Sebastien Chapiron wrote: > I'm trying to setup a radius server in order to authenticate users from > OpenVPN and I am therefore using the libpam-radius-auth plugin (on > Ubuntu 9.10). > Since the RADIUS requests that this lib sends are using PAP (as far as I > can tell from the freeradius debug output), i was wondering whether it > would be possible to send EAP message using libpam-radius-auth (or at > least [MS]CHAP) ?
Not at this time. > I don't even know if it makes sense since EAP messages > are in theory sent between the radius server and the access client (not > the radius client as libpam-radius-auth enables a host to be). > The point is that i don't quite like my users' password (connected via > OpenVPN) to be weakly encrypted by the shared secret between the radius > client and server That's how RADIUS works. I would suggest using a secure network to connect the RADIUS client and server. > and even worse, visible as plain-text in FR debug output. That's how RADIUS works. Anyone having root on that machine can decode the passwords. Anyone running the server in debugging mode can see the passwords. MS-CHAP won't help. Your passwords are either stored in clear-text in the database (which means someone can read them), or they're hashed, which means (pretty much) that only PAP will work. > P.S: using IPSec to secure the channel between the radius client and > server is too much pain in the ass to be considered as a viable > solution. I'm not *that* paranoid ! <shrug> Using a real cryptographic protocol to secure network communications is the only way to have a secure network. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
