Hi,

> These passwords are the ones I think should be protected since they are 
> usually long-term and sensitive. Migrating every NAS to Active Directory 
> defeats the separation of system administration from network administration, 
> each time a new NAS has to be configured you would have a system admin create 
> it for you under the correct OU and he would be the one to manage it in the 
> future. If you want to have an AAA server for network admins only, you'd have 
> to keep the passwords in cleartext.

...so... you're talking about the shared secret password? How people deploy their RADIUS server is down to them - but in most cases it's the network team that runs the RADIUS server (from what I've seen) with the system admin looking after the OS.... As for 'defeating the separation' - hello? It's 2015 - we're all supposed to be working together and avoiding living in silos... all unified and not a tribal thing (indeed, virtualisation systems such as VMware and Hyper-V are defeating you too - the system admins now look after their network....)

> Assuming you kept all NAS credentials on the server (unencrypted), you would 
> in fact be providing any user with local admin on the server permission to 
> access credentials which shouldn't concern them. I'd imagine in this day and 
> age that big companies would want something like that mitigated. 

Don't let people onto the system who shouldn't be on there. The people going on there know the shared secret anyway.

> I'm interested in hearing if other users feel that these security measures 
> are a worthy enhancement for future versions. At the very least it would help 
> to be less dependent on existing system architecture for securing credentials.

If other servers didn't do the same thing, I would think RADIATOR was wrong. But FreeRADIUS and radsecproxy both do too. They expect the admin to be running secure servers (maybe ones not used for ANY other purpose as a minimum).

alan
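The protocol-level reason behind both points above (that a network-admin-only AAA server "would have to keep the passwords in cleartext", and that RADIUS servers "expect the admin to be running secure servers") is that RFC 2865 feeds the shared secret directly into MD5 for every request and reply. The following is an added Python example, not code from this thread, from Radiator, or from FreeRADIUS; it uses a constructed secret, a fixed Request Authenticator and packets without attributes, and shows the Response Authenticator and User-Password operations from RFC 2865 sections 3 and 5.2. A stored hash of the secret would be useless here, because the server must feed the secret itself into MD5 each time it answers a NAS, so protecting the config file and the host is what is left.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; not from the mailing-list thread.
SHARED_SECRET = b"example-nas-secret"          # hypothetical NAS/server shared secret
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2           # RADIUS packet codes (RFC 2865)


def build_packet(code, ident, authenticator, attributes=b""):
    """Serialise the 20-byte RADIUS header (RFC 2865 section 3) plus raw attribute bytes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, ident, request_authenticator, attributes, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    The secret is hashed together with per-packet data, so the server needs the
    secret itself, not a hash of it, every time it answers a request.
    """
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_reply(code, ident, request_authenticator, attributes, secret):
    """Build an Access-Accept/Reject the way a server does: authenticator derived from the secret."""
    auth = response_authenticator(code, ident, request_authenticator, attributes, secret)
    return build_packet(code, ident, auth, attributes)


def verify_reply(reply, request_authenticator, secret):
    """The receiver's check: recompute the Response Authenticator and compare in constant time.

    A reply built with a different secret (or with a hash of the real secret) fails here,
    which is the protocol-level reason the secret must be stored in a recoverable form.
    """
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, request_authenticator, reply[20:], secret)
    return hmac.compare_digest(reply[4:20], expected)


def hide_user_password(password, request_authenticator, secret):
    """User-Password hiding (RFC 2865 section 5.2): pad with NULs to a multiple of 16 octets,
    then XOR each 16-octet block with MD5(secret + previous block), seeded with the
    Request Authenticator. This is what the NAS does before sending the user's password."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_user_password(hidden, request_authenticator, secret):
    """The server side of section 5.2: the same MD5(secret + previous block) stream
    recovers the password, so again the raw secret has to be available on the server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def demo():
    """Round-trip a constructed request/reply and show that a wrong secret is rejected."""
    request_authenticator = bytes(range(16))          # constructed; a real NAS uses random bytes
    hidden = hide_user_password(b"pa55word", request_authenticator, SHARED_SECRET)
    reply = build_reply(ACCESS_ACCEPT, 7, request_authenticator, b"", SHARED_SECRET)
    return {
        "password_recovered": reveal_user_password(hidden, request_authenticator, SHARED_SECRET) == b"pa55word",
        "reply_verifies": verify_reply(reply, request_authenticator, SHARED_SECRET),
        "wrong_secret_rejected": not verify_reply(reply, request_authenticator, b"wrong-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints three `True` values: the server recovers the hidden password only with the raw secret, the reply authenticates, and a reply computed with any other value (including a digest of the real secret) is rejected. That is why the practical controls are the ones Alan describes: restrict who can log in to the RADIUS host, keep the config file readable only by the service account, and run the server on a machine used for nothing else.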
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
