri, 15 Jul 2005 11:42:57 +0100
"Guy Davies" <[EMAIL PROTECTED]> wrote:

> Hi Marcin,
> 
> You can create a subnet in clients.conf (e.g. 10.10.10.0/24) that can
> use the same key.  I think that doing 0.0.0.0/0 would be a very bad plan
> since it only requires that an attacker know the shared key to be able
> to send valid requests.  Since all your devices are matched by a single
> entry then *all* your devices by definition must use the same key 
Good point, they'd need the same key.

>and it
> becomes more likely that the knowledge of that key will "get out" and
> you'll have the tedious task (if you even notice) of changing the secret
> key on every single NAS.
> 
> If you can constrain it to a small subnet, then that's slightly better
> (although still somewhat risky).
> 
> The best method is to have individual clients listed with *unique* keys
> per client (yes, I know this is a real pain but if you want security
> this is about the best you can do with the limited security afforded by
> the shared key).

I know how things work, I was just wondering about the approach since that
would make some things easier for me.
What other risks does one run when others can query your radiusd?
I don't think dictionary checks are that useful since passwords and usernames are
all pretty long and use special characters.
Could this have a more serious impact on the server like DoS or such?

 
> Rgds,
> 
> Guy
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On 
> > Behalf Of Marcin Jessa
> > Sent: 15 July 2005 11:29
> > To: FreeRadius
> > Subject: Allowing any NAS to connect to my radiusd.
> > 
> > 
> > Hi.
> > 
> > I would like to allow any NAS IP to connect to my radius 
> > server restricting connections from NAS only with shared 
> > secret - username and password. Is it possible to use 0.0.0.0 
> > or ANY in clients.conf/SQL nas table ? What are the security 
> > issues having an open setup like that ?
> > 
> > Cheers
> > Marcin Jessa.
> > - 
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/users.html
> > 
> 
> 
> 
> 
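Guy's advice above is to avoid 0.0.0.0/0 and shared subnets in clients.conf and to give every NAS its own entry with a unique secret. As an added example (not code from the list posts or from FreeRADIUS), the following Python audit flags exactly those patterns in a clients.conf, run over a constructed sample; the 16-character minimum is an assumed local policy, and the parser assumes flat client blocks without nested sections.

```python
"""Audit a FreeRADIUS clients.conf for the risks raised in the thread (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a catch-all client, a subnet client sharing its secret, one good entry.
SAMPLE_CLIENTS_CONF = """
client anything {
    ipaddr = 0.0.0.0/0
    secret = testing123
}
client nas-lab {
    ipaddr = 10.10.10.0/24
    secret = testing123
}
client nas-core2 {
    ipaddr = 192.0.2.11
    secret = Xq7!vLp2#mR9$kWe4^tZ
}
"""

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{([^}]*)\}", re.S)  # assumes flat blocks
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)
MIN_SECRET_LEN = 16  # assumed local policy, not a FreeRADIUS default


def parse_clients(text):
    """Return {client_name: {key: value}} for every client { ... } block."""
    return {name: dict(KV_RE.findall(body)) for name, body in BLOCK_RE.findall(text)}


def audit_clients(text):
    """Return (client, finding) pairs: wildcard/subnet scope, short or reused secrets."""
    findings, by_secret = [], defaultdict(list)
    for name, attrs in parse_clients(text).items():
        net = ipaddress.ip_network(attrs.get("ipaddr", "0.0.0.0/0"), strict=False)
        secret = attrs.get("secret", "")
        by_secret[secret].append(name)
        if net.prefixlen == 0:
            findings.append((name, "wildcard ipaddr: any host knowing the secret is a valid NAS"))
        elif net.num_addresses > 1:
            findings.append((name, f"subnet {net}: every host in it shares one secret"))
        if len(secret) < MIN_SECRET_LEN:
            findings.append((name, f"secret shorter than {MIN_SECRET_LEN} characters"))
    # One secret on several entries: a single leak means re-keying all of them.
    for names in by_secret.values():
        if len(names) > 1:
            findings.append((",".join(sorted(names)), "same secret reused across clients"))
    return findings
```

Calling `audit_clients(SAMPLE_CLIENTS_CONF)` reports the wildcard client, the /24 client, the two short secrets and the secret shared between them, while the single-host entry with its own long secret produces no finding.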