MD5 is broken.
Thanks for the public service announcement.
Pleasure!
Do you seriously think the IETF, and the people responsible for RADIUS
protocol evolution, aren't aware of this?
Seriously, what would you like us to do exactly? Travel back in time
to the mid 1990s and re-do the first RADIUS implementations with
end-to-end pluggable crypto, and at the same time arrange for the
Wassenaar agreement to be revoked?
If you want better security than that provided by the shared secret,
you're free to arrange it between your NAS and your radius server.
Some places use IPSec for this purpose, or things like OpenVPN.
Up until yesterday, I wasn't aware that the only way AP/NAS can
communicate with the RADIUS is via an unencrypted channel. That's fair
enough, I suppose; once I know what I am up against I will take the
appropriate actions/measures to mitigate the possible security
implications and reduce the risks, if I can. I wasn't making a "public
announcement"; it was merely an observation - stop being so precious!
HOWEVER - before you do that, and before you make any more
announcements on how insecure RADIUS is, perhaps you could actually
put some time and effort into understanding the protocol. You are
missing two critical bits of info:
[...]
Is the shared secret ideal? No. Is RADSEC better? Yes. Do any NAS
vendors support it? No. Can we afford to stop using RADIUS? No.
Thank you - if I knew where to look for this information, I would have
done it ages ago.
The question is - how do I specify the CA, CA2, server certificate/key
and server certificate/key second pair (for phase two) in RADIUS?
Specify two different instances of the eap module. There is an example
of this in the default configs in recent 2.1.x versions - see
raddb/modules/inner-eap. Once you've done that, use the 2nd module
inside your inner-tunnel, like so:
Thanks again, I wasn't aware that I could have inner/different
instances. Apart from the various, rather scattered, files with sample
configuration examples, is there a more comprehensive manual which
includes (and explains) all these options? I'd rather read those than
rely on jamooks like DeCock to explain it all to me (or not, as may be
the case here).
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
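For readers following the "two instances of the eap module" suggestion in the reply above, here is an added illustration of what that layout looks like in FreeRADIUS 2.1.x. It is not a snippet from the thread, and the file names for the certificates, keys and CAs are placeholders; the shipped raddb/modules/inner-eap file is the authoritative template and should be compared against this before use.

```conf
# Added illustration, not from the thread: one EAP instance per TLS phase.
# Certificate, key and CA file names below are placeholders.

# raddb/eap.conf -- the outer (phase one) instance, named "eap".
# Its "tls" section carries the first server certificate/key pair and
# the first CA; PEAP hands the inner authentication to "inner-tunnel".
eap {
	default_eap_type = peap
	tls {
		certificate_file = ${certdir}/outer-server.pem     # placeholder
		private_key_file = ${certdir}/outer-server.key     # placeholder
		CA_file          = ${cadir}/outer-ca.pem           # first CA
		dh_file          = ${certdir}/dh
		random_file      = /dev/urandom
	}
	peap {
		default_eap_type = mschapv2
		virtual_server   = "inner-tunnel"
	}
}

# raddb/modules/inner-eap -- a second instance of the same module,
# named "inner-eap", with its own certificate/key pair and second CA.
# Module syntax is "<module> <instance-name> { ... }".
eap inner-eap {
	default_eap_type = tls
	tls {
		certificate_file = ${certdir}/inner-server.pem     # placeholder
		private_key_file = ${certdir}/inner-server.key     # placeholder
		CA_file          = ${cadir}/inner-ca.pem           # second CA (CA2)
		dh_file          = ${certdir}/dh
		random_file      = /dev/urandom
	}
}

# raddb/sites-available/inner-tunnel -- reference the second instance
# where the default configuration references plain "eap".
server inner-tunnel {
	authorize {
		inner-eap {
			ok = return
		}
		files
	}
	authenticate {
		# A bare module name here is shorthand for
		# "Auth-Type inner-eap { inner-eap }", which matches the
		# Auth-Type the inner-eap instance sets during authorize.
		inner-eap
	}
}
```

The practical point is that the outer and inner TLS handshakes are validated against separate trust anchors: the first CA only ever vouches for the phase-one server identity, and the second CA is what the supplicant checks inside the tunnel. Because a wrong or missing CA_file on either instance shows up as a handshake failure rather than a silent fallback, `radiusd -X` on the server is the quickest way to confirm each phase is using the intended pair.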