Thanks Alan,
At the moment we have restricted the accounting data to a layer 2 VPLS
segment however I'll investigate the use of IPSEC as well to let those that
worry about these things sleep better at night.
n
On Tue, Aug 10, 2010 at 3:53 AM, Alan Buxey wrote:
> Hi,
>
> > My thinking was to us
Hi,
> My thinking was to use radsecproxy->freeradius (my nas, coova, supports
> radsec).
>
> Any comments on ipsec vs radsec?
RADIUS with TLS over TCP (what some define as 'RADSec') is good. Can't wait
until all mainstream RADIUS servers support it natively. Until then,
RADSecproxy will do
w
On 2010/08/09 11:14 PM, Alan DeKok wrote:
The accounting data is sent in the clear on a LAN. This shouldn't be
a problem.
If you're sending accounting data across the Internet, use IPSec.
Don't even pretend to use anything else. RADIUS (and TACACS+) security
is simply not as good as IPSe
Natr Brazell wrote:
> Wasn't suggesting I'd use TACACS+. I am in the process of replacing my
> customers existing TACACS+ architecture however they keep coming back to
> the ability of TACACS+ over Radius to secure, or rather, not send
> accounting data across the network in the clear. (I assume
:)
Wasn't suggesting I'd use TACACS+. I am in the process of replacing my
customers existing TACACS+ architecture however they keep coming back to the
ability of TACACS+ over Radius to secure, or rather, not send accounting
data across the network in the clear. (I assume this is the case) I thi
We would be stuck with static weak security built in to RADIUS just like
TACACS uses.
There are options for securely tunneling RADIUS packets that weren't
available in the early years. Secure tunneling doesn't require changes
to the RADIUS protocol. The EAP-TLS extension alone has made most of
Curious why we're fortunate? Could you elaborate some?
On Sun, Aug 8, 2010 at 10:01 PM, Michael Lecuyer wrote:
> TACACS+ uses an MD5 pad based on the session ID, shared secret, TACACS+
> version, and packet sequence number. This is XOR'd over the packet. The pad
> is in multiples of the MD5 ha
TACACS+ uses an MD5 pad based on the session ID, shared secret, TACACS+
version, and packet sequence number. This is XOR'd over the packet. The
pad is in multiples of the MD5 hash length.
The header is sent plain text and includes the sequence number, the
session ID and version number.
Enco
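The pad construction described in the message above, as an added example that is not part of any post in this thread. The field widths, the header layout and the chaining of each MD5 block into the next follow RFC 8907, which the thread does not cite; the key, session ID and body are constructed sample values.

```python
import hashlib
import struct

# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")

def tacacs_pad(session_id, key, version, seq_no, length):
    """MD5 pad: each 16-byte block hashes the seed plus the previous block."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]  # built in multiples of 16 bytes, trimmed to the body

def xor_body(body, session_id, key, version, seq_no):
    """XOR is its own inverse, so this both obfuscates and recovers a body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, key, body, version=0xC0):
    """Cleartext header followed by the XOR-obfuscated body."""
    header = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)

def read_header(packet):
    """Fields readable on the wire without the shared secret."""
    names = ("version", "type", "seq_no", "flags", "session_id", "length")
    return dict(zip(names, HEADER.unpack(packet[:HEADER.size])))

def read_body(packet, key):
    """Recover the body using the header fields and the shared secret."""
    h = read_header(packet)
    body = packet[HEADER.size:HEADER.size + h["length"]]
    return xor_body(body, h["session_id"], key, h["version"], h["seq_no"])

# Constructed sample values, not taken from the thread.
KEY = b"constructed-shared-secret"
BODY = b"constructed accounting record: user=alice cmd=show version"
PACKET = build_packet(0x03, 1, 0x1A2B3C4D, KEY, BODY)  # 0x03 = accounting

if __name__ == "__main__":
    print(read_header(PACKET))          # visible to any observer
    print(PACKET[HEADER.size:].hex())   # obfuscated body
    print(read_body(PACKET, KEY))       # recovered with the shared secret
```

Every input to the pad except the shared secret travels in the cleartext header, so the confidentiality of the body rests entirely on that secret.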
Thanks,
I'm looking into IPSEC at the moment. I'm curious how TACACS+ does their
encryption?
N
On Fri, Aug 6, 2010 at 4:09 PM, Alan DeKok wrote:
> Natr Brazell wrote:
> > Is there a way to secure the communication between the radius server and
> > the NAS especially wrt accounting data?
>
> I
Natr Brazell wrote:
> Is there a way to secure the communication between the radius server and
> the NAS especially wrt accounting data?
IPSec.
Most NASes implement IPv4, and not much else. "Security" means "don't
run RADIUS over a network where users have access".
Alan DeKok.
On Aug 6, 2010, at 12:32 PM, Natr Brazell wrote:
> Is there a way to secure the communication between the radius server and the
> NAS especially wrt accounting data?
I assume RADSEC will handle Accounting data too, but it's only a draft
currently. IPSec? Create tunnels between the NAS and the
Is there a way to secure the communication between the radius server and the
NAS especially wrt accounting data?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html