
RADIUS Auth types

I finally figured out how to get the test for RADIUS (against Windows 2003 IAS) to work: enable PAP authentication. However, I'd feel a LOT more comfortable if the passwords weren't being thrown around in plaintext. Is there some way to force 7.304 to use something a little stronger (at least CHAP, but MS-CHAPv2 would be even better!)?


  • What makes you think the passwords are thrown around in plain text?
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • By definition, PAP is a plaintext authentication type. The IAS log indicates that PAP is the authentication type, so the implication is that it's done 'in the clear.'
  • From the Wikipedia article on RADIUS: 
    The RADIUS protocol does not transmit passwords in cleartext between the NAS and RADIUS server (not even with PAP protocol). Rather, a shared secret is used along with the MD5 hashing algorithm to obfuscate passwords.

    Do you know if IAS supports more-secure techniques with RADIUS?

    Cheers - Bob
     
  • Hmm... I misunderstood the communication between devices. IAS uses the same "shared secret" technique just like every other RADIUS device; it's the standard setup.
  • But, I think you are correct about the username being passed in plaintext.  It seems like a reasonable feature request to add a bit of security to RADIUS authentication with Astaro.  I just checked and saw that IAS 2003 does MS-CHAP and SPAP in addition to the ones you mentioned in your original post.

    Thanks - Bob
     