
List:       freeradius-users
Subject:    Re: [EXT] Multiple NAS clients within same network
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2022-10-04 18:23:14
Message-ID: F1F2ED4E-DD55-4907-94C4-087D4735BDF0 () deployingradius ! com

On Oct 4, 2022, at 1:39 PM, Brian Julin <BJulin@clarku.edu> wrote:
> 
> Alan DeKok <aland@deployingradius.com> wrote:
> > Use RADIUS over TLS.  It solves this problem, and is secure.
> > I have a document which I will be working through the IETF as a new RADIUS
> > standard.  It will officially deprecate RADIUS/UDP, and require TLS transport for
> > most situations. The document will also explain just how bad an idea it is to run
> > RADIUS/UDP over the Internet.  Do you like people breaking all of your security?
> > No?  Then don't run RADIUS/UDP over the Internet.
> 
> That surely cannot be emphasized enough.  It's surprising people do it.

  I just submitted a document to the IETF:

https://datatracker.ietf.org/doc/html/draft-dekok-radext-deprecating-radius-00

  And wrote an article on it:

https://networkradius.com/articles/2022/10/04/radius-insecurity.html


  From the IETF document:

4.  All short Shared Secrets have been compromised

   Unless RADIUS packets are sent over a secure network (IPSec, TLS,
   etc.), administrators should assume that any shared secret of 8
   characters or less has been immediately compromised.  Administrators
   should assume that any shared secret of 10 characters or less has
   been compromised by an attacker with significant resources.
   Administrators should also assume that any private information (such
   as User-Password) which depends on such shared secrets has also been
   compromised.

   Further, if a User-Password has been sent over the Internet via
   RADIUS/UDP or RADIUS/TCP in the last decade, you should assume that
   password has been compromised by an attacker with sufficient
   resources.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
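A defender-side check against the thresholds quoted from the draft above, as an added example that is not part of this thread or of the draft: a small Python audit of a FreeRADIUS clients.conf-style file that flags RADIUS/UDP or RADIUS/TCP clients whose shared secret is at or under the 8- and 10-character limits, and skips RADIUS/TLS clients (`proto = tls`), whose packets are protected by the TLS session rather than the secret. The subset of clients.conf syntax parsed and the sample clients are assumptions for this example, not taken from the page.

```python
TRIVIALLY_COMPROMISED = 8    # draft section 4: assume immediately compromised
WEAK_AGAINST_RESOURCED = 10  # draft section 4: compromised by a resourced attacker

# Constructed sample in FreeRADIUS clients.conf syntax; names and secrets are made up.
SAMPLE_CLIENTS_CONF = """
client lab-ap {
        ipaddr = 192.0.2.10
        secret = testing123
        limits {
                max_connections = 16
        }
}
client branch-vpn {
        secret = s3cret            # 6 characters
}
client radsec-peer {
        proto = tls
        secret = radsec            # RFC 6614 fixes this value for RADIUS/TLS
}
"""

def parse_clients(text):
    """Parse `client NAME { ... }` blocks into {name: {key: value}}; nested sub-sections are skipped."""
    clients, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if depth == 0 and line.startswith("client ") and line.endswith("{"):
            current, depth = clients.setdefault(line[7:-1].strip(), {}), 1
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif current is not None and depth == 1 and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return clients

def audit(clients):
    """Flag UDP/TCP clients whose secret length falls under the draft's thresholds.
    RADIUS/TLS clients are skipped: the TLS session, not the secret, protects their packets."""
    findings = {}
    for name, cfg in clients.items():
        if cfg.get("proto") == "tls":
            continue
        n = len(cfg.get("secret", ""))
        if n <= TRIVIALLY_COMPROMISED:
            findings[name] = "assume compromised"
        elif n <= WEAK_AGAINST_RESOURCED:
            findings[name] = "assume compromised by a resourced attacker"
    return findings
```

Run `audit(parse_clients(open("/etc/raddb/clients.conf").read()))` against a real file; a flagged client is a candidate to move to RADIUS/TLS, not merely to a longer secret.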

